Tags: chainguard-dev/melange
feat(git-checkout): log resolved clone URL after successful clone (#2572)

## What/Why

Log the resolved remote URL after git clone completes in the git-checkout pipeline. When git insteadOf rules rewrite the URL (e.g. to a local mirror), the clone log only shows the original configured URL. This line shows the actual URL git used, making mirror usage visible without enabling GIT_TRACE.

## Proof it works

Verified in staging elastic builds: the log line shows `https://gitlab.chaindag.dev/...` when insteadOf rewrites are active, confirming the mirror is used.

## Risk + AI role

Low. One log line addition to a shell pipeline. AI-assisted.

## Review focus

- Placement after clone success but before cd into workdir.

Signed-off-by: jmeridth <jmeridth@gmail.com>
fix(qemu): pass SLIRP DNS address via kernel cmdline when QEMU_NET_CIDR is set (#2570)

* fix(qemu): pass SLIRP DNS address via kernel cmdline when QEMU_NET_CIDR is set

## What

When QEMU_NET_CIDR overrides the SLIRP internal network, derive the correct DNS server address (network base + 3, per SLIRP convention) and pass it to the guest via the `dns=` kernel command line parameter.

## Why

Guest init scripts typically write `/etc/resolv.conf` using the `dns=` kernel param with a fallback to `10.0.2.3` (SLIRP's default). When QEMU_NET_CIDR moves the SLIRP network to a different subnet (e.g., `192.168.76.0/24`), the default DNS address `10.0.2.3` no longer exists on that network and all DNS resolution inside the QEMU VM fails. This breaks git clones, submodule fetches, and any other network operation that requires name resolution.

## Notes

- When QEMU_NET_CIDR is not set or empty, no `dns=` is added to the kernel cmdline. Zero behavior change for existing builds.
- The `dns=` parameter follows QEMU/Linux kernel cmdline conventions and is already consumed by common guest init scripts.

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix(qemu): address review feedback on SLIRP DNS handling

- Set dns= explicitly on QEMU netdev args so melange is authoritative about the DNS address rather than relying on SLIRP's internal default derivation, which uses a different algorithm for prefixes wider than /23
- Remove redundant ip/ipv4 nil-check in slirpDNSAddr, use binary.BigEndian for cleaner uint32 pack/unpack
- Remove dead ipnet.Contains check (base+3 is always in-network for the /8-/28 range enforced by parseAndValidateNetCIDR)
- Tighten parseAndValidateNetCIDR minimum prefix from /30 to /28 since SLIRP needs room for gateway (.2), DNS (.3), and DHCP range (.15+)
- Add /22, /23, and /28 boundary test cases for slirpDNSAddr

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>
build(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 in the gomod group (#2569)

Bumps the gomod group with 1 update: [golang.org/x/crypto](https://github.com/golang/crypto).

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](golang/crypto@v0.52.0...v0.53.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix(qemu): skip empty QEMU_NET_CIDR instead of erroring (#2568)

os.LookupEnv returns ok=true for an empty string. When QEMU_NET_CIDR is set to "" (e.g., via a build system that always sets the env var with a default empty value), the validator rejects it as "empty CIDR" and the build fails. Skip silently when the value is empty.

Signed-off-by: jmeridth <jmeridth@gmail.com>
feat(qemu): add QEMU_NET_CIDR to override SLIRP internal network (#2564)

## What

Add an opt-in QEMU_NET_CIDR environment variable that overrides SLIRP's default internal network (10.0.2.0/24) by appending net=<cidr> to the SLIRP netdev args. Validates the input as a sane IPv4 CIDR with prefix length between 8 and 30.

## Why

SLIRP user-mode networking treats its default 10.0.2.0/24 network as part of its own NAT space. When the host needs to reach VPC-internal addresses that fall within the 10.0.0.0/8 range (e.g., a Private Service Connect endpoint at 10.10.0.108), SLIRP may not forward those connections to the host's network stack, causing the guest VM to time out. Setting QEMU_NET_CIDR to a non-conflicting range (e.g., 192.168.76.0/24) moves SLIRP's internal NAT off the 10.x.x.x space so 10.x.x.x addresses route through the host normally.

## Notes

- Opt-in via environment variable; default behavior unchanged.
- Follows the existing QEMU_DNS_SEARCH pattern for env-driven netdev configuration.
- Input validation rejects IPv6, prefixes outside [8, 30], and any injection attempts via embedded commas or whitespace.

Signed-off-by: jmeridth <jmeridth@gmail.com>
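The two QEMU_NET_CIDR commits above (#2564, which introduces the variable and its validation, and #2570, which derives the SLIRP DNS address and tightens the prefix range to /8-/28) describe a small but easy-to-get-wrong piece of logic: a value taken from the environment is spliced into a comma-separated `-netdev` argument, so it must be validated before use, and the DNS address handed to the guest must be computed from the chosen network rather than left at SLIRP's default. The following is an added example, not melange's own code: the function names `parseAndValidateNetCIDR` and `slirpDNSAddr` are taken from the commit messages, but their signatures, the `slirpNetConfig` helper and the `main` wrapper are assumptions made for this illustration. It implements the later, /28 lower bound from #2570.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"strings"
)

// parseAndValidateNetCIDR validates a QEMU_NET_CIDR value before it is
// spliced into the SLIRP -netdev argument string. It requires IPv4, a prefix
// length between /8 and /28 (the range the review feedback settled on, so
// SLIRP has room for the gateway at .2, DNS at .3 and the DHCP range from
// .15), and rejects embedded commas or whitespace, which would otherwise let
// an environment value inject extra netdev options. Signature is assumed.
func parseAndValidateNetCIDR(raw string) (*net.IPNet, error) {
	if strings.ContainsAny(raw, ", \t\r\n") {
		return nil, fmt.Errorf("QEMU_NET_CIDR %q must not contain commas or whitespace", raw)
	}
	ip, ipnet, err := net.ParseCIDR(raw)
	if err != nil {
		return nil, fmt.Errorf("QEMU_NET_CIDR %q is not a valid CIDR: %w", raw, err)
	}
	if ip.To4() == nil {
		return nil, fmt.Errorf("QEMU_NET_CIDR %q is not IPv4", raw)
	}
	ones, bits := ipnet.Mask.Size()
	if bits != 32 || ones < 8 || ones > 28 {
		return nil, fmt.Errorf("QEMU_NET_CIDR %q prefix /%d is outside /8-/28", raw, ones)
	}
	return ipnet, nil
}

// slirpDNSAddr derives the guest-visible DNS address for a validated SLIRP
// network: network base + 3, packed and unpacked with binary.BigEndian.
// Because the prefix is at most /28, base+3 is always inside the network.
func slirpDNSAddr(ipnet *net.IPNet) net.IP {
	base := binary.BigEndian.Uint32(ipnet.IP.To4())
	dns := make(net.IP, net.IPv4len)
	binary.BigEndian.PutUint32(dns, base+3)
	return dns
}

// slirpNetConfig (assumed helper) returns the extra SLIRP netdev options and
// the kernel cmdline parameter for a QEMU_NET_CIDR value. An unset or empty
// value yields nothing, matching the "zero behavior change" note in #2568.
func slirpNetConfig(cidr string) (netdev string, kernelArg string, err error) {
	if cidr == "" {
		return "", "", nil
	}
	ipnet, err := parseAndValidateNetCIDR(cidr)
	if err != nil {
		return "", "", err
	}
	dns := slirpDNSAddr(ipnet)
	// dns= is set explicitly on the netdev so the builder, not SLIRP's
	// internal derivation, decides the address the guest is told to use.
	netdev = fmt.Sprintf("net=%s,dns=%s", ipnet, dns)
	kernelArg = "dns=" + dns.String()
	return netdev, kernelArg, nil
}

func main() {
	// Reads the real environment so the program can be tried locally.
	netdev, kernelArg, err := slirpNetConfig(os.Getenv("QEMU_NET_CIDR"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if netdev == "" {
		fmt.Println("QEMU_NET_CIDR unset or empty: SLIRP defaults (10.0.2.0/24, DNS 10.0.2.3) apply")
		return
	}
	fmt.Printf("netdev options: %s\nkernel cmdline: %s\n", netdev, kernelArg)
}
```

Run it with `QEMU_NET_CIDR=192.168.76.0/24 go run .` to see the `net=192.168.76.0/24,dns=192.168.76.3` netdev fragment and the matching `dns=192.168.76.3` kernel parameter; with the variable unset it reports that the defaults apply. The comma and whitespace check runs before parsing on purpose: `net.ParseCIDR` would already reject such strings, but checking first makes the security intent (no option injection into the netdev argument) explicit and independent of parser details.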
build(deps): bump actions/checkout in the actions group (#2560)

Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
feat(pipelines/xcover): add include-functions (#2551)

* feat(pipelines/xcover): add include-functions

The include-functions xcover flag allows filtering the functions to be traced. Add support to the xcover/profile pipeline as a new parameter.

Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>

* test(pipelines/xcover): e2e include-functions

Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>

---------

Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
ci: allow production.cloudfront.docker.com in harden-runner egress (#2552)

Docker Hub serves image blobs from a CDN, and sometimes uses CloudFront (production.cloudfront.docker.com) in addition to the Cloudflare endpoint already allowlisted. Docker changed this recently (see Docker Hub release notes, ~a week ago: https://docs.docker.com/docker-hub/release-notes/), which is why crane pulls of Docker Hub images (e.g. chainguard/static in the e2e xcover test) started failing harden-runner egress with:

`dial tcp: lookup production.cloudfront.docker.com ... i/o timeout`

Same CloudFront usage was observed in mono CI: https://github.com/chainguard-dev/mono/actions/runs/26589819417/job/78350661305#step:18:25

Add production.cloudfront.docker.com:443 to the egress allowlist in the Test packages (e2e) and release jobs, alongside the existing Cloudflare endpoint.
fix(pipelines/strip): Don't try to strip ELFs for non-native platforms (#2542)

strip only supports the architecture it was built for, so when we intentionally package non-native binaries (i.e. cubins), strip fails loudly. We still want to strip the binaries we can, so skip when the platform isn't the platform strip is being used on.

Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>
build(deps): bump sigstore/cosign-installer (#2526)

Bumps the actions group with 1 update in the / directory: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>