chore(deps): update dependency aquaproj/aqua to v1.38.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v1.19.3 -> v1.38.0

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v1.38.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.2...v1.38.0

Features

#​1781 #​1783 Support configuring require_checksum by the environment variable

export AQUA_REQUIRE_CHECKSUM=true # false

If require_checksum is configured in a configuration file, the environment variable is ignored.
If checksum isn't enabled in a configuration file, the environment variable is ignored.

Why is the feature needed?

To combine security and convenience.
In CI we would like to enable require_checksum for security.
On the other hand, we don't want to enable require_checksum in your laptops for convenience.
If require_checksum is enabled, you have to run aqua update-checksum when you change the package version.
Otherwise, it fails to run the package. This is a bad experience.

v1.37.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.1...v1.37.2

Fixes

#​1777 init, init-policy: remove broken links

aqua.yaml and aqua-policy.yaml generated by aqua init and aqua init-policy commands contained broken links.
So we removed them.

v1.37.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.0...v1.37.1

Bug Fixes

#​1771 #​1772 Fixed a bug that update-checksum --deep command fails if go_install package is used

v1.37.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.36.1...v1.37.0

Features

#​1762 Support default checksum parser

aqua supported two checksum file format raw and regexp and the file format is mandatory.
This pull request supports a default file format and the file format becomes optional.

If a checksum file contains only one line and doesn't contain a space , a file content is treated as checksum.

e.g.

0549CBAA2DF451CF3A2011A9D73A9CB127784D26749D9CD14C9F4818AF104D44

Each line is split by a space .
The first element is treated as a checksum
The second element is treated as a file path, and the base name is treated as the asset name.

e.g.

944fdfebfdf1026d318609cc706bad454196f0b1d76e557b56c829b0e6165a9f  ./kapp-linux-arm64
9aaa735985efbe240af0ca1d80adf3b43be6cf4ec6620a053082e31bea25dae7  ./kapp-linux-amd64
dcbf6dd9b4cecfc6316391029a6e9a5f3863e6a1f7848eb5fb78bfdbdc06faf8  ./kapp-darwin-amd64
e802044c2676455464675e290ea5b5eed7da9741eae1260af8d8d15355495db3  ./kapp-windows-amd64.exe
f059d708fc550c516d1f04ee4c82efd8bc346c480156c03a3445825c73d827a6  ./kapp-darwin-arm64

Why this feature is needed

This feature works well flexibly and we don't have to fix checksum configuration when the checksum file format is changed.
We don't have to write complicated regular expressions.
This feature improves the maintainability of checksum configuration.

Others

#​1764 Update Go from v1.20.1 to v1.20.2

v1.36.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.36.0...v1.36.1

Bug Fixes

#​1742 #​1752 install: install command succeeded unexpectedly even if unknown packages are included

This bug was caused by aquaproj/aqua@40154d3 v1.19.5 (2022-10-01).

#​1746 #​1757 Clear unrelated fields if package type is changed by overrides or version_overrides

Others

#​1718 #​1721 #​1755 #​1756 Use slsa-verifier as CLI instead of Go library to separate slsa-verifier from aqua itself
#​1753 update google/go-github from v45 to v50

Use slsa-verifier as CLI instead of Go library to separate slsa-verifier from aqua itself

#​1718 #​1721

From aqua v1.26.0, aqua has supported verifing packages by slsa-verifier. aqua used slsa-verifier as a Go library, but then some issues occured because slsa-verifier is so large.

• aqua binary becomes so large 5 MB => 15 MB
• It takes a long time to build aqua
• #​1717 Renovate fails to run go mod tidy and go get

Especially, #​1717 was critical.

To solve these issues, we decided to use slsa-verifer as CLI instead of Go library.

v1.36.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.35.0...v1.36.0

Features

#​1668 #​1710 Show files in a package if an executable file isn't found
#​1704 #​1705 Output HTTP status code when it fails to install a http package

Show files in a package if an executable file isn't found

#​1668 #​1710

e.g.

$ aqua i --test
ERRO[0000] check file_src is correct                     aqua_version= env=darwin/arm64 error="check file_src is correct: exe_path isn't found: stat /Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/github_release/github.com/Azure/aks-engine/v0.76.0/aks-engine-v0.76.0-darwin-amd64.tar.gz/aks-engine: no such file or directory" file_name=aks-engine package_name=Azure/aks-engine package_version=v0.76.0 program=aqua registry=standard
ERRO[0000] executable files aren't found
Files in the unarchived package:
aks-engine-v0.76.0-darwin-amd64/aks-engine
   aqua_version= env=darwin/arm64 package_name=Azure/aks-engine package_version=v0.76.0 program=aqua registry=standard
ERRO[0000] install the package                           aqua_version= env=darwin/arm64 error="check file_src is correct" package_name=Azure/aks-engine package_version=v0.76.0 program=aqua registry=standard
FATA[0000] aqua failed                                   aqua_version= env=darwin/arm64 error="it failed to install some packages" program=aqua

v1.35.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.34.2...v1.35.0

Features

#​1692 #​1699 Output the content of a checksum file when it fails to parse a checksum file
#​1684 #​1687 Support outputting error messages when a package is installed
#​1693 #​1695 Add a field no_asset to package configuration for returing an error because there is no asset

Output the content of a checksum file when it fails to parse a checksum file

#​1692 #​1699

This is useful to fix the package's checksum configuration.

e.g.

ERRO[0005] Checksum isn't found in a checksum file. Checksum file content:
237db2e5a4fa7525362c012e94c8a76b36a73d138ac7950cc1c07d862a7cc74a  github-comment_5.0.3_windows_amd64.tar.gz
48e49e0b5f1b3af4b5be13b7031bfb38d856259f09f3582e4f67bcae4b357429  github-comment_5.0.3_linux_arm64.tar.gz
58a32e01623ea00fc3650ffb149f724d3e76a06b2aa5237bb128da138ee79359  github-comment_5.0.3_linux_amd64.tar.gz
621a03cd09ee7eb57d9a00cdfb8c2fe70232b64db070c74122df5a0d7f26ae02  github-comment_5.0.3_darwin_arm64.tar.gz
b893acb1bef079724017590a115bc1447208ea92b0c1fdf8563c6dfc1ef19ff0  github-comment_5.0.3_darwin_amd64.tar.gz
c1a3e184957850e333e24ee437a14b55c8ea78d2e190be71c0f72b0eac0e09d7  github-comment_5.0.3_windows_arm64.tar.gz  aqua_version= checksum_file_format=regexp checksum_pattern_checksum="^(\\b[A-Fa-f0-9]{128}\\b)" checksum_pattern_file="^\\b[A-Fa-f0-9]{128}\\b\\s+(\\S+)$" env=darwin/arm64 exe_name=github-comment exe_path=/Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/github_release/github.com/suzuki-shunsuke/github-comment/v5.0.3/github-comment_5.0.3_darwin_arm64.tar.gz/github-comment package=suzuki-shunsuke/github-comment package_name=suzuki-shunsuke/github-comment package_version=v5.0.3 program=aqua registry=standard

Support outputting error messages when a package is installed

#​1684 #​1687

e.g.

registry.yaml

packages:
  - type: github_release
    repo_owner: grafana
    repo_name: xk6
    version_constraint: semver("< 0.9.0")
    version_overrides:
      - version_constraint: semver(">= 0.9.0")
        error_message: |
          From version xk6 v0.9.0 there are no more binaries published.

          https://github.com/grafana/xk6/issues/60

$ xk6 --help                   
ERRO[0000] failed to install a package grafana/xk6@​v0.9.0. From version xk6 v0.9.0 there are no more binaries published.

https://github.com/grafana/xk6/issues/60  aqua_version= env=darwin/arm64 exe_name=xk6 exe_path=/Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/github_release/github.com/grafana/xk6/v0.9.0/xk6_0.9.0_mac_arm64.tar.gz/xk6 package=grafana/xk6 package_name=grafana/xk6 package_version=v0.9.0 program=aqua registry=standard
FATA[0000] aqua failed                                   aqua_version= env=darwin/arm64 error= exe_name=xk6 package=grafana/xk6 package_version=v0.9.0 program=aqua

Add a field no_asset to package configuration for returing an error because there is no asset

#​1693 #​1695

e.g.

registry.yaml

packages:
  - type: github_release
    repo_owner: grafana
    repo_name: xk6
    version_constraint: semver("< 0.9.0")
    version_overrides:
      - version_constraint: semver(">= 0.9.0")
      	no_asset: true

$ xk6 --help                   
ERRO[0000] failed to install a package grafana/xk6@​v0.9.0. No asset is released in this version  aqua_version= env=darwin/arm64 exe_name=xk6 exe_path=/Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/github_release/github.com/grafana/xk6/v0.9.0/xk6_0.9.0_mac_arm64.tar.gz/xk6 package=grafana/xk6 package_name=grafana/xk6 package_version=v0.9.0 program=aqua registry=standard
FATA[0000] aqua failed                                   aqua_version= env=darwin/arm64 error= exe_name=xk6 package=grafana/xk6 package_version=v0.9.0 program=aqua

Fixes

#​1700 #​1701 Remove exe_path from log

exe_path isn't helpful in many cases. exe_path is long, so this is a bit noisy.

v1.34.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.34.1...v1.34.2

Bug Fixes

#​1682 #​1685 generate-registry: Fix --deep option to handle GitHub Releases not conforming to semantic versioning

v1.34.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.34.0...v1.34.1

Bug Fixes

#​1092 #​1675 #​1677 #​1678 generate-registry: Refactoring and fix some bugs

v1.34.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.33.0...v1.34.0

Features

#​1655 #​1662 generate-registry: Support generating version_overrides and testdata

https://aquaproj.github.io/docs/reference/scaffold-registry/#generate-version_overrides-by---deep-option

Add command line options --deep and --out-testdata to aqua gr command.

• --deep: Generate version_overrides
• --out-testdata: Output testdata to a file

⚠️ --deep option calls GitHub API per GitHub Release. So if there are a lot of GitHub Releases, many GitHub API are called and GitHub API rate limiting may occur.

Fixes

#​1639 generate-registry: Support md5 and sha1
#​1640 generate-registry: Fix checksum asset names
#​1611 Use the default configuration if the package version doesn't match any version_constraint

Others

#​1638 generate-registry: Refactoring

v1.33.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.32.3...v1.33.0

Features

#​1595 #​1615 #​1626 Support keeping configuration files in one directory

https://aquaproj.github.io/docs/tutorial-extras/keep-in-one-dir

aqua has several configuration files such as aqua.yaml, aqua-checksums.json, policy file, and imported files.

e.g.

aqua.yaml
aqua-checksums.json
aqua-policy.yaml # You can rename freely
aqua/ # You can rename freely
  terraform.yaml
  ...

From aqua v1.33.0, aqua supports keeping configuration files in one directory.

e.g.

aqua/ # or .aqua
  aqua.yaml
  aqua-checksums.json
  policy.yaml # You can rename freely
  imports/ # You can rename freely
    terraform.yaml
    ...

This is useful to keep the working directory clean.

How to migrate

• Update aqua to v1.33.0 or later
• Update update-checksum-action to v0.2.0 or later
• Update update-checksum-workflow to v0.1.1 or later
• Move files
  • aqua.yaml => aqua/aqua.yaml
  • aqua-checksums.json => aqua/aqua-checksums.json
  • aqua-policy.yaml => aqua/policy.yaml # rename freely
  • imported files => aqua/imports/*.yaml # change the filename freely
• Fix AQUA_POLICY_CONFIG
• Fix GitHub Actions Path filters
• Fix aqua-renovate-config's file preset argument

v1.32.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.32.2...v1.32.3

Bug Fixes

#​1610 fix a bug Registry's checksums are compared without normalization

This bug occurs when a Registry is installed and the Registry's checksum in aqua-checksums.json is uppercase,
because the calculated checksum is lowercase.

This bug raised by https://github.com/aquaproj/aqua/releases/tag/v1.32.2 , because the release made checksums uppercase.

e.g.

time="2023-02-02T01:22:11Z" level=error msg="install the registry" actual_checksum=603942e90f42411891411460a1ff5ceac0e9ae9233cc828b7cab5d8bedd76d90bbe5476e6744c50de6827869da2641562990fe649dd5f872cb98397b2e2c30e6 aqua_version=1.32.2 env=linux/amd64 error="check a registry's checksum: checksum is invalid" expected_checksum=603942E90F42411891411460A1FF5CEAC0E9AE9233CC828B7CAB5D8BEDD76D90BBE5476E6744C50DE6827869DA2641562990FE649DD5F872CB98397B2E2C30E6 program=aqua registry_name=standard

v1.32.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.32.1...v1.32.2

Bug Fixes

#​1599 #​1600 Skip setting checksum if the key already exists

Fixes

#​1601 Normalize checksum when a newly added

v1.32.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.32.0...v1.32.1

Fixes

#​1585 #​1588 Retry slsa-verifier when slsa-verifier failed due to timeout

v1.32.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.31.0...v1.32.0

Features

generate-registry: Support specifying version

e.g.

$ aqua gr suzuki-shunsuke/tfcmt@v3.2.4

v1.31.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.30.4...v1.31.0

Features

#​1545 #​1552 Add the attribute version_prefix to Registry Configuration

• Add the attribute version_prefix to Registry Configuration
• Add the parameter SemVer to expr expressions and template variables
• versions are filtered by this attribute same as version_filter
  • We would be able to replace version_filter to version_prefix in many cases
• Instead of Version, the parameter Semver is used in the function semver

You can filter versions with a specific prefix and trim the prefix from versions by version_prefix.

For example, kubernetes-sigs/kustomize has a prefix kustomize/.

- type: github_release
    repo_owner: kubernetes-sigs
    repo_name: kustomize
    version_prefix: kustomize/
    asset: kustomize_{{.SemVer}}_{{.OS}}_{{.Arch}}.tar.gz
    version_constraint: semver(">= 4.5.4")
    version_overrides:
      - version_constraint: semver(">= 4.4.1")
        supported_envs:
          - linux
          - darwin
          - amd64
      - version_constraint: semver(">= 4.2.0")
        supported_envs:
          - linux
          - darwin
      - version_constraint: semver("< 4.2.0")
        rosetta2: true
        supported_envs:
          - linux
          - darwin
          - amd64

Bug Fixes

Fixed bugs regarding to Cosign.

#​1554 #​1557 Retry the verification by Cosign
#​1555 #​1558 Get a lock before executing Cosign to prevent Cosign from being executing in parallel
#​1559 Get a Lock before installing Cosign
#​1559 Fix a bug that options of Cosign could be wrong if the same package's multiple versions are installed at the same time

v1.30.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.30.3...v1.30.4

Bug Fixes

#​1541 generate: remove a newline

From aqua v1.25.2, a newline was inserted unnecessarily.

e.g.

$ aqua g -i suzuki-shunsuke/tfcmt

registries:
- type: standard
  ref: v3.118.0
packages:
- name: suzuki-shunsuke/tfcmt@v4.0.1

By this release, the newline is removed.

registries:
- type: standard
  ref: v3.118.0
packages:
- name: suzuki-shunsuke/tfcmt@v4.0.1

#​1548 #​1549 Return error if version doesn't match with all version_constraints

v1.30.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.30.2...v1.30.3

Features

#​1539 Verify checksums of aqua-proxy to prevent aqua-proxy from being tampered. Checksums are hardcoded to aqua.

Others

#​1540 Update aqua-proxy from v1.1.2 to v1.1.4

v1.30.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.30.2-1...v1.30.2

Bug Fixes

#​1528 #​1530 Fix a bug that Cosign isn't installed properly if AQUA_GOOS and AQUA_GOARCH are set

Others

#​1391 #​1526 Sign checksum files by Cosign

v1.30.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.30.0...v1.30.1

Bug Fixes

#​1521 #​1523 update-checksum: Fix a bug that registries' checksums are removed by -prune option

v1.30.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.29.0...v1.30.0

Features

#​1490 #​1511 Install cosign lazily to avoid installing Cosign unnecessarily
#​1510 Prevent Cosign from being tampered by hardcoding checksums of Cosign
#​1491 #​1508 Support verifying Registries' checksums
#​1512 #​1514 Add darwin/arm64 to supported_envs if rosetta2 is enabled

Support verifying Registries' checksums

#​1491 #​1508

aqua verifies checksums of Registries if Checksum Verification is enabled.

aqua.yaml

checksum:
  enabled: true

aqua-checksums.json

{
  "checksums": [
    {
      "id": "registries/github_content/github.com/aquaproj/aqua-registry/v3.114.0/registry.yaml",
      "checksum": "b5b922c4d64609e536daffec6e480d0fed3ee56b16320a10c38ae12df7f045e8b20a0c05ec66eb28146cee42559e5e6c4e4bc49ce89ffe48a5640999cc6248bd",
      "algorithm": "sha512"
    }
  ]
}

If the checksum is invalid, it would fail to install Registries.

ERRO[0000] install the registry                          actual_checksum=b5b922c4d64609e536daffec6e480d0fed3ee56b16320a10c38ae12df7f045e8b20a0c05ec66eb28146cee42559e5e6c4e4bc49ce89ffe48a5640999cc6248be aqua_version= env=darwin/arm64 error="check a registry's checksum: checksum is invalid" exe_name=starship expected_checksum=b5b922c4d64609e536daffec6e480d0fed3ee56b16320a10c38ae12df7f045e8b20a0c05ec66eb28146cee42559e5e6c4e4bc49ce89ffe48a5640999cc6248bd program=aqua registry_name=standard
FATA[0000] aqua failed                                   aqua_version= env=darwin/arm64 error="it failed to install some registries" exe_name=starship program=aqua

Others

#​1509 init: add .checksum.supported_envs to aqua init's template

v1.29.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.28.0...v1.29.0

Features

#​1230 #​1498 checksum: Support excluding unneeded os/arch checksum from aqua-checksums.json
#​1216 #​1500 checksum: Support an algorithm sha1

Support excluding unneeded os/arch checksum from aqua-checksums.json

#​1230 #​1498

Make aqua-checksums.json slim and avoid unneeded API call and failure.
Prevent aqua update-checksum -deep from downloading unused platform's assets.

e.g. Exclude Windows

aqua.yaml

checksum:
  enabled: true
  supported_envs:
    - darwin
    - linux

Support an algorithm sha1

#​1216 #​1500

v1.28.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.27.0...v1.28.0

Features

Improved aqua update-checksum command. https://aquaproj.github.io/docs/tutorial-extras/checksum/

#​1489 #​1492 Ignore unrelated files' checksums in checksum files
#​1257 #​1495 Support pruning unused checksums in aqua-checksums.json

Ignore unrelated files' checksums in checksum files

#​1489 #​1492

aqua update-checksum added all checksums in checksum files.
But some checksum files include unrelated checksums.
For example, gh_2.21.1_checksums.txt includes a checksum of Debian package, which is unneeded for aqua.

2005b4aef5fec0336cb552c74f3e4c445dcdd9e9c1e217d8de3acd45ee152470  gh_2.17.0_linux_386.deb
34c0ba49d290ffe108c723ffb0063a4a749a8810979b71fc503434b839688b5c  gh_2.17.0_linux_386.rpm
3516a4d84f7b69ea5752ca2416895a2705910af3ed6815502af789000fc7e963  gh_2.17.0_macOS_amd64.tar.gz
3fb9532fd907547ad1ed89d507f785589c70f3896133ca64de609ba0dcc080d5  gh_2.17.0_linux_armv6.tar.gz
4bd7415b5ccc559b2e9ff7d4bcb8d1fd63c4acce3eaf589da2a70c50035af54f  gh_2.17.0_linux_amd64.deb
5859178d22f0124bbedc8d69c242df8c304ba8da1eb94406f11b1bbe4ec393e8  gh_2.17.0_linux_amd64.rpm
8c403207ed8ab18b4c69d7e97321a553731d9034fe98ba96feebfc267ecd2c91  gh_2.17.0_linux_armv6.deb
96d4e523636446b796b28f069332b6f8ea9a0950c6ef43617203cc5ac5af0d84  gh_2.17.0_windows_amd64.zip
a614f898e229f3d6af3cea88cb42ff71c4c5466a52fefef2118d307f1a11b055  gh_2.17.0_linux_armv6.rpm
c36f5ead31b8d6c41dc5ce97b514133a8cc037739aba239aa2a75b8afe3e618a  gh_2.17.0_linux_arm64.deb
c6ce28981a1fb9acb13ee091b5f3de8eb244a67dc99aff1d106985c1e94c72c6  gh_2.17.0_linux_amd64.tar.gz
cdd97a4afe4ec828fed72811f9b47a9fa4ef8f8fb2fa1e3b9a8cfc3334cbc815  gh_2.17.0_linux_arm64.rpm
d373e305512e53145df7064a0253df696fe17f9ec71804311239f3e2c9e19999  gh_2.17.0_linux_arm64.tar.gz
d3b06f291551ce0357e08334d8ba72810a552b593329e3c0dd3489f51a8712a3  gh_2.17.0_windows_386.zip
ed2ed654e1afb92e5292a43213e17ecb0fe0ec50c19fe69f0d185316a17d39fa  gh_2.17.0_linux_386.tar.gz

From aqua v1.28.0, aqua ignores these unrelated checksums.

Support pruning unused checksums in aqua-checksums.json

#​1257 #​1495

When tools are updated, checksums for old versions are basically unneeded.
Or when we remove some tools from aqua.yaml, checksums for those tools would be unneeded.

You can remove unused checksums by setting -prune option.

aqua update-checksum -prune

v1.27.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.26.2...v1.27.0

Features

#​1466 #​1468 #​1486 Support a new field private for private packages and registries

You can set private: true to private packages and registries.
By default, private is false.
If private is true, aqua skips sending HTTP requests to download assets, because the requests always fail.
Even if the value of private attribute is wrong, you can install the registry and package.

e.g. aqua.yaml

registries:
- name: foo
  type: github_content
  repo_owner: aquaproj
  repo_name: private-repository
  ref: v3.90.0
  private: true # Private Registry
  path: registry.yaml

e.g. registry.yaml

packages:

##### init: a
- type: github_release
  repo_owner: aquaproj
  repo_name: private-repository
  asset: 'foo_{{trimV .Version}}_{{title .OS}}_{{.Arch}}.tar.gz'
  private: true # Private Package

#​1084 #​1487 Support template in go_install package's path attribute

Go Module path includes the major version.
We have ever had to define version_constraint per major version.
Using template, you can define the package more simply.

e.g.

packages:
  - type: go_install
    repo_owner: volatiletech
    repo_name: sqlboiler
    description: Generate a Go ORM tailored to your database schema
    path: github.com/volatiletech/sqlboiler/v{{(semver .Version).Major}}

Bug Fixes

#​1482 generate-registry: Remove slsa_provenance: null from the output of aqua gr

v1.26.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.26.1...v1.26.2

Bug Fixes

#​1477 Install and execute Cosign with correct runtime

Fixed a bug that when AQUA_GOOS or AQUA_GOARCH were set Cosign for wrong runtime was installed.

v1.26.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.26.0...v1.26.1

Bug Fixes

#​1471 Skip installing Cosign and verify with Cosign in windows/arm64
#​1473 Check if Cosign is supported

Others

#​1474 Update Go to 1.19.4

v1.26.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.25.2...v1.26.0

Features

#​1449 #​1454 Support package verification by Cosign and slsa-verifier
We provide aqua's SLSA Provenance multiple.intoto.jsonl.

v1.25.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.25.0...v1.25.2

📝 It failed to release v1.25.1 by CI, so we released v1.25.2. This is why the release v1.25.1 doesn't exist.

Fixes

#​1462 #​1463 generate: fix a bug of --pin option

v1.25.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.24.0...v1.25.0

Features

#​901 #​1416 Replace $HOME to the home directory in local registry path

e.g. aqua.yaml

registries:
- name: local
  type: local
  path: $HOME/.config/aquaproj-aqua/registry.yaml

$HOME is gotten by os.UseHomeDir.

v1.24.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.23.1...v1.24.0

Features

#​1306 #​1308 Support defining the policy of package installation and execution for security

https://aquaproj.github.io/docs/tutorial-extras/policy-as-code

We strongly recommend setting Policy to protect your laptop and CI from threat.
We consider to disable registries other than standard Registry by default.
Please see the issue and give your feedback. #​1404

v1.23.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.23.0...v1.23.1

Bug Fixes

#​1388 #​1389 generate: Fix a panic when unknown packages are specified

This bug came from aquaproj/aqua@0c87e2c .
Affected versions: v1.23.0

v1.23.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.22.0...v1.23.0

Features

#​441 #​1330 #​1336 Support filtering packages with tags

https://aquaproj.github.io/docs/guides/package-tag/

Add the optional field tags to aqua.yaml's package.
This field is a string list of tags.

e.g.

---
registries:
- type: standard
  ref: v3.79.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: suzuki-shunsuke/tfcmt@v3.2.0
  tags:
    - test
    - foo
- name: suzuki-shunsuke/github-comment@v4.0.0
- name: cli/cli@v2.0.0
  tags:
    - bar
    - foo

And add the following command line options to the commands aqua install and aqua cp.

• --tags (-t) (string): When this option is set, only packages that have specifed tags are installed. You can specify multiple tags joining with , (e.g. -t ci,test)
• --exclude-tags (string): When this option is set, packages that have specifed tags aren't installed. You can specify multiple tags joining with , (e.g. -exclude-tags ci,test)

$ aqua i # Install suzuki-shunsuke/tfcmt@v3.2.0 and suzuki-shunsuke/github-comment@v4.0.0 and cli/cli@v2.0.0
$ aqua i -t test # Install suzuki-shunsuke/tfcmt@v3.2.0
$ aqua i -t foo,bar # Install suzuki-shunsuke/tfcmt@v3.2.0 and cli/cli@v2.0.0
$ aqua i --exclude-tags test # Install suzuki-shunsuke/github-comment@v4.0.0 and cli/cli@v2.0.0
$ aqua i --exclude-tags test -t foo # Install cli/cli@v2.0.0

Note that symbolic links of all packages are created regardless tags, so that you can execute all tools by Lazy Install and assure that tools are managed by aqua.

Others

#​1367 docs: Fix JSON Schema
#​1377 chore: update Go to v1.19.3

Contributors

Regarding #​441 , @​uesyn and @​sheldonhull propose the feature and gave us the feedback.
Thanks a lot!

v1.22.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.21.0...v1.22.0

Features

#​1041 #​1060 #​1363 Add update-aqua command
#​1352 #​1358 generate: Support specifying version

Add update-aqua command

#​1041 #​1060 #​1363

$ aqua update-aqua [version]

aqua is installed in $AQUA_ROOT_DIR/bin/aqua.
By default, the latest version is installed, but you can also specify the version with an argument.

You can't specify the install path. We think you don't have to change the install path.

e.g.

$ aqua update-aqua # Install the latest version
$ aqua update-aqua v1.20.0 # Install aqua v1.20.0

generate: Support specifying version

#​1352 #​1358

aqua generate supports specifying the package version. The package version is optional.

e.g.

$ aqua g cli/cli
- name: cli/cli@v2.18.1

$ aqua g cli/cli@v2.0.0
- name: cli/cli@v2.0.0

The option -pin is added to aqua generate command.
This option is useful to prevent the package from being updated by Renovate.

$ aqua g -pin cli/cli
- name: cli/cli
  version: v2.18.1

$ aqua g -pin cli/cli@v2.0.0
- name: cli/cli
  version: v2.0.0

Others

#​1353 #​1356 #​1357 #​1362 Refactoring

v1.21.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.20.2...v1.21.0

Features

#​1323 Support changing type in overrides

v1.20.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.20.1...v1.20.2

Bug Fixes

#​1304 cp: Skip creating links

aqua cp is a command to copy executable files to a directory, so symbolic links don't have to be created.

v1.20.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.20.0...v1.20.1

Bug Fixes

#​1299 #​1300 update-checksum: Fix the checksum of http package calculated by -deep option

v1.20.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.19.5...v1.20.0

Features

#​427 Support the checksum verification 🎉
#​1173 #​1247 cp: Support coping all packages

Support the checksum verification 🎉

#​427

aqua supports the Checksum Verification 🎉

For the detail, please see the document. https://aquaproj.github.io/docs/reference/checksum

cp: Support coping all packages

#​1173 #​1247

You had to specify copied command names as arguments of aqua cp command.
This update allows you to copy all packages without arguments.

$ aqua cp [-a]

aqua cp copies all commands.

If the option -a is specified, all commands including global configuration files are copied.

Others

#​1281 update Go to 1.19.2
#​1284 golangci-lint: disable deprecated linters

v1.19.5

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.19.4...v1.19.5

Bug Fixes

#​1244 #​1245 nil check to avoid panic

Others

#​1225 Improve error log: Output download url when it failed to download a file

v1.19.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.19.3...v1.19.4

Bug Fixes

#​1166 #​1213 generate-registry: set complete_windows_ext

Others

#​1184 #​1210 Support MD5 for the checksum verification
#​1214 Improve a log creating a symbolic link

Replace log fields link_file and new to command.

AS IS

$ aqua i
INFO[0000] create a symbolic link                        aqua_version= env=darwin/arm64 link_file=/Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/actionlint new=aqua-proxy program=aqua

$ aqua i
INFO[0000] create a symbolic link                        aqua_version= command=actionlint env=darwin/arm64 program=aqua

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.