diff --git a/commitchecker.yaml b/commitchecker.yaml
index cca809eb0..04f8b5574 100644
--- a/commitchecker.yaml
+++ b/commitchecker.yaml
@@ -1,4 +1,4 @@
-expectedMergeBase: 6e4f192699f5c039fa2b92b01372a150274447bd
+expectedMergeBase: 43607473e92bcd4d5d94f9b896db46500cc404ab
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller
diff --git a/go.mod b/go.mod
index 9bdd56829..245a8f6b1 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/golang-jwt/jwt/v5 v5.3.0
 github.com/google/go-cmp v0.7.0
 github.com/google/go-containerregistry v0.20.7
- github.com/google/renameio/v2 v2.0.1
+ github.com/google/renameio/v2 v2.0.2
 github.com/gorilla/handlers v1.5.2
 github.com/klauspost/compress v1.18.2
 github.com/opencontainers/go-digest v1.0.0
@@ -31,7 +31,7 @@ require (
 github.com/stretchr/testify v1.11.1
 go.podman.io/image/v5 v5.38.0
 golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
- golang.org/x/mod v0.31.0
+ golang.org/x/mod v0.32.0
 golang.org/x/sync v0.19.0
 golang.org/x/tools v0.40.0
 helm.sh/helm/v3 v3.19.4
@@ -204,7 +204,7 @@ require (
 github.com/shopspring/decimal v1.4.0 // indirect
 github.com/sigstore/fulcio v1.8.5 // indirect
 github.com/sigstore/protobuf-specs v0.5.0 // indirect
- github.com/sigstore/sigstore v1.10.3 // indirect
+ github.com/sigstore/sigstore v1.10.4 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/smallstep/pkcs7 v0.2.1 // indirect
 github.com/spf13/cast v1.7.1 // indirect
diff --git a/go.sum b/go.sum
index ab53d1b29..81246df0b 100644
--- a/go.sum
+++ b/go.sum
@@ -264,8 +264,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d h1:KJIErDwbSHjnp/SGzE5ed8Aol7JsKiI5X7yWKAtzhM0= github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= -github.com/google/renameio/v2 v2.0.1 h1:HyOM6qd9gF9sf15AvhbptGHUnaLTpEI9akAFFU3VyW0= -github.com/google/renameio/v2 v2.0.1/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4= +github.com/google/renameio/v2 v2.0.2 h1:qKZs+tfn+arruZZhQ7TKC/ergJunuJicWS6gLDt/dGw= +github.com/google/renameio/v2 v2.0.2/go.mod h1:OX+G6WHHpHq3NVj7cAOleLOwJfcQ1s3uUJQCrr78SWo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -470,8 +470,8 @@ github.com/sigstore/fulcio v1.8.5 h1:HYTD1/L5wlBp8JxsWxUf8hmfaNBBF/x3r3p5l6tZwbA github.com/sigstore/fulcio v1.8.5/go.mod h1:tSLYK3JsKvJpDW1BsIsVHZgHj+f8TjXARzqIUWSsSPQ= github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/sigstore v1.10.3 h1:s7fBYYOzW/2Vd0nND2ZdpWySb5vRF2u9eix/NZMHJm0= -github.com/sigstore/sigstore v1.10.3/go.mod h1:T26vXIkpnGEg391v3TaZ8EERcXbnjtZb/1erh5jbIQk= +github.com/sigstore/sigstore v1.10.4 h1:ytOmxMgLdcUed3w1SbbZOgcxqwMG61lh1TmZLN+WeZE= +github.com/sigstore/sigstore v1.10.4/go.mod h1:tDiyrdOref3q6qJxm2G+JHghqfmvifB7hw+EReAfnbI= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smallstep/pkcs7 v0.2.1 h1:6Kfzr/QizdIuB6LSv8y1LJdZ3aPSfTNhTLqAx9CTLfA= @@ -617,8 +617,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= -golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
diff --git a/requirements.txt b/requirements.txt
index 140b20bb4..09db01c8e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,7 +18,7 @@ mkdocs-material==9.7.1
 mkdocs-material-extensions==1.3.1
 packaging==25.0
 paginate==0.5.7
-pathspec==1.0.1
+pathspec==1.0.3
 platformdirs==4.5.1
 Pygments==2.19.2
 pymdown-extensions==10.20
diff --git a/vendor/github.com/google/renameio/v2/option.go b/vendor/github.com/google/renameio/v2/option.go index a86906f4c..39bfe0b85 100644 --- a/vendor/github.com/google/renameio/v2/option.go +++ b/vendor/github.com/google/renameio/v2/option.go @@ -13,7 +13,6 @@ // limitations under the License. //go:build !windows -// +build !windows package renameio @@ -86,3 +85,14 @@ func WithReplaceOnClose() Option { c.renameOnClose = true }) } + +// WithRoot specifies a root directory to use when working with files. +// See [os.Root] and https://go.dev/blog/osroot for more details. +// +// When WithRoot is used, WithTempDir (and the $TMPDIR environment variable) are +// ignored, as temporary files must be created in the specified root directory. +func WithRoot(root *os.Root) Option { + return optionFunc(func(c *config) { + c.root = root + }) +} diff --git a/vendor/github.com/google/renameio/v2/tempfile.go b/vendor/github.com/google/renameio/v2/tempfile.go index 98114e539..e101e4e70 100644 --- a/vendor/github.com/google/renameio/v2/tempfile.go +++ b/vendor/github.com/google/renameio/v2/tempfile.go @@ -13,13 +13,11 @@ // limitations under the License. //go:build !windows -// +build !windows package renameio import ( - "io/ioutil" - "math/rand" + "math/rand/v2" "os" "path/filepath" "strconv"
@@ -29,10 +27,10 @@ import ( const defaultPerm os.FileMode = 0o600 // nextrandom is a function generating a random number. -var nextrandom = rand.Int63 +var nextrandom = rand.Int64 // openTempFile creates a randomly named file and returns an open handle. It is -// similar to ioutil.TempFile except that the directory must be given, the file +// similar to os.CreateTemp except that the directory must be given, the file // permissions can be controlled and patterns in the name are not supported. // The name is always suffixed with a random number. func openTempFile(dir, name string, perm os.FileMode) (*os.File, error) { @@ -58,6 +56,33 @@ func openTempFile(dir, name string, perm os.FileMode) (*os.File, error) { } } +// openTempFileRoot creates a randomly named file in root and returns an open +// handle. It is similar to os.CreateTemp except that the directory must be +// given, the file permissions can be controlled and patterns in the name are +// not supported. The name is always suffixed with a random number. +func openTempFileRoot(root *os.Root, name string, perm os.FileMode) (string, *os.File, error) { + prefix := name + + for attempt := 0; ; { + // Generate a reasonably random name which is unlikely to already + // exist. O_EXCL ensures that existing files generate an error. + name := prefix + strconv.FormatInt(nextrandom(), 10) + + f, err := root.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, perm) + if !os.IsExist(err) { + return name, f, err + } + + if attempt++; attempt > 10000 { + return "", nil, &os.PathError{ + Op: "tempfile", + Path: name, + Err: os.ErrExist, + } + } + } +} + // TempDir checks whether os.TempDir() can be used as a temporary directory for // later atomically replacing files within dest. If no (os.TempDir() resides on // a different mount point), dest is returned. 
@@ -83,7 +108,7 @@ func tempDir(dir, dest string) string { // the TMPDIR environment variable. tmpdir := os.TempDir() - testsrc, err := ioutil.TempFile(tmpdir, "."+filepath.Base(dest)) + testsrc, err := os.CreateTemp(tmpdir, "."+filepath.Base(dest)) if err != nil { return fallback } @@ -95,7 +120,7 @@ func tempDir(dir, dest string) string { }() testsrc.Close() - testdest, err := ioutil.TempFile(filepath.Dir(dest), "."+filepath.Base(dest)) + testdest, err := os.CreateTemp(filepath.Dir(dest), "."+filepath.Base(dest)) if err != nil { return fallback } @@ -118,6 +143,8 @@ type PendingFile struct { done bool closed bool replaceOnClose bool + root *os.Root + tmpname string } // Cleanup is a no-op if CloseAtomicallyReplace succeeded, and otherwise closes @@ -134,8 +161,14 @@ func (t *PendingFile) Cleanup() error { if !t.closed { closeErr = t.File.Close() } - if err := os.Remove(t.Name()); err != nil { - return err + if t.root != nil { + if err := t.root.Remove(t.tmpname); err != nil { + return err + } + } else { + if err := os.Remove(t.Name()); err != nil { + return err + } } t.done = true return closeErr @@ -163,8 +196,14 @@ func (t *PendingFile) CloseAtomicallyReplace() error { if err := t.File.Close(); err != nil { return err } - if err := os.Rename(t.Name(), t.path); err != nil { - return err + if t.root != nil { + if err := t.root.Rename(t.tmpname, t.path); err != nil { + return err + } + } else { + if err := os.Rename(t.Name(), t.path); err != nil { + return err + } } t.done = true return nil @@ -200,6 +239,7 @@ type config struct { ignoreUmask bool chmod *os.FileMode renameOnClose bool + root *os.Root } // NewPendingFile creates a temporary file destined to atomically creating or 
@@ -227,8 +267,15 @@ func NewPendingFile(path string, opts ...Option) (*PendingFile, error) { } if cfg.attemptPermCopy { + var existing os.FileInfo + var err error + if cfg.root != nil { + existing, err = cfg.root.Lstat(cfg.path) + } else { + existing, err = os.Lstat(cfg.path) + } // Try to determine permissions from an existing file. - if existing, err := os.Lstat(cfg.path); err == nil && existing.Mode().IsRegular() { + if err == nil && existing.Mode().IsRegular() { perm := existing.Mode() & os.ModePerm cfg.chmod = &perm @@ -240,7 +287,14 @@ func NewPendingFile(path string, opts ...Option) (*PendingFile, error) { } } - f, err := openTempFile(tempDir(cfg.dir, cfg.path), "."+filepath.Base(cfg.path), cfg.createPerm) + var f *os.File + var err error + var tmpname string + if cfg.root != nil { + tmpname, f, err = openTempFileRoot(cfg.root, "."+filepath.Base(cfg.path), cfg.createPerm) + } else { + f, err = openTempFile(tempDir(cfg.dir, cfg.path), "."+filepath.Base(cfg.path), cfg.createPerm) + } if err != nil { return nil, err } @@ -255,7 +309,13 @@ func NewPendingFile(path string, opts ...Option) (*PendingFile, error) { } } - return &PendingFile{File: f, path: cfg.path, replaceOnClose: cfg.renameOnClose}, nil + return &PendingFile{ + File: f, + path: cfg.path, + replaceOnClose: cfg.renameOnClose, + root: cfg.root, + tmpname: tmpname, + }, nil } // Symlink wraps os.Symlink, replacing an existing symlink with the same name @@ -267,9 +327,9 @@ func Symlink(oldname, newname string) error { return err } - // We need to use ioutil.TempDir, as we cannot overwrite a ioutil.TempFile, + // We need to use os.MkdirTemp, as we cannot overwrite a os.CreateTemp file, // and removing+symlinking creates a TOCTOU race. - d, err := ioutil.TempDir(filepath.Dir(newname), "."+filepath.Base(newname)) + d, err := os.MkdirTemp(filepath.Dir(newname), "."+filepath.Base(newname)) if err != nil { return err } 
@@ -292,3 +352,41 @@ func Symlink(oldname, newname string) error { cleanup = false return os.RemoveAll(d) } + +// SymlinkRoot wraps os.Symlink, replacing an existing symlink with the same +// name atomically (os.Symlink fails when newname already exists, at least on +// Linux). +func SymlinkRoot(root *os.Root, oldname, newname string) error { + // Fast path: if newname does not exist yet, we can skip the whole dance + // below. + if err := root.Symlink(oldname, newname); err == nil || !os.IsExist(err) { + return err + } + + // We need to use os.MkdirTemp, as we cannot overwrite a os.CreateTemp file, + // and removing+symlinking creates a TOCTOU race. + // + // There is no os.Root-compatible os.MkdirTemp, so we use the path directly. + d, err := os.MkdirTemp(root.Name(), "."+filepath.Base(newname)) + if err != nil { + return err + } + cleanup := true + defer func() { + if cleanup { + os.RemoveAll(d) + } + }() + + symlink := filepath.Join(filepath.Base(d), "tmp.symlink") + if err := root.Symlink(oldname, symlink); err != nil { + return err + } + + if err := root.Rename(symlink, newname); err != nil { + return err + } + + cleanup = false + return os.RemoveAll(d) +} diff --git a/vendor/github.com/google/renameio/v2/writefile.go b/vendor/github.com/google/renameio/v2/writefile.go index 545042102..097817f0e 100644 --- a/vendor/github.com/google/renameio/v2/writefile.go +++ b/vendor/github.com/google/renameio/v2/writefile.go @@ -13,13 +13,12 @@ // limitations under the License. //go:build !windows -// +build !windows package renameio import "os" -// WriteFile mirrors ioutil.WriteFile, replacing an existing file with the same +// WriteFile mirrors os.WriteFile, replacing an existing file with the same // name atomically. func WriteFile(filename string, data []byte, perm os.FileMode, opts ...Option) error { opts = append([]Option{ diff --git a/vendor/modules.txt b/vendor/modules.txt index 3e280f250..40ceaafc4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -473,8 +473,8 @@ github.com/google/go-containerregistry/pkg/v1/tarball github.com/google/go-containerregistry/pkg/v1/types # github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d ## explicit; go 1.24.0 -# github.com/google/renameio/v2 v2.0.1 -## explicit; go 1.13 +# github.com/google/renameio/v2 v2.0.2 +## explicit; go 1.25 github.com/google/renameio/v2 # github.com/google/uuid v1.6.0 ## explicit @@ -769,7 +769,7 @@ github.com/sigstore/fulcio/pkg/certificate # github.com/sigstore/protobuf-specs v0.5.0 ## explicit; go 1.22.0 github.com/sigstore/protobuf-specs/gen/pb-go/common/v1 -# github.com/sigstore/sigstore v1.10.3 +# github.com/sigstore/sigstore v1.10.4 ## explicit; go 1.25.0 github.com/sigstore/sigstore/pkg/cryptoutils github.com/sigstore/sigstore/pkg/signature @@ -1015,7 +1015,7 @@ golang.org/x/crypto/scrypt ## explicit; go 1.23.0 golang.org/x/exp/maps golang.org/x/exp/slices -# golang.org/x/mod v0.31.0 +# golang.org/x/mod v0.32.0 ## explicit; go 1.24.0 golang.org/x/mod/internal/lazyregexp golang.org/x/mod/modfile