merge queue: embarking main (544a3fc) and #180 together #182

Closed
mergify[bot] wants to merge 8 commits into main from mergify/merge-queue/e0b9b18110

@mergify mergify Bot commented May 27, 2026

🎉 This pull request has been checked successfully and will be merged soon. 🎉

Branch main (544a3fc) and #180 are embarked together for merge.

This pull request has been created by Mergify to speculatively check the mergeability of #180.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.

Required conditions of queue rule default for merge:

  • all of:
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, writefile)
    • check-neutral = Build (amd64, writefile)
    • check-skipped = Build (amd64, writefile)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, archive2disk)
    • check-neutral = Build (amd64, archive2disk)
    • check-skipped = Build (amd64, archive2disk)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, cexec)
    • check-neutral = Build (amd64, cexec)
    • check-skipped = Build (amd64, cexec)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, grub2disk)
    • check-neutral = Build (amd64, grub2disk)
    • check-skipped = Build (amd64, grub2disk)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, image2disk)
    • check-neutral = Build (amd64, image2disk)
    • check-skipped = Build (amd64, image2disk)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, kexec)
    • check-neutral = Build (amd64, kexec)
    • check-skipped = Build (amd64, kexec)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, oci2disk)
    • check-neutral = Build (amd64, oci2disk)
    • check-skipped = Build (amd64, oci2disk)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, qemuimg2disk)
    • check-neutral = Build (amd64, qemuimg2disk)
    • check-skipped = Build (amd64, qemuimg2disk)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, rootio)
    • check-neutral = Build (amd64, rootio)
    • check-skipped = Build (amd64, rootio)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, slurp)
    • check-neutral = Build (amd64, slurp)
    • check-skipped = Build (amd64, slurp)
  • any of [🛡 GitHub branch protection]:
    • check-success = Build (amd64, syslinux)
    • check-neutral = Build (amd64, syslinux)
    • check-skipped = Build (amd64, syslinux)
  • any of [🛡 GitHub branch protection]:
    • check-success = DCO
    • check-neutral = DCO
    • check-skipped = DCO

Required conditions to stay in the queue:

---
checking_base_sha: 544a3fce2a00c836ff522325d7ffcc8d60a7930a
previous_failed_batches: []
pull_requests:
  - number: 180
    scopes: []
scopes: []
...

jacobweinstock and others added 8 commits May 27, 2026 10:03
The previously pinned deps are years old and pull in long-EOL
containerd/oras releases, blocking any further upgrades and leaving
known CVEs in the build. Refresh the module graph to currently
supported versions, drop the deislabs/oras fork in favor of upstream
oras.land/oras-go, and bump the builder/runtime base images to match.
Code that touched removed APIs (go-diskfs Disk.File, oras.Pull) is
ported to the supported equivalents.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

The rootio partition helpers only closed the disk handle on the
success path, so any error from GetPartitionTable, Backend.Sys, Sync
or the partition writes leaked the underlying file descriptor against
a block device the caller intends to keep operating on. Move the
close into a defer so every return path releases it.

The rootio and grub2disk builder stages still installed git, gcc,
musl-dev and friends from when those builds used cgo; since they now
build with CGO_ENABLED=0 those packages are dead weight in the image
and slow the build for no benefit. A dependabot config is added so
the Go module, GitHub Actions and Docker base image bumps that this
branch had to do by hand happen automatically going forward.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

alpine:3.13 has been EOL for years and ships unfixed CVEs.
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

writefile relied on a deferred unmount that never ran because the error
paths all called os.Exit, risking a mount leak into the host namespace.
A nolint comment had been added to silence the warning with a
justification that was simply wrong.

The v2 golangci-lint migration dropped the explicit runtime timeout;
the upstream default of 1m is not enough for this repo under GitHub
Actions and the lint job started flaking.

One builder stage still pulled compiler toolchain packages even though
the build no longer uses cgo, wasting build time and diverging from its
sibling stage.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

oci2disk unconditionally disabled TLS verification against the
registry, which is unsafe against anything other than a local insecure
registry. Make it opt-in via SKIP_VERIFY so the default is a verified
TLS connection.

writefile created the /mountAction mountpoint with os.ModeDir as the
mode, which is the directory type bit — not permission bits — so the
resulting directory had no usable permissions. Use 0o755, and
MkdirAll so a pre-existing mountpoint isn't an error.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
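
Added example (not code from this pull request or from the project): a Go sketch of the two writefile defects the commit messages above describe, the os.ModeDir mountpoint mode and the deferred cleanup skipped by os.Exit. The function names mountpointPerms and run are hypothetical, the scratch directory is constructed, and a boolean flag stands in for the unmount.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// mountpointPerms makes one directory with os.ModeDir as the mode (the defect)
// and one with MkdirAll and 0o755 (the fix), and returns the resulting perms.
func mountpointPerms(base string) (before, after os.FileMode, err error) {
	bad, good := filepath.Join(base, "before"), filepath.Join(base, "after")
	if err = os.Mkdir(bad, os.ModeDir); err != nil { // type bit only, perms are 0
		return 0, 0, err
	}
	if err = errors.Join(os.MkdirAll(good, 0o755), os.MkdirAll(good, 0o755)); err != nil {
		return 0, 0, err // the second call shows an existing mountpoint is not an error
	}
	bi, err := os.Stat(bad)
	if err != nil {
		return 0, 0, err
	}
	gi, err := os.Stat(good)
	if err != nil {
		return 0, 0, err
	}
	return bi.Mode().Perm(), gi.Mode().Perm(), nil
}

// run returns its error instead of calling os.Exit, so the deferred cleanup runs.
func run(fail bool, cleaned *bool) error {
	defer func() { *cleaned = true }() // stands in for the unmount
	if fail {
		return errors.New("write failed")
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "mountpoint-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	before, after, err := mountpointPerms(dir)
	var cleaned bool
	runErr := run(true, &cleaned)
	fmt.Println(before, after, err, runErr, cleaned)
}
```

The permissions of the 0o755 directory are still subject to the process umask, so the printed value can be narrower than rwxr-xr-x.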
@mergify mergify Bot closed this May 27, 2026
@mergify mergify Bot deleted the mergify/merge-queue/e0b9b18110 branch May 27, 2026 21:20