use forked alpine-go in go-apk

.github/workflows/build-samples.yml

@@ -17,8 +17,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
         with:
-          go-version: "1.20"
-          check-latest: true
+          go-version-file: 'go.mod'
       - name: Setup QEMU
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 

.github/workflows/build.yaml

@@ -2,7 +2,11 @@ name: ci
 
 on:
   pull_request:
+    branches:
+      - main
   push:
+    branches:
+      - main
 
 jobs:
   build:
@@ -14,8 +18,7 @@ jobs:
 
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
         with:
-          go-version: '1.21'
-          check-latest: true
+          go-version-file: 'go.mod'
 
       - name: build
         run: |

go.mod

@@ -4,7 +4,7 @@ go 1.21
 
 require (
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220920003936-cd2dbcbbab49
-	github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a
+	github.com/chainguard-dev/go-apk v0.0.0-20231103143312-fc2ccc06eae1
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08
 	github.com/dominodatalab/os-release v0.0.0-20190522011736-bcdb4a3e3c2f
 	github.com/go-git/go-git/v5 v5.10.0
@@ -21,7 +21,6 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
 	github.com/tmc/dot v0.0.0-20210901225022-f9bc17da75c0
-	gitlab.alpinelinux.org/alpine/go v0.8.1-0.20230928153721-5381bfaecf9b
 	go.opentelemetry.io/otel v1.19.0
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	golang.org/x/sync v0.4.0

go.sum

@@ -104,8 +104,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a h1:f3m/NBTfmlLkwJ65s/4352OfuwQI/5cKWGT/MSgdwAw=
-github.com/chainguard-dev/go-apk v0.0.0-20231030174812-a5114d436c7a/go.mod h1:LHiVwyOFfuMy/j+HPkAqow7c/+frfMBqaEkKChgG3HA=
+github.com/chainguard-dev/go-apk v0.0.0-20231103143312-fc2ccc06eae1 h1:rTOTV8vrKvQeMo+wJh+fk/KZCltbbpcTWBEL/dDgMLw=
+github.com/chainguard-dev/go-apk v0.0.0-20231103143312-fc2ccc06eae1/go.mod h1:AF2jAOzQkIWpF/RhuUV9tAIzKYCeYy66/aaFP4oC9c4=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08 h1:9Qh4lJ/KMr5iS1zfZ8I97+3MDpiKjl+0lZVUNBhdvRs=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08/go.mod h1:MAuu1uDJNOS3T3ui0qmKdPUwm59+bO19BbTph2wZafE=
 github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
@@ -435,8 +435,6 @@ github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7Jul
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-gitlab.alpinelinux.org/alpine/go v0.8.1-0.20230928153721-5381bfaecf9b h1:VxuNSxH3voth15SPX4nHV8DSFLP/u3Od82juHw7+pLo=
-gitlab.alpinelinux.org/alpine/go v0.8.1-0.20230928153721-5381bfaecf9b/go.mod h1:F2JLVqRezwY1mhf7X/sPkQ/u+X550PHOL4OpCFyuOVU=
 go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo=
 go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=

internal/cli/dot.go

@@ -26,11 +26,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	apkfs "github.com/chainguard-dev/go-apk/pkg/fs"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"github.com/tmc/dot"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 	"golang.org/x/exp/slices"
 	"golang.org/x/sync/errgroup"
 
@@ -132,7 +132,7 @@ func DotCmd(ctx context.Context, configFile string, archs []types.Architecture,
 
 	dmap := map[string][]string{}
 	pmap := map[string][]string{}
-	pkgMap := map[string]*repository.RepositoryPackage{}
+	pkgMap := map[string]*apk.RepositoryPackage{}
 
 	for _, pkg := range pkgs {
 		dmap[pkg.Name] = pkg.Dependencies
@@ -162,7 +162,7 @@ func DotCmd(ctx context.Context, configFile string, archs []types.Architecture,
 			deps[pkg] = struct{}{}
 		}
 
-		renderDeps := func(pkg *repository.RepositoryPackage) {
+		renderDeps := func(pkg *apk.RepositoryPackage) {
 			n := dot.NewNode(pkg.Name)
 			if err := n.Set("label", pkgver(pkg)); err != nil {
 				panic(err)
@@ -212,7 +212,7 @@ func DotCmd(ctx context.Context, configFile string, archs []types.Architecture,
 			renderDeps(pkg)
 		}
 
-		renderProvs := func(pkg *repository.RepositoryPackage) {
+		renderProvs := func(pkg *apk.RepositoryPackage) {
 			n := dot.NewNode(pkg.Name)
 			if err := n.Set("label", pkgver(pkg)); err != nil {
 				panic(err)
@@ -319,7 +319,7 @@ func DotCmd(ctx context.Context, configFile string, archs []types.Architecture,
 	return nil
 }
 
-func pkgver(pkg *repository.RepositoryPackage) string {
+func pkgver(pkg *apk.RepositoryPackage) string {
 	return fmt.Sprintf("%s-%s", pkg.Name, pkg.Version)
 }
 

internal/cli/resolve.go

@@ -203,7 +203,7 @@ func ResolveCmd(ctx context.Context, output string, archs []types.Architecture,
 		for _, rpkg := range resolvedPkgs {
 			lockPkg := lockPkg{
 				Name:         rpkg.Package.Name,
-				URL:          rpkg.Package.Url(),
+				URL:          rpkg.Package.URL(),
 				Architecture: rpkg.Package.Arch,
 				Version:      rpkg.Package.Version,
 				Control: lockPkgRangeAndChecksum{
@@ -225,13 +225,13 @@ func ResolveCmd(ctx context.Context, output string, archs []types.Architecture,
 
 			lock.Contents.Packages = append(lock.Contents.Packages, lockPkg)
 
-			if _, ok := repositories[rpkg.Package.Repository().Uri]; !ok {
+			if _, ok := repositories[rpkg.Package.Repository().URI]; !ok {
 				lock.Contents.Repositories = append(lock.Contents.Repositories, lockRepo{
-					Name:         stripURLScheme(rpkg.Package.Repository().Uri),
-					URL:          rpkg.Package.Repository().IndexUri(),
+					Name:         stripURLScheme(rpkg.Package.Repository().URI),
+					URL:          rpkg.Package.Repository().IndexURI(),
 					Architecture: arch.ToAPK(),
 				})
-				repositories[rpkg.Package.Repository().Uri] = true
+				repositories[rpkg.Package.Repository().URI] = true
 			}
 		}
 	}

internal/cli/show-packages.go

@@ -176,7 +176,7 @@ func ShowPackagesCmd(ctx context.Context, format string, archs []types.Architect
 		for _, pkg := range pkgs {
 			p.Name = pkg.Name
 			p.Version = pkg.Version
-			p.Source = pkg.Url()
+			p.Source = pkg.URL()
 			if err = tmpl.Execute(os.Stdout, p); err != nil {
 				return fmt.Errorf("failed to execute template: %w", err)
 			}

pkg/build/build_implementation.go

@@ -34,7 +34,6 @@ import (
 	"github.com/chainguard-dev/go-apk/pkg/apk"
 	"github.com/chainguard-dev/go-apk/pkg/tarball"
 	"github.com/sigstore/cosign/v2/pkg/oci"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 )
 
 // pgzip's default is GOMAXPROCS(0)
@@ -175,7 +174,7 @@ func WriteIndex(o *options.Options, idx oci.SignedImageIndex) (string, error) {
 	return outfile, nil
 }
 
-func (bc *Context) BuildPackageList(ctx context.Context) (toInstall []*repository.RepositoryPackage, conflicts []string, err error) {
+func (bc *Context) BuildPackageList(ctx context.Context) (toInstall []*apk.RepositoryPackage, conflicts []string, err error) {
 	if toInstall, conflicts, err = bc.apk.ResolveWorld(ctx); err != nil {
 		return toInstall, conflicts, fmt.Errorf("resolving apk packages: %w", err)
 	}

pkg/build/busybox_test.go

@@ -7,7 +7,6 @@ import (
 	"github.com/chainguard-dev/go-apk/pkg/apk"
 	apkfs "github.com/chainguard-dev/go-apk/pkg/fs"
 	"github.com/stretchr/testify/require"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 )
 
 // Copyright 2023 Chainguard, Inc.
@@ -28,7 +27,7 @@ func TestInstallBusyboxSymlinks(t *testing.T) {
 	// these are links that definitely do *not* exist when using the standard files
 	fakeLinks := []string{"/bin/foo", "/bin/bar"}
 	trueLinks := []string{"/bin/ls", "/bin/grep"}
-	pkg := &repository.Package{
+	pkg := &apk.Package{
 		Name:    "busybox",
 		Version: "1.36.0", // version that we know exists in busybox_versions.go
 	}

pkg/sbom/generator/spdx/spdx.go

@@ -24,9 +24,9 @@ import (
 	"time"
 	"unicode/utf8"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	apkfs "github.com/chainguard-dev/go-apk/pkg/fs"
 	purl "github.com/package-url/packageurl-go"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 	"sigs.k8s.io/release-utils/version"
 
 	"chainguard.dev/apko/pkg/sbom/options"
@@ -390,7 +390,7 @@ func (sx *SPDX) imagePackage(opts *options.Options) (p *Package) {
 }
 
 // apkPackage returns a SPDX package describing an apk
-func (sx *SPDX) apkPackage(opts *options.Options, pkg *repository.Package) Package {
+func (sx *SPDX) apkPackage(opts *options.Options, pkg *apk.Package) Package {
 	return Package{
 		ID: stringToIdentifier(fmt.Sprintf(
 			"SPDXRef-Package-%s-%s", pkg.Name, pkg.Version,

pkg/sbom/generator/spdx/spdx_test.go

@@ -21,10 +21,10 @@ import (
 	"regexp"
 	"testing"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	apkfs "github.com/chainguard-dev/go-apk/pkg/fs"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/require"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 	"sigs.k8s.io/release-utils/command"
 
 	"chainguard.dev/apko/pkg/sbom/options"
@@ -41,7 +41,7 @@ var testOpts = &options.Options{
 		Version: "3.0",
 	},
 	FileName: "sbom",
-	Packages: []*repository.Package{
+	Packages: []*apk.Package{
 		{
 			Name:        "musl",
 			Version:     "1.2.2-r7",

pkg/sbom/options/options.go

@@ -22,11 +22,11 @@ import (
 	"sort"
 	"time"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
 	purl "github.com/package-url/packageurl-go"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 
 	"chainguard.dev/apko/pkg/build/types"
 )
@@ -52,7 +52,7 @@ type Options struct {
 	Formats []string
 
 	// Packages is alist of packages which will be listed in the SBOM
-	Packages []*repository.Package
+	Packages []*apk.Package
 }
 
 type PurlQualifiers map[string]string

pkg/sbom/sbom.go

@@ -20,8 +20,8 @@ import (
 	"io/fs"
 	"path/filepath"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	osr "github.com/dominodatalab/os-release"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 
 	"chainguard.dev/apko/pkg/sbom/options"
 )
@@ -59,15 +59,15 @@ func ReadReleaseData(fsys fs.FS) (*osr.Data, error) {
 	return osr.Parse(string(osReleaseData)), nil
 }
 
-func ReadPackageIndex(fsys fs.FS) (packages []*repository.Package, err error) {
+func ReadPackageIndex(fsys fs.FS) (packages []*apk.Package, err error) {
 	installedDB, err := fsys.Open(packageIndexPath)
 	if err != nil {
 		return nil, fmt.Errorf("opening APK installed db: %w", err)
 	}
 	defer installedDB.Close()
 
-	// repository.ParsePackageIndex closes the file itself
-	packages, err = repository.ParsePackageIndex(installedDB)
+	// apk.ParsePackageIndex closes the file itself
+	packages, err = apk.ParsePackageIndex(installedDB)
 	if err != nil {
 		return nil, fmt.Errorf("parsing APK installed db: %w", err)
 	}

pkg/tarfs/fs.go

@@ -31,8 +31,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/chainguard-dev/go-apk/pkg/apk"
 	apkfs "github.com/chainguard-dev/go-apk/pkg/fs"
-	"gitlab.alpinelinux.org/alpine/go/repository"
 	"golang.org/x/sys/unix"
 )
 
@@ -49,7 +49,7 @@ type tarEntry struct {
 	tfs      fs.FS
 	header   tar.Header
 	checksum []byte
-	pkg      *repository.Package
+	pkg      *apk.Package
 }
 
 type memFS struct {
@@ -100,7 +100,7 @@ func checksumFromHeader(header *tar.Header) ([]byte, error) {
 	return checksum, nil
 }
 
-func (m *memFS) WriteHeader(hdr tar.Header, tfs fs.FS, pkg *repository.Package) error {
+func (m *memFS) WriteHeader(hdr tar.Header, tfs fs.FS, pkg *apk.Package) error {
 	switch hdr.Typeflag {
 	case tar.TypeDir:
 		// special case, if the target already exists, and it is a symlink to a directory, we can accept it as is