Merge remote-tracking branch 'origin/main' into rules_distroless

.github/workflows/buildifier.yaml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Set up Go 1.15.x
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.15.x
         id: go

.github/workflows/ci-pkg-mgr.yaml

@@ -17,10 +17,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/setup-go@v4
+    - uses: actions/setup-go@v5
       with:
         go-version: '1.20'
-    - uses: actions/cache@v3
+    - uses: actions/cache@v4
       with:
         path: |
           ~/.cache/go-build
@@ -38,11 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: '1.20'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.7.0
+        uses: golangci/golangci-lint-action@v4.0.0
         timeout-minutes: 5
         with:
           # version: latest

.github/workflows/ci.yaml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Mount bazel caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
             path: |
                 ~/.cache/bazel-repo
@@ -55,7 +55,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Mount bazel caches
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
             path: |
                 ~/.cache/bazel-repo

.github/workflows/pylint.yaml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Set up Go 1.15.x
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.15.x
         id: go

.github/workflows/scorecards-analysis.yml

@@ -38,14 +38,14 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
         with:
           sarif_file: results.sarif

.github/workflows/update-deb-package-snapshots.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/setup-go@v4
+    - uses: actions/setup-go@v5
       with:
         go-version: '1.20'
 

CONTRIBUTING.md

@@ -19,12 +19,12 @@ Follow either of the two links above to access the appropriate CLA and instructi
 
 1. For building and loading images to your local Docker engine, you need to add a new rule for that image to the BUILD:
 ```
-load("@contrib_rules_oci//oci/private:tarball.bzl", "oci_tarball")
+load("@rules_oci//oci/private:tarball.bzl", "oci_tarball")
 
 oci_tarball(
     name = "local_build",
     image = "//base:static_root_amd64_debian17",
-    repotags = [],
+    repo_tags = [],
 )
 ```
 then build the tarball and load it into docker

SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Supported Versions
 
-Distroless currently only tracks debian 11 ([bullseye](https://packages.debian.org/bullseye/)) packages.
+Distroless currently tracks debian 11 ([bullseye](https://packages.debian.org/bullseye/)) and debian 12 ([bookworm](https://packages.debian.org/bookworm)) packages.
 
 Debian tracking information at https://github.com/GoogleContainerTools/distroless/blob/main/debian_archives.bzl and generally is updated within 48 hours of debian publishing an update.
 

WORKSPACE

@@ -22,28 +22,40 @@ register_expand_template_toolchains()
 
 # rules_oci setup
 http_archive(
-    name = "contrib_rules_oci",
-    sha256 = "d6bdc1767d326c67b4cbdc79abfed00c8a4ca14b92adea9faf3db4710d514596",
-    strip_prefix = "rules_oci-0.3.2",
-    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v0.3.2/rules_oci-v0.3.2.tar.gz",
+    name = "rules_oci",
+    sha256 = "a3b6f4c0051938940ccf251a7bdcdf7ac5a93ae00e63ad107c9c6d3bfe20885b",
+    strip_prefix = "rules_oci-1.3.1",
+    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v1.3.1/rules_oci-v1.3.1.tar.gz",
 )
 
-load("@contrib_rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
+load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
 
 rules_oci_dependencies()
 
-load("@contrib_rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "LATEST_ZOT_VERSION", "oci_register_toolchains")
+load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "LATEST_ZOT_VERSION", "oci_register_toolchains")
 
 oci_register_toolchains(
     name = "oci",
     crane_version = LATEST_CRANE_VERSION,
     zot_version = LATEST_ZOT_VERSION,
 )
 
-load("@contrib_rules_oci//cosign:repositories.bzl", "cosign_register_toolchains")
+load("@rules_oci//cosign:repositories.bzl", "cosign_register_toolchains")
 
 cosign_register_toolchains(name = "oci_cosign")
 
+# setup container_structure_test
+http_archive(
+    name = "container_structure_test",
+    sha256 = "2da13da4c4fec9d4627d4084b122be0f4d118bd02dfa52857ff118fde88e4faa",
+    strip_prefix = "container-structure-test-1.16.0",
+    urls = ["https://github.com/GoogleContainerTools/container-structure-test/archive/v1.16.0.zip"],
+)
+
+load("@container_structure_test//:repositories.bzl", "container_structure_test_register_toolchain")
+
+container_structure_test_register_toolchain(name = "cst")
+
 # platforms
 http_archive(
     name = "platforms",
@@ -120,10 +132,10 @@ http_archive(
     name = "jetty",
     add_prefix = "output",
     build_file = "//java:BUILD.jetty",
-    sha256 = "50d6eccd349d2e671bfea710cee833911287eb706fe1d39503eab76fc6fc1a0c",
-    strip_prefix = "jetty-distribution-9.4.48.v20220622/",
+    sha256 = "b04b4cd45f3bf3c09a26bdf7f4e8d1a67e1a0f224ef4539534a0719b2c701088",
+    strip_prefix = "jetty-distribution-9.4.53.v20231009/",
     type = "tar.gz",
-    urls = ["https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.48.v20220622/jetty-distribution-9.4.48.v20220622.tar.gz"],
+    urls = ["https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.53.v20231009/jetty-distribution-9.4.53.v20231009.tar.gz"],
 )
 
 # rules_pkg setup

base/base.bzl

@@ -1,6 +1,7 @@
 "defines a function to replicate the container images for different distributions"
 
-load("@contrib_rules_oci//oci:defs.bzl", "oci_image", "oci_image_index", "structure_test")
+load("@container_structure_test//:defs.bzl", "container_structure_test")
+load("@contrib_rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("@io_bazel_rules_go//go:def.bzl", "go_binary")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//:checksums.bzl", "ARCHITECTURES", "VARIANTS")
@@ -102,7 +103,6 @@ def base_images(distro):
 
             oci_image(
                 name = "base_nossl_" + user + "_" + arch + "_" + distro,
-                architecture = arch,
                 base = ":static_" + user + "_" + arch + "_" + distro,
                 tars = [
                     deb.package(arch, distro, "libc6"),
@@ -187,9 +187,9 @@ def base_images(distro):
             visibility = ["//visibility:private"],
         )
 
-        structure_test(
+        container_structure_test(
             name = "static_" + arch + "_" + distro + "_test",
-            config = ["testdata/static.yaml"],
+            configs = ["testdata/static.yaml"],
             image = ":check_certs_image_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
@@ -198,88 +198,88 @@ def base_images(distro):
         # Check that we can invoke openssl in the base image to check certificates (only debian11).
         ##########################################################################################
         if distro == "debian11":
-            structure_test(
+            container_structure_test(
                 name = "openssl_" + arch + "_" + distro + "_test",
-                config = ["testdata/certs.yaml"],
+                configs = ["testdata/certs.yaml"],
                 image = ":base_root_" + arch + "_" + distro,
                 tags = ["manual", arch],
             )
 
         ##########################################################################################
         # Check for common base files.
         ##########################################################################################
-        structure_test(
+        container_structure_test(
             name = "base_" + arch + "_" + distro + "_test",
-            config = ["testdata/base.yaml"],
+            configs = ["testdata/base.yaml"],
             image = ":base_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "base_nossl_" + arch + "_" + distro + "_test",
-            config = ["testdata/base.yaml"],
+            configs = ["testdata/base.yaml"],
             image = ":base_nossl_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
         ##########################################################################################
         # Check for busybox
         ##########################################################################################
-        structure_test(
+        container_structure_test(
             name = "debug_" + arch + "_" + distro + "_test",
-            config = ["testdata/debug.yaml"],
+            configs = ["testdata/debug.yaml"],
             image = ":debug_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "base_nossl_debug_" + arch + "_" + distro + "_test",
-            config = ["testdata/debug.yaml"],
+            configs = ["testdata/debug.yaml"],
             image = ":base_nossl_debug_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "static_debug_" + arch + "_" + distro + "_test",
-            config = ["testdata/debug.yaml"],
+            configs = ["testdata/debug.yaml"],
             image = ":static_debug_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
         ##########################################################################################
         # Check the /etc/os-release contents.
         ##########################################################################################
-        structure_test(
+        container_structure_test(
             name = "base_release_" + arch + "_" + distro + "_test",
-            config = ["testdata/" + distro + ".yaml"],
+            configs = ["testdata/" + distro + ".yaml"],
             image = ":base_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "base_nossl_release_" + arch + "_" + distro + "_test",
-            config = ["testdata/" + distro + ".yaml"],
+            configs = ["testdata/" + distro + ".yaml"],
             image = ":base_nossl_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "debug_release_" + arch + "_" + distro + "_test",
-            config = ["testdata/" + distro + ".yaml"],
+            configs = ["testdata/" + distro + ".yaml"],
             image = ":debug_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "static_release_" + arch + "_" + distro + "_test",
-            config = ["testdata/" + distro + ".yaml"],
+            configs = ["testdata/" + distro + ".yaml"],
             image = ":static_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )
 
-        structure_test(
+        container_structure_test(
             name = "static_debug_release_" + arch + "_" + distro + "_test",
-            config = ["testdata/" + distro + ".yaml"],
+            configs = ["testdata/" + distro + ".yaml"],
             image = ":static_debug_root_" + arch + "_" + distro,
             tags = ["manual", arch],
         )

base/testdata/debug.yaml

@@ -7,4 +7,4 @@ fileExistenceTests:
 commandTests:
   - name: busybox
     command: ["/busybox/busybox"]
-    expectedOutput: ['BusyBox v1\.35\.0']
+    expectedOutput: ['BusyBox v1\.36\.1']

busybox_archives.bzl

@@ -5,13 +5,13 @@ def repositories():
     # To update amd64 busybox binary (#1014)
     # Get the latest commit hash from dist-amd64 branch of docker-library repo. You can also view it
     # at https://github.com/docker-library/official-images/blob/master/library/busybox
-    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest-1/musl/busybox.tar.xz
+    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest/musl/busybox.tar.xz
     # Update the sha256 value. Since github api doesn't give sha256 value, it can be obtained using sha256sum command.
     http_file(
         name = "busybox_amd64",
         executable = True,
-        sha256 = "2af6ea3f9a4a3a19bf4924006f0e4797ea8fe8a370b99717dc0649a5a8af820a",
-        urls = ["https://github.com/docker-library/busybox/raw/c4c1b1f404daebc67a32c5949d5d5b3af3b14302/latest-1/musl/busybox.tar.xz"],
+        sha256 = "77b216d55c6895ddb04a90f3025b5ce2480140da779fe3dca91303b135a1fefe",
+        urls = ["https://github.com/docker-library/busybox/raw/09ee80aedec1d8c604f104e8bec41ed19274620a/latest/musl/busybox.tar.xz"],
     )
 
     http_file(
@@ -24,13 +24,13 @@ def repositories():
     # To update arm64 busybox binary (#657)
     # Get the latest commit hash from dist-arm64v8 branch of docker-library repo. You can also view it
     # at https://github.com/docker-library/official-images/blob/master/library/busybox
-    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest-1/musl/busybox.tar.xz
+    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest/musl/busybox.tar.xz
     # Update the sha256 value. Since github api doesn't give sha256 value, it can be obtained using sha256sum command.
     http_file(
         name = "busybox_arm64",
         executable = True,
-        sha256 = "2441ebc513f4a9d49e3f8e82a71ebc039cc330c611323eb2e11cc960f4ca83c3",
-        urls = ["https://github.com/docker-library/busybox/raw/905f4a7acda06df4b1d1884bd25f98f522f5afa8/latest-1/musl/busybox.tar.xz"],
+        sha256 = "1d0610f348ae3f95897a967fae429b0a0c712b252ca63e1547a89bf13a1a82c7",
+        urls = ["https://github.com/docker-library/busybox/raw/e5e22cb0710fe54da4beaa6a72c1bd56b8fc9c54/latest/musl/busybox.tar.xz"],
     )
 
     http_file(
@@ -43,11 +43,11 @@ def repositories():
     # To update ppc64le busybox binary (#723)
     # Get the latest commit hash from dist-ppc64le branch of docker-library repo. You can also view it
     # at https://github.com/docker-library/official-images/blob/master/library/busybox
-    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest-1/musl/busybox.tar.xz
+    # Substitute it in the link: https://github.com/docker-library/busybox/raw/<latest-commit-hash>/latest/musl/busybox.tar.xz
     # Update the sha256 value. Since github api doesn't give sha256 value, it can be obtained using sha256sum command.
     http_file(
         name = "busybox_ppc64le",
         executable = True,
-        sha256 = "6b453957c98455b8e7ea3bf55e2f20888317100a597b76b6cab590c4a9412103",
-        urls = ["https://github.com/docker-library/busybox/raw/1a8d828e317a782249cb83ca3bae442b48f5f41c/latest-1/musl/busybox.tar.xz"],
+        sha256 = "2d898cab234190697e5df74c537dd86955e9f61725d6c86d97b97c3d58aed9ca",
+        urls = ["https://github.com/docker-library/busybox/raw/aa059e43d48801abcb012dfa965a432fa12c385d/latest/musl/busybox.tar.xz"],
     )

cc/BUILD

@@ -1,4 +1,4 @@
-load("@contrib_rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("//:checksums.bzl", "ARCHITECTURES")
 load("//base:distro.bzl", "DISTROS")
 load("//private/util:deb.bzl", "deb")