wip: v48

- Update dependabot to properly scan the dev Dockerfile weekly
- Add syft, grype, oras, and cosign to the tools iamge
- Update various dependencies to be managed as OCI dependencies (for dependabot
  management)
- Update other dependencies, including Go (to 1.25) and Rust (to 1.90)
- setup-tools action:
  - Hack mandb to avoid slowness during apt installs in GitHub Actions
  - Unpack the tools binaries without doing a full docker buildx setup

Author: olix0r

.github/dependabot.yml

@@ -1,15 +1,11 @@
 version: 2
 updates:
   - package-ecosystem: "docker"
-    directory: "/.devcontainer"
+    directory: "/"
     schedule:
-      interval: daily
-      time: "05:00"
-      timezone: "UTC"
+      interval: "weekly"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-      time: "04:00"
-      timezone: "UTC"
+      interval: "weekly"

Dockerfile

@@ -5,8 +5,8 @@
 ##
 
 
-ARG GO_TAG=1.24
-ARG RUST_TAG=1.88.0
+ARG GO_TAG=1.25
+ARG RUST_TAG=1.90.0
 
 # These layers include Debian apt caches, so layers that extend `apt-base`
 # should not be published. Instead, these layers should be used to provide
@@ -45,13 +45,13 @@ RUN url="https://github.com/olix0r/j5j/releases/download/${J5J_VERSION}/j5j-${J5
 
 # just runs build/test recipes. Like `make` but a bit more ergonomic.
 FROM apt-base as just
-ARG JUST_VERSION=1.42.4 # repo=casey/just
+ARG JUST_VERSION=1.43.0 # repo=casey/just
 RUN url="https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin just
 
 # yq is kind of like jq, but for YAML.
 FROM apt-base as yq
-ARG YQ_VERSION=v4.47.1 # repo=mikefarah/yq
+ARG YQ_VERSION=v4.47.2 # repo=mikefarah/yq
 RUN url="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" ; \
     scurl -o /yq "$url" && chmod +x /yq
 
@@ -67,7 +67,7 @@ COPY --link bin/scurl /bin/
 
 # helm templates kubernetes manifests.
 FROM apt-base as helm
-ARG HELM_VERSION=v3.18.4 # repo=helm/helm
+ARG HELM_VERSION=v3.19.0 # repo=helm/helm
 RUN url="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" ; \
     scurl "$url" | tar xzvf - --strip-components=1 -C /usr/local/bin linux-amd64/helm
 
@@ -80,50 +80,34 @@ RUN url="https://github.com/norwoodj/helm-docs/releases/download/$HELM_DOCS_VERS
 
 # kubectl controls kubernetes clusters.
 FROM apt-base as kubectl
-ARG KUBECTL_VERSION=v1.33.3 # repo=kubernetes/kubernetes
+ARG KUBECTL_VERSION=v1.34.1 # repo=kubernetes/kubernetes
 RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; \
     scurl -o /usr/local/bin/kubectl "$url" && chmod +x /usr/local/bin/kubectl
 
 # k3d runs kubernetes clusters in docker.
 FROM apt-base as k3d
-ARG K3D_VERSION=v5.8.3 # repo=rancher/k3d
-RUN url="https://raw.githubusercontent.com/rancher/k3d/$K3D_VERSION/install.sh" ; \
-    scurl "$url" | USE_SUDO=false K3D_INSTALL_DIR=/usr/local/bin bash
+COPY --link --from=ghcr.io/k3d-io/k3d-tools:5.8.3 /bin/k3d /usr/local/bin/
 # just-k3d is a utility that encodes many of the common k3d commands we use.
 COPY --link bin/just-k3d /usr/local/bin/
 # `K3S_IMAGES_JSON` configures just-k3d so that it uses a pinned version of k3s.
 # This is generated by `just sync-k3s-images` and i
 ENV K3S_IMAGES_JSON=/usr/local/etc/k3s-images.json
 COPY --link k3s-images.json "$K3S_IMAGES_JSON"
 
-# step is a tool for managing certificates.
-FROM apt-base as step
-ARG STEP_VERSION=v0.28.7 # repo=smallstep/cli
-RUN url="https://dl.smallstep.com/gh-release/cli/gh-release-header/${STEP_VERSION}/step_linux_${STEP_VERSION#v}_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - --strip-components=2 -C /usr/local/bin step_"${STEP_VERSION#v}"/bin/step
-
 FROM scratch as tools-k8s
 COPY --link --from=helm /usr/local/bin/helm /bin/
 COPY --link --from=helm-docs /usr/local/bin/helm-docs /bin/
 COPY --link --from=k3d /usr/local/bin/* /bin/
 ENV K3S_IMAGES_JSON=/etc/k3s-images.json
 COPY --link --from=k3d /usr/local/etc/k3s-images.json "$K3S_IMAGES_JSON"
 COPY --link --from=kubectl /usr/local/bin/kubectl /bin/
-COPY --link --from=step /usr/local/bin/step /bin/
-
-FROM apt-base as syft
-ARG SYFT_VERSION=v1.29.0 # repo=anchore/syft
-RUN url="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - -C /usr/local/bin syft
-
-FROM apt-base as grype
-ARG GRYPE_VERSION=v0.96.1 # repo=anchore/grype
-RUN url="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${GRYPE_VERSION#v}_linux_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - -C /usr/local/bin grype
+COPY --link --from=docker.io/smallstep/step-cli:0.28.7 /usr/local/bin/step /bin/
 
 FROM scratch as tools-oci
-COPY --link --from=syft /usr/local/bin/syft /bin/
-COPY --link --from=grype /usr/local/bin/grype /bin/
+COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.4.1 /ko-app/cosign /bin/
+COPY --link --from=ghcr.io/oras-project/oras:v1.3.0 /bin/oras /bin/
+COPY --link --from=ghcr.io/anchore/syft:v1.33.0 /syft /bin/
+COPY --link --from=ghcr.io/anchore/grype:v0.96.1 /grype /bin/
 
 ##
 ## Linting tools
@@ -141,25 +125,18 @@ ARG CHECKSEC_VERSION=2.7.1 # ignore
 RUN url="https://raw.githubusercontent.com/slimm609/checksec/${CHECKSEC_VERSION}/checksec" ; \
     scurl -o /usr/local/bin/checksec "$url" && chmod 755 /usr/local/bin/checksec
 
-# shellcheck lints shell scripts.
-FROM apt-base as shellcheck
-ARG SHELLCHECK_VERSION=v0.10.0 # repo=koalaman/shellcheck
-RUN url="https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ; \
-    scurl "$url" | tar xJvf - --strip-components=1 -C /usr/local/bin "shellcheck-${SHELLCHECK_VERSION}/shellcheck"
-COPY --link bin/just-sh /usr/local/bin/
-
 FROM scratch as tools-lint
 COPY --link --from=actionlint /usr/local/bin/actionlint /bin/
 COPY --link --from=checksec /usr/local/bin/checksec /bin/
-COPY --link --from=shellcheck /usr/local/bin/shellcheck /bin/
+COPY --link --from=docker.io/koalaman/shellcheck:v0.11.0 /bin/shellcheck /bin/
 COPY --link bin/action-* bin/just-dev bin/just-sh /bin/
 
 ##
 ## Protobuf
 ##
 
 FROM apt-base as protobuf
-ARG PROTOC_VERSION=v31.1 # repo=protocolbuffers/protobuf
+ARG PROTOC_VERSION=v32.1 # repo=protocolbuffers/protobuf
 RUN url="https://github.com/google/protobuf/releases/download/$PROTOC_VERSION/protoc-${PROTOC_VERSION#v}-linux-$(uname -m).zip" ; \
     cd $(mktemp -d) && \
     scurl -o protoc.zip  "$url" && \
@@ -186,13 +163,13 @@ RUN url="https://github.com/rust-secure-code/cargo-auditable/releases/download/$
 
 # cargo-deny checks cargo dependencies for licensing and RUSTSEC security issues.
 FROM apt-base as cargo-deny
-ARG CARGO_DENY_VERSION=0.18.3 # repo=EmbarkStudios/cargo-deny
+ARG CARGO_DENY_VERSION=0.18.5 # repo=EmbarkStudios/cargo-deny
 RUN url="https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - --strip-components=1 -C /usr/local/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny"
 
 # cargo-nextest is a nicer test runner.
 FROM apt-base as cargo-nextest
-ARG NEXTEST_VERSION=0.9.101 # repo=nextest-rs/nextest,prefix=cargo-nextest-
+ARG NEXTEST_VERSION=0.9.104 # repo=nextest-rs/nextest,prefix=cargo-nextest-
 RUN url="https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${NEXTEST_VERSION}/cargo-nextest-${NEXTEST_VERSION}-x86_64-unknown-linux-gnu.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin cargo-nextest
 
@@ -248,7 +225,7 @@ FROM docker.io/library/golang:${GO_TAG} as gotests
 RUN go install github.com/cweill/gotests/gotests@latest
 
 FROM docker.io/library/golang:${GO_TAG} as gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GOTESTSUM_VERSION=v1.13.0  # repo=gotestyourself/gotestsum
 RUN go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
 
 FROM scratch as tools-go
@@ -344,6 +321,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
     DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        binutils-aarch64-linux-gnu \
         g++-aarch64-linux-gnu \
         gcc-aarch64-linux-gnu \
         libc6-dev-arm64-cross

actions/setup-tools/action.yml

@@ -10,22 +10,31 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: docker/setup-buildx-action@v3
+    - name: "Hack mandb"
+      shell: bash
+      run: |
+        sudo dpkg-divert --local --rename --add /usr/bin/mandb
+        sudo ln -sf /bin/true /usr/bin/mandb
+
+    - shell: bash
+      run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo umoci
 
     - name: Extract tools
       shell: bash
       run: |
         set -xeuo pipefail
 
-        build=$(mktemp -d '${{ runner.temp }}/build.XXXX')
-        echo 'FROM ghcr.io/linkerd/dev:${{ inputs.version }}-tools' > "$build"/Dockerfile
+        oci_dir=$(mktemp -d '${{ runner.temp }}/oci.XXXX')
+        bundle_dir=$(mktemp -d '${{ runner.temp }}/bundle.XXXX')
 
-        tools=$(mktemp -d '${{ runner.temp }}/tools.XXXX')
-        docker buildx build "$build" --output="type=local,dest=$tools/"
+        skopeo copy \
+          "docker://ghcr.io/linkerd/dev:${{ inputs.version }}-tools" \
+          "oci:$oci_dir:tools"
+
+        umoci unpack --rootless --image "$oci_dir:tools" "$bundle_dir"
+
+        tools="$bundle_dir/rootfs"
         (
           echo K3S_IMAGES_JSON="$tools/etc/k3s-images.json"
           echo PATH="$tools/bin:$PATH"
         ) >> "$GITHUB_ENV"
-
-    - shell: bash
-      run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo jq