v48 (#69)

* fix: Setup devcontainers for building aws-lc-sys

This needs a few environment variables and debian packages installed to facilitate building that package. This includes the env vars in the `just-cargo` invocation, and the packages in the rust, rust-musl, and devcontainer images.

* fix: Remove CFLAGS from just-cargo

* v48

- Update dependabot to properly scan the dev Dockerfile weekly
- Add syft, grype, oras, and cosign to the tools iamge
- Update various dependencies to be managed as OCI dependencies (for dependabot
  management)
- Update other dependencies, including Go (to 1.25) and Rust (to 1.90)
- setup-tools action:
  - Hack mandb to avoid slowness during apt installs in GitHub Actions
  - Unpack the tools binaries without doing a full docker buildx setup

Author: olix0r

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
     "name": "linkerd-dev",
-    "image": "ghcr.io/linkerd/dev:v46",
+    "image": "ghcr.io/linkerd/dev:v48",
     "customizations": {
         "vscode": {
             "extensions": [

.github/dependabot.yml

@@ -1,15 +1,11 @@
 version: 2
 updates:
   - package-ecosystem: "docker"
-    directory: "/.devcontainer"
+    directory: "/"
     schedule:
-      interval: daily
-      time: "05:00"
-      timezone: "UTC"
+      interval: "weekly"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-      time: "04:00"
-      timezone: "UTC"
+      interval: "weekly"

Dockerfile

@@ -5,8 +5,8 @@
 ##
 
 
-ARG GO_TAG=1.24
-ARG RUST_TAG=1.88.0
+ARG GO_TAG=1.25
+ARG RUST_TAG=1.90.0
 
 # These layers include Debian apt caches, so layers that extend `apt-base`
 # should not be published. Instead, these layers should be used to provide
@@ -45,13 +45,13 @@ RUN url="https://github.com/olix0r/j5j/releases/download/${J5J_VERSION}/j5j-${J5
 
 # just runs build/test recipes. Like `make` but a bit more ergonomic.
 FROM apt-base as just
-ARG JUST_VERSION=1.42.4 # repo=casey/just
+ARG JUST_VERSION=1.43.0 # repo=casey/just
 RUN url="https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin just
 
 # yq is kind of like jq, but for YAML.
 FROM apt-base as yq
-ARG YQ_VERSION=v4.47.1 # repo=mikefarah/yq
+ARG YQ_VERSION=v4.47.2 # repo=mikefarah/yq
 RUN url="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" ; \
     scurl -o /yq "$url" && chmod +x /yq
 
@@ -67,7 +67,7 @@ COPY --link bin/scurl /bin/
 
 # helm templates kubernetes manifests.
 FROM apt-base as helm
-ARG HELM_VERSION=v3.18.4 # repo=helm/helm
+ARG HELM_VERSION=v3.19.0 # repo=helm/helm
 RUN url="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" ; \
     scurl "$url" | tar xzvf - --strip-components=1 -C /usr/local/bin linux-amd64/helm
 
@@ -80,50 +80,34 @@ RUN url="https://github.com/norwoodj/helm-docs/releases/download/$HELM_DOCS_VERS
 
 # kubectl controls kubernetes clusters.
 FROM apt-base as kubectl
-ARG KUBECTL_VERSION=v1.33.3 # repo=kubernetes/kubernetes
+ARG KUBECTL_VERSION=v1.34.1 # repo=kubernetes/kubernetes
 RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; \
     scurl -o /usr/local/bin/kubectl "$url" && chmod +x /usr/local/bin/kubectl
 
 # k3d runs kubernetes clusters in docker.
 FROM apt-base as k3d
-ARG K3D_VERSION=v5.8.3 # repo=rancher/k3d
-RUN url="https://raw.githubusercontent.com/rancher/k3d/$K3D_VERSION/install.sh" ; \
-    scurl "$url" | USE_SUDO=false K3D_INSTALL_DIR=/usr/local/bin bash
+COPY --link --from=ghcr.io/k3d-io/k3d:5.8.3 /bin/k3d /usr/local/bin/
 # just-k3d is a utility that encodes many of the common k3d commands we use.
 COPY --link bin/just-k3d /usr/local/bin/
 # `K3S_IMAGES_JSON` configures just-k3d so that it uses a pinned version of k3s.
 # This is generated by `just sync-k3s-images` and i
 ENV K3S_IMAGES_JSON=/usr/local/etc/k3s-images.json
 COPY --link k3s-images.json "$K3S_IMAGES_JSON"
 
-# step is a tool for managing certificates.
-FROM apt-base as step
-ARG STEP_VERSION=v0.28.7 # repo=smallstep/cli
-RUN url="https://dl.smallstep.com/gh-release/cli/gh-release-header/${STEP_VERSION}/step_linux_${STEP_VERSION#v}_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - --strip-components=2 -C /usr/local/bin step_"${STEP_VERSION#v}"/bin/step
-
 FROM scratch as tools-k8s
 COPY --link --from=helm /usr/local/bin/helm /bin/
 COPY --link --from=helm-docs /usr/local/bin/helm-docs /bin/
 COPY --link --from=k3d /usr/local/bin/* /bin/
 ENV K3S_IMAGES_JSON=/etc/k3s-images.json
 COPY --link --from=k3d /usr/local/etc/k3s-images.json "$K3S_IMAGES_JSON"
 COPY --link --from=kubectl /usr/local/bin/kubectl /bin/
-COPY --link --from=step /usr/local/bin/step /bin/
-
-FROM apt-base as syft
-ARG SYFT_VERSION=v1.29.0 # repo=anchore/syft
-RUN url="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - -C /usr/local/bin syft
-
-FROM apt-base as grype
-ARG GRYPE_VERSION=v0.96.1 # repo=anchore/grype
-RUN url="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${GRYPE_VERSION#v}_linux_amd64.tar.gz" ; \
-    scurl "$url" | tar xzvf - -C /usr/local/bin grype
+COPY --link --from=docker.io/smallstep/step-cli:0.28.7 /usr/local/bin/step /bin/
 
 FROM scratch as tools-oci
-COPY --link --from=syft /usr/local/bin/syft /bin/
-COPY --link --from=grype /usr/local/bin/grype /bin/
+COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.6.0 /ko-app/cosign /bin/
+COPY --link --from=ghcr.io/oras-project/oras:v1.3.0 /bin/oras /bin/
+COPY --link --from=ghcr.io/anchore/syft:v1.33.0 /syft /bin/
+COPY --link --from=ghcr.io/anchore/grype:v0.96.1 /grype /bin/
 
 ##
 ## Linting tools
@@ -141,25 +125,18 @@ ARG CHECKSEC_VERSION=2.7.1 # ignore
 RUN url="https://raw.githubusercontent.com/slimm609/checksec/${CHECKSEC_VERSION}/checksec" ; \
     scurl -o /usr/local/bin/checksec "$url" && chmod 755 /usr/local/bin/checksec
 
-# shellcheck lints shell scripts.
-FROM apt-base as shellcheck
-ARG SHELLCHECK_VERSION=v0.10.0 # repo=koalaman/shellcheck
-RUN url="https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ; \
-    scurl "$url" | tar xJvf - --strip-components=1 -C /usr/local/bin "shellcheck-${SHELLCHECK_VERSION}/shellcheck"
-COPY --link bin/just-sh /usr/local/bin/
-
 FROM scratch as tools-lint
 COPY --link --from=actionlint /usr/local/bin/actionlint /bin/
 COPY --link --from=checksec /usr/local/bin/checksec /bin/
-COPY --link --from=shellcheck /usr/local/bin/shellcheck /bin/
+COPY --link --from=docker.io/koalaman/shellcheck:v0.11.0 /bin/shellcheck /bin/
 COPY --link bin/action-* bin/just-dev bin/just-sh /bin/
 
 ##
 ## Protobuf
 ##
 
 FROM apt-base as protobuf
-ARG PROTOC_VERSION=v31.1 # repo=protocolbuffers/protobuf
+ARG PROTOC_VERSION=v32.1 # repo=protocolbuffers/protobuf
 RUN url="https://github.com/google/protobuf/releases/download/$PROTOC_VERSION/protoc-${PROTOC_VERSION#v}-linux-$(uname -m).zip" ; \
     cd $(mktemp -d) && \
     scurl -o protoc.zip  "$url" && \
@@ -186,13 +163,13 @@ RUN url="https://github.com/rust-secure-code/cargo-auditable/releases/download/$
 
 # cargo-deny checks cargo dependencies for licensing and RUSTSEC security issues.
 FROM apt-base as cargo-deny
-ARG CARGO_DENY_VERSION=0.18.3 # repo=EmbarkStudios/cargo-deny
+ARG CARGO_DENY_VERSION=0.18.5 # repo=EmbarkStudios/cargo-deny
 RUN url="https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - --strip-components=1 -C /usr/local/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny"
 
 # cargo-nextest is a nicer test runner.
 FROM apt-base as cargo-nextest
-ARG NEXTEST_VERSION=0.9.101 # repo=nextest-rs/nextest,prefix=cargo-nextest-
+ARG NEXTEST_VERSION=0.9.104 # repo=nextest-rs/nextest,prefix=cargo-nextest-
 RUN url="https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${NEXTEST_VERSION}/cargo-nextest-${NEXTEST_VERSION}-x86_64-unknown-linux-gnu.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin cargo-nextest
 
@@ -248,7 +225,7 @@ FROM docker.io/library/golang:${GO_TAG} as gotests
 RUN go install github.com/cweill/gotests/gotests@latest
 
 FROM docker.io/library/golang:${GO_TAG} as gotestsum
-ARG GOTESTSUM_VERSION=v1.12.0
+ARG GOTESTSUM_VERSION=v1.13.0  # repo=gotestyourself/gotestsum
 RUN go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
 
 FROM scratch as tools-go
@@ -310,6 +287,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \
         cmake \
         curl \
         file \
+        gh \
         git \
         jo \
         jq \
@@ -344,6 +322,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
     DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        binutils-aarch64-linux-gnu \
         g++-aarch64-linux-gnu \
         gcc-aarch64-linux-gnu \
         libc6-dev-arm64-cross

actions/setup-go/action.yml

@@ -5,7 +5,7 @@ inputs:
   # TODO(ver): CI should validate at this version matches that in the Dockerfile
   version:
     description: Go version
-    default: 1.24
+    default: 1.25
 
 runs:
   using: composite

actions/setup-rust/action.yml

@@ -6,7 +6,7 @@ inputs:
   # TODO(ver): CI should validate at this version matches that in the Dockerfile
   version:
     description: Container image version
-    default: 1.88.0
+    default: 1.90.0
 
   components:
     description: Rust components to install

actions/setup-tools/action.yml

@@ -5,27 +5,36 @@ inputs:
   # TODO(ver): CI should validate at this version matches the most recent release tag
   version:
     description: Container image version
-    default: v47
+    default: v48
 
 runs:
   using: composite
   steps:
-    - uses: docker/setup-buildx-action@v3
+    - name: "Hack mandb"
+      shell: bash
+      run: |
+        sudo dpkg-divert --local --rename --add /usr/bin/mandb
+        sudo ln -sf /bin/true /usr/bin/mandb
+
+    - shell: bash
+      run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo umoci
 
     - name: Extract tools
       shell: bash
       run: |
         set -xeuo pipefail
 
-        build=$(mktemp -d '${{ runner.temp }}/build.XXXX')
-        echo 'FROM ghcr.io/linkerd/dev:${{ inputs.version }}-tools' > "$build"/Dockerfile
+        oci_dir=$(mktemp -d '${{ runner.temp }}/oci.XXXX')
+        bundle_dir=$(mktemp -d '${{ runner.temp }}/bundle.XXXX')
 
-        tools=$(mktemp -d '${{ runner.temp }}/tools.XXXX')
-        docker buildx build "$build" --output="type=local,dest=$tools/"
+        skopeo copy \
+          "docker://ghcr.io/linkerd/dev:${{ inputs.version }}-tools" \
+          "oci:$oci_dir:tools"
+
+        umoci unpack --rootless --image "$oci_dir:tools" "$bundle_dir"
+
+        tools="$bundle_dir/rootfs"
         (
           echo K3S_IMAGES_JSON="$tools/etc/k3s-images.json"
           echo PATH="$tools/bin:$PATH"
         ) >> "$GITHUB_ENV"
-
-    - shell: bash
-      run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo jq

bin/just-cargo

@@ -9,7 +9,7 @@ profile := 'debug' # or 'release'
 _release := if profile == 'release' { '--release' } else { '' }
 
 toolchain := ""
-export CARGO := env_var_or_default("CARGO", "cargo" + if toolchain != "" { " +" + toolchain } else { "" })
+export CARGO := env_var_or_default("CARGO", "cargo auditable" + if toolchain != "" { " +" + toolchain } else { "" })
 
 target := ''
 _target := if target == '' {
@@ -33,14 +33,12 @@ _rustflags-self-contained := "-Clink-self-contained=yes -Clinker=rust-lld -Clink
 # linux/arm64 + gnu
 export AR_aarch64_unknown_linux_gnu := _ar
 export CC_aarch64_unknown_linux_gnu := _clang
-export CFLAGS_aarch64_unknown_linux_gnu := '--sysroot=/usr/aarch64-linux-gnu'
 export STRIP_aarch64_unknown_linux_gnu := _strip
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER := 'aarch64-linux-gnu-gcc'
 
 # linux/arm64 + musl
 export AR_aarch64_unknown_linux_musl := _ar
 export CC_aarch64_unknown_linux_musl := _clang
-export CFLAGS_aarch64_unknown_linux_musl := '--sysroot=/usr/aarch64-linux-gnu'
 export STRIP_aarch64_unknown_linux_musl := _strip
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS := _rustflags-self-contained
 

k3s-images.json

@@ -1,8 +1,8 @@
 {
   "name": "docker.io/rancher/k3s",
   "channels": {
-    "stable": "v1.32.6-k3s1",
-    "latest": "v1.33.2-k3s1",
+    "stable": "v1.33.5-k3s1",
+    "latest": "v1.34.1-k3s1",
     "v1.20": "v1.20.15-k3s1",
     "v1.21": "v1.21.14-k3s1",
     "v1.22": "v1.22.17-k3s1",
@@ -13,10 +13,11 @@
     "v1.27": "v1.27.16-k3s1",
     "v1.28": "v1.28.15-k3s1",
     "v1.29": "v1.29.15-k3s1",
-    "v1.30": "v1.30.14-k3s1",
-    "v1.31": "v1.31.10-k3s1",
-    "v1.32": "v1.32.6-k3s1",
-    "v1.33": "v1.33.2-k3s1"
+    "v1.30": "v1.30.14-k3s2",
+    "v1.31": "v1.31.13-k3s1",
+    "v1.32": "v1.32.9-k3s1",
+    "v1.33": "v1.33.5-k3s1",
+    "v1.34": "v1.34.1-k3s1"
   },
   "digests": {
     "v1.20.15-k3s1": "sha256:0e49b63b8ee234e308ff578682f8f4f2f95bffda7ba75077e5da29548cd2a6b3",
@@ -29,9 +30,10 @@
     "v1.27.16-k3s1": "sha256:b7bca8255da9e25a9fdd95bae61f99f8cd424d90691fc5125621b2955bebdfd2",
     "v1.28.15-k3s1": "sha256:af4f882a4cfaf418cb03d52c59cd150f42bf2b72f084c4592c6a133f4856660d",
     "v1.29.15-k3s1": "sha256:8f782bd47a41509e89c1ad1d60b02998cc5b0f1310a36c65aa0f331cde866c80",
-    "v1.30.14-k3s1": "sha256:cbed71f50f16fc98a7f64c6ecf21fd8fc04efc41ad7d664fb46b199c7bd3fda7",
-    "v1.31.10-k3s1": "sha256:8c7032ab267c3a571bac4fafffbb54e249386dbc73ebe5532fb390fa998a7936",
-    "v1.32.6-k3s1": "sha256:4cd4ccd268089f92e4efcc64916b1313ecdd38291a48129508cf47fa32934006",
-    "v1.33.2-k3s1": "sha256:d8f05b9043d136c3fb01d6cf677caaef304568b8c99bdd359b86d3d7286de1df"
+    "v1.30.14-k3s2": "sha256:5f02ba89b28861574b1677d91943b57f55f5fe0b451d539f83e650c8925fd9a2",
+    "v1.31.13-k3s1": "sha256:3f43b78b337265dc1c0540e1f88af18ca4826910353120991a0edfeaa68d1269",
+    "v1.32.9-k3s1": "sha256:af1f66e58580ea4027eeef9a65ef95cc29554ff96c8eddb4fc1267c71fe15328",
+    "v1.33.5-k3s1": "sha256:fd4740667b7033055c27d424d0d2d660bf66cedbdb225d68e0eab6dd48aa0fd2",
+    "v1.34.1-k3s1": "sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c"
   }
 }