fulcio 1.3.2 -> 1.3.3 https://github.com/sigstore/fulcio/releases
attrpath: fulcio
Checking auto update branch...
No auto update branch exists
[version]
[version] generic version rewriter does not support multiple hashes
[rustCrateVersion]
[rustCrateVersion] No cargoSha256 or cargoHash found
[golangModuleVersion]
[golangModuleVersion] Found old vendorHash = "sha256-v027osOhD83tNjGfsJ6LDU4BVDBZVKRsc1ceF49G02c="
[golangModuleVersion] Replaced vendorHash with sha256-zbh/NWA9or3dIeAwQ/sUOKrq03d3KVa5G5JkPbissr8=
[golangModuleVersion] Finished updating vendorHash
[updateScript]
[updateScript] skipping because derivation has no updateScript
[quotedUrls]
[quotedUrls] nothing found to replace
Diff after rewrites:
diff --git a/pkgs/tools/security/fulcio/default.nix b/pkgs/tools/security/fulcio/default.nix
index 945524f9fdd..865f0d6a538 100644
--- a/pkgs/tools/security/fulcio/default.nix
+++ b/pkgs/tools/security/fulcio/default.nix
@@ -2,13 +2,13 @@
buildGoModule rec {
pname = "fulcio";
- version = "1.3.2";
+ version = "1.3.3";
src = fetchFromGitHub {
owner = "sigstore";
repo = pname;
rev = "v${version}";
- sha256 = "sha256-MkvHztIpPVUPeJbPOgeKbYCqXJHkOzmu4u5WdMaFL50=";
+ sha256 = "sha256-sDOsnpxvPTlexZFDEbF7kOl/1h/Xl3/ziBII95Oxqsw=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
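Review bot: the `+ sha256 = "sha256-sDOs..."` line keeps an SRI-format string under the `sha256` attribute of `fetchFromGitHub`; since the value is already SRI, consider renaming the attribute to `hash` in the same bump so the argument name matches the format it holds. When verifying the new value, note that `leaveDotGit = true` in the trailing context means the source comes from a git checkout processed by `postFetch`, so the hash has to be reproduced by realising the fetch itself rather than by hashing the release archive.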
@@ -20,7 +20,7 @@ buildGoModule rec {
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
- vendorHash = "sha256-v027osOhD83tNjGfsJ6LDU4BVDBZVKRsc1ceF49G02c=";
+ vendorHash = "sha256-zbh/NWA9or3dIeAwQ/sUOKrq03d3KVa5G5JkPbissr8=";
nativeBuildInputs = [ installShellFiles ];
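Review bot: the changed `vendorHash` on the `+` line shows that the vendored Go module set differs between 1.3.2 and 1.3.3, but nothing in the change says which dependencies moved. For a package that issues code-signing certificates, it is worth comparing upstream `go.mod`/`go.sum` between the `v1.3.2` and `v1.3.3` tags before merging, and confirming the new hash by rebuilding the vendor derivation rather than accepting the auto-replaced value.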
Successfully finished processing
cachix "/nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3"
[check][nixpkgs-review]
Result of `nixpkgs-review` run on x86_64-linux [1](https://github.com/Mic92/nixpkgs-review)
1 package built:
Waiting for OfBorg: https://events.ofborg.org/stats.php's evaluator.messages.waiting = 3
Automatic update generated by [nixpkgs-update](https://github.com/ryantm/nixpkgs-update) tools. This update was made based on information from https://github.com/sigstore/fulcio/releases.
meta.description for fulcio is: A Root-CA for code signing certs - issuing certificates based on an OIDC email address
meta.homepage for fulcio is: https://github.com/sigstore/fulcio
meta.changelog for fulcio is: https://github.com/sigstore/fulcio/releases/tag/v1.3.3
###### Updates performed
- Golang update
###### To inspect upstream changes
###### Impact
Checks done
---
- built on NixOS
- The tests defined in `passthru.tests`, if any, passed
- found 1.3.3 with grep in /nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3
- found 1.3.3 in filename of file in /nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3
---
Rebuild report (if merged into master)
```
1 total rebuild path(s)
1 package rebuild(s)
First fifty rebuilds by attrpath
fulcio
```
Instructions to test this update
---
Either **download from Cachix**:
```
nix-store -r /nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3 \
--option binary-caches 'https://cache.nixos.org/ https://nix-community.cachix.org/' \
--option trusted-public-keys '
nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
'
```
(The Cachix cache is only trusted for this store-path realization.)
For the Cachix download to work, your user must be in the `trusted-users` list or you can use `sudo` since root is effectively trusted.
Or, **build yourself**:
```
nix-build -A fulcio https://github.com/r-ryantm/nixpkgs/archive/8f3121d74e2aafc4867eb07dbffb7a85600b5d96.tar.gz
```
After you've downloaded or built it, look at the files and if there are any, run the binaries:
```
ls -la /nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3
ls -la /nix/store/pzz3mj7g8fcyssvqmdkcsfpcjx7cmyr7-fulcio-1.3.3/bin
```
---
### Pre-merge build results
We have automatically built all packages that will get rebuilt due to
this change.
This gives evidence on whether the upgrade will break dependent packages.
Note sometimes packages show up as _failed to build_ independent of the
change, simply because they are already broken on the target branch.
Result of `nixpkgs-review` run on x86_64-linux [1](https://github.com/Mic92/nixpkgs-review)
1 package built:
---
###### Maintainer pings
cc @LeSuisse @06kellyjac for [testing](https://github.com/ryantm/nixpkgs-update/blob/master/doc/nixpkgs-maintainer-faq.md#r-ryantm-opened-a-pr-for-my-package-what-do-i-do).
https://api.github.com/repos/NixOS/nixpkgs/pulls/242976
fulcio 1.3.2 -> 1.3.3 https://github.com/sigstore/fulcio/releases
attrpath: fulcio
Checking auto update branch...
No auto update branch exists
Old version 1.3.2" not present in master derivation file with contents: { lib, buildGoModule, fetchFromGitHub, installShellFiles }:
buildGoModule rec {
pname = "fulcio";
version = "1.3.3";
src = fetchFromGitHub {
owner = "sigstore";
repo = pname;
rev = "v${version}";
sha256 = "sha256-sDOsnpxvPTlexZFDEbF7kOl/1h/Xl3/ziBII95Oxqsw=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
postFetch = ''
cd "$out"
git rev-parse HEAD > $out/COMMIT
# 0000-00-00T00:00:00Z
date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
vendorHash = "sha256-zbh/NWA9or3dIeAwQ/sUOKrq03d3KVa5G5JkPbissr8=";
nativeBuildInputs = [ installShellFiles ];
subPackages = [ "." ];
ldflags = [
"-s"
"-w"
"-X sigs.k8s.io/release-utils/version.gitVersion=v${version}"
"-X sigs.k8s.io/release-utils/version.gitTreeState=clean"
];
# ldflags based on metadata from git and source
preBuild = ''
ldflags+=" -X sigs.k8s.io/release-utils/version.gitCommit=$(cat COMMIT)"
ldflags+=" -X sigs.k8s.io/release-utils/version.buildDate=$(cat SOURCE_DATE_EPOCH)"
'';
preCheck = ''
# test all paths
unset subPackages
# skip test that requires networking
substituteInPlace pkg/config/config_network_test.go \
--replace "TestLoad" "SkipLoad"
'';
postInstall = ''
installShellCompletion --cmd fulcio \
--bash <($out/bin/fulcio completion bash) \
--fish <($out/bin/fulcio completion fish) \
--zsh <($out/bin/fulcio completion zsh)
'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
$out/bin/fulcio --help
$out/bin/fulcio version 2>&1 | grep "v${version}"
runHook postInstallCheck
'';
meta = with lib; {
homepage = "https://github.com/sigstore/fulcio";
changelog = "https://github.com/sigstore/fulcio/releases/tag/v${version}";
description = "A Root-CA for code signing certs - issuing certificates based on an OIDC email address";
longDescription = ''
Fulcio is a free code signing Certificate Authority, built to make
short-lived certificates available to anyone. Based on an Open ID Connect
email address, Fulcio signs x509 certificates valid for under 20 minutes.
Fulcio was designed to run as a centralized, public-good instance backed
up by other transparency logs. Development is now underway to support
different delegation models, and to deploy and run Fulcio as a
disconnected instance.
'';
license = licenses.asl20;
maintainers = with maintainers; [ lesuisse jk ];
};
}