chore(deps): update dependency dash14/buildcage to v2.2.3#173
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency dash14/buildcage to v2.2.3#173renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.2.2→v2.2.3v2.2.2→v2.2.3Release Notes
dash14/buildcage (dash14/buildcage)
v2.2.3Compare Source
Breaking Changes
Rename the
sandboxaction torun(#166)dash14/buildcage/sandbox@...doesn't describe what the action does — it applies buildcage's network-isolation technology to run an arbitrary command, not "sandbox" it in some more general sense. The action is nowdash14/buildcage/run, matching what a workflow author actually calls it for. No backward-compatible alias is kept.Before (v2.2.x):
After (v2.2.3):
Features
runaction's audit report (#170)reportaction's audit-mode Job Summary already includes a ready-to-paste restrict-mode YAML example built from the audited hosts, saving a workflow author from hand-copying hostnames out of the table. Therunaction's own report renderer now generates the same kind of example — arun@<ref>step withproxy_mode: restrictand the discovered allowlist rules, plus the originalrun:command preserved so it stays copy-pasteable on its ownBug Fixes
/procmounts (#167)run-isolated.sh's read-only pass walks every mount under/proc/self/mountinfoand fails closed if a remount is rejected. Under Docker Desktop,/proc/scsiand/proc/interruptsare masked before the sandbox re-parents them under a fresh procfs, and the kernel then rejects an otherwise-harmless remount on them, breaking the mac dev loop without indicating any actual isolation gap. Mounts already reported read-only are now skipped, and remaining rejections get one retry re-bound onto themselvesrun'sactionRef/actionRepofallback for local-path invocations (#171)run/src/main.jsfell through to an empty string instead ofreport/src/main.js's"v2"/"dash14/buildcage"defaults when invoked viauses: ./run, rendering a brokenuses: /run@in the generated audit-mode examplerun:block (#172)run: |block scalar always keeps one trailing newline, whichsplit()turned into a spurious empty lineparseVertexAllowedLogto handlebuildctl's multi-document JSON output (#172)JSON.parse()on the whole log text threw wheneverbuildctl debug logs --progress=rawjsonflushed more than one newline-separated JSON document, silently dropping theexplicitengine's Audited Hosts table and Communication details sectionImprovements
labelinput to therunaction (#172)## Outbound Traffic Report — <label> (mode)) and Audited/Blocked/Allowed Hosts sub-headings with thereportaction's, so multiplerunsteps in the same job can be told apart in the summaryDocumentation
example-explicit.yml, an example workflow for the experimentalexplicitproxy engine (#172)example-run-audit.yml, an example workflow for therunaction'sauditmode (#172)CI / Maintenance
test.ymlintotest-unit.yml,test-integration.yml, andtest-e2e.yml(#157)unit: test,integration: test (...),e2e: test (...)), replacing the singleall-tests-passedrequired check with one aggregator per tierrunaction's e2e tests by case and consolidate its integration tests (#171)writable:/privilege-drop/filesystem-default cases and direct concurrent proxy lifecycles don't depend on the action wrapper, so they've moved out oftest-e2e.ymlinto real shell scripts underrun/test/, run via a singlemake test_sandbox_integrationtarget; a newtest_sandbox_audit_modee2e job covers the restrict-mode example added in #170latestDocker tag on release publish, not draft creation (#169)docker-publish.ymlruns on tag push, which happens while creating the draft release, solatestwas moving onto a new version before anyone reviewed or published it. Tagginglatestis now handled byupdate-major-tag.yml, gated onrelease: published, alongside the existing major/minor floating tagsRefactoring
setup/docker/,sandbox/docker/(nowrun/docker/),setup/test/,sandbox/test/were shared across actions despite belonging to only one of them, making ownership unclear as the actions diverged. Code actually shared across actions (image verification, Sigstore, rule/log parsing) was consolidated into a newcore/Dependencies
dash14/buildcageaction pin to v2.2.2 (#130)github/codeql-actionto v4.36.3 (#158)docker/build-push-actionto v7.3.0 (#159)docker/login-actionto v4.4.0 (#161)docker/setup-buildx-actionto v4.2.0 (#162)docker/metadata-actionto v6.2.0 (#163)docker/setup-qemu-actionto v4.2.0 (#164)google.golang.org/grpcto v1.82.0 (#165)Full Changelog: v2.2.2...v2.2.3
Configuration
📅 Schedule: (UTC)
* * * * 6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.