Update dependency aquaproj/aqua to v2.27.3

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v2.16.2 -> v2.27.3

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.27.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.2...v2.27.3

Bug Fixes

#​2833 #​2834 Fix a bug that a checksum id of go_build type package is empty

aqua-checksums.json

    {
      "id": "",
      "checksum": "C4D72E482B85570A1A73776EEF47E993B5F8FA6C204E0B1CAA794E4DF4F13521",
      "algorithm": "sha256"
    }

v2.27.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.1...v2.27.2

Bug Fixes

#​2830 Improve handling of broken registry JSON files

When aqua reads Standard Registry and github_content Registries, aqua converts them to JSON once and saves them.
And aqua reads JSON files instead of YAML files from the next time.
This improves the performance a bit. #​2517

But if a JSON file got broken, aqua got not working.
In that case, you had to remove the file yourself.

This issue rarely occurs, but this release resolves it.
If a JSON file gets broken, aqua removes and recreates the file.
So aqua continues working and you don't have to remove the file yourself.

v2.27.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.0...v2.27.1

Others

#​2824 #​2825 Generate shell completion on brew install @​ryota2357

ref. https://github.com/aquaproj/homebrew-aqua/blob/c4731da7c66a797e93b5efbcc5340b39f86f559b/aqua.rb#L19

⚠️ To enable shell completion, you have to configure FPATH and so on.

#​2809 chore: update aqua-proy to v1.2.6

🎉 New Contributors

Thank you for your contribution!

@​ryota2357 #​2825

v2.27.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.26.0...v2.27.0

Features

#​2702 #​2806 checksum: Support enforcing checksum verification via environment variables

You can enforce checksum verification by environment variables AQUA_ENFORCE_CHECKSUM and AQUA_ENFORCE_REQUIRE_CHECKSUM.

export AQUA_ENFORCE_CHECKSUM=true
export AQUA_ENFORCE_REQUIRE_CHECKSUM=true

This is useful for both CI and local development.

Checksum verification is disabled by default, and you can disable checksum verification by setting.
If you manage a Monorepo and want to make checksum verification mandatory in CI, you can set these environment variables in CI. Then checksum verification is enabled regardless of the setting of aqua.yaml.

And if you want to enforce checksum verification on your laptop, you can set these environment variables in your shell configuration files such as .bashrc and .zshrc.

v2.26.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.2...v2.26.0

Features

#​2782 #​2804 generate: add -g option to add packages to a global configuration file

e.g.

$ aqua g -g cli/cli

You can add packages to a global configuration file with -g and -i option.

e.g.

$ aqua g -g -i cli/cli

If there are multiple global configuration files, a first global configuration file is used.

Others

#​2803 Update the help message of remove command

Note that this command remove files from AQUA_ROOT_DIR/pkgs, but doesn't remove packages from aqua.yaml and doesn't remove files from AQUA_ROOT_DIR/bin and AQUA_ROOT_DIR/bat.

v2.25.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.1...v2.25.2

Bug Fixes

#​2781 #​2786 list: Fix a bug that packages in that same aqua.yaml is outputted by aqua list --installed

Others

#​2779 #​2788 Update slsa-verifier to v2.5.1
#​2787 Update go directive to 1.22 and refactor codes with Go new features

v2.25.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.0...v2.25.1

Bug Fixes

#​1665 #​2757 Fix the verification error of Cosign
#​2764 #​2765 Fix SIGSEGV: segmentation violation of aqua update and aqua generate commands

Others

#​2756 Update the template of aqua.yaml generated by aqua init to follow a yamllint comment rule @​bhundven

v2.25.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.24.1...v2.25.0

Features

#​2749 #​2752 Support excluding some packages from the target of aqua update

e.g. aqua.yaml

packages:
  - name: golang/vuln/[email protected]
    update:

##### If enabled is false, aqua up command ignores the package.
##### If the package name is passed to aqua up command explicitly, enabled is ignored.

##### By default, enabled is true.
      enabled: false

Fixes

#​2747 #​2354 #​2750 #​2751 Improve the logic to get the latest version

We've changed the logic to get the latest version in some commands such as aqua update and aqua generate.
The original logic was to call GitHub API Get a latest release, but a latest release wan't necessarily a latest version.
So we changed the logic to list the recent releases and get a latest version by semver.

v2.24.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.24.0...v2.24.1

Bug Fixes

#​2742 #​2744 fix a bug that aqua g and aqua gr commands don't work for cargo package

This bug was due to crates.io crawler policy.

We are unable to process your request at this time.
This usually means that you are in violation of our crawler policy.

We could resolve the issue by setting the User-Agent header.

v2.24.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.2...v2.24.0

Features

#​2709 #​2733 Support listing installed packages

Command line options -installed and -all [-a] were added to aqua list command.

aqua list -installed [-a]

If -installed is set, installed packages are outputted.

e.g.

$ aqua list -installed   
rhysd/actionlint	v1.6.27	standard
suzuki-shunsuke/cmdx	v1.7.4	standard
sigstore/cosign	v1.13.2	standard
suzuki-shunsuke/ghalint	v0.2.9	standard
int128/ghcp	v1.13.2	standard
golangci/golangci-lint	v1.56.2	standard
goreleaser/goreleaser	v1.24.0	standard
reviewdog/reviewdog	v0.17.1	standard

By default, global configuration files are ignored.
To output packages in global configuration files too, please set the option -all [-a].

$ aqua list -a -installed

v2.23.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.1...v2.23.2

Fixes

#​2714 Fix a bug that it fails to download large files from GitHub repositories

Use the API RepositoriesService.DownloadContents instead of RepositoriesService.GetContents to download large files from GitHub.

https://pkg.go.dev/github.com/google/go-github/v60/github#RepositoriesService.DownloadContents

DownloadContents returns an io.ReadCloser that reads the contents of the specified file.
This function will work with files of any size, as opposed to GetContents which is limited to 1 Mb files. It is the caller's responsibility to close the ReadCloser.

If you use old aqua and face the following error, please update aqua to v2.23.2 or newer.

unsupported content encoding: none, this may occur when file size > 1 MB, if that is the case consider using DownloadContents

Others

Update Go 1.21.6 to 1.22.0

v2.23.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.0...v2.23.1

Bug Fixes

#​2661 #​2662 update-checksum: Fix a bug that update-checksum doesn't work well if packages use both cargo or go_install types and other types

For example, the package eza-community/eza uses cargo type for darwin and windows/arm64 and github_relaese type for other platforms. In this case, aqua update-checksum didn't work well.

https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L2
https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L54-L57

This release fixed the issue.

v2.23.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.22.0...v2.23.0

Features

#​2649 #​2652 cargo: Trim a prefix from cargo package's version

Bug Fixes

#​2642 info: Output AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#disable-the-verification-with-cosign-and-slsa-provenance

#​2654 generate-registry: Fix a bug that same version_overrides aren't merged properly

Others

#​2644 Update aqua-proxy to v1.2.5
#​2653 Update JSON Schema

v2.22.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.3...v2.22.0

Features

#​2631 #​2633 #​2634 Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

Why is the feature needed?

[!CAUTION]
This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow the access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i

env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i

Update dependencies

• Go 1.21.5 to 1.21.6
• goreleaser v1.22.1 to v1.23.0
• go.mod

v2.21.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.2...v2.21.3

Bug Fixes

#​2585 #​2586 Update checksums of cosign

v2.21.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.1...v2.21.2

⚠️ This release has a bug

The bug was already fixed at v2.21.3

Others

#​2582 Fix a bug of release workflow

v2.21.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.0...v2.21.1

⚠️ The release failed

https://github.com/aquaproj/aqua/actions/runs/7260967360/job/19781204828#step:10:147

  ⨯ release failed after 2m26s               error=1 error occurred:
	* scoop manifests: could not update "aqua.json": PUT https://api.github.com/repos/aquaproj/scoop-bucket/contents/aqua.json: 403 Resource not accessible by integration []

We fixed the bug and release v2.21.2.

Bug Fixes

#​2534 Fix a bug of root dir on Windows
#​2580 #​2581 Fix a bug that validation fails even if no_asset or error_message is set https://github.com/aquaproj/aqua-registry/pull/18326#issuecomment-1862164476

v2.21.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.20.0...v2.21.0

Features

#​2517 #​2518 perf: Convert Standard Registry and github_content Registries from YAML to JSON when installing them

This update improves the performance to read Registries.
Stanard registry is a huge YAML file over 30,000 lines so it has a little overhead to read it.
By this update, aqua converts Standard Registry and github_content Registries from YAML to JSON.
JSON format decreases the overhead.
aqua converts them internally, so we don't need to do anything.

v2.20.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.19.0...v2.20.0

Features

#​2514 #​2515 Add a field windows_arm_emulation for Windows ARM Emulation

ARM based Windows 11 supports the emulation to run x64 Windows apps.

https://learn.microsoft.com/en-us/windows/arm/add-arm-support#emulation-on-arm-based-devices-for-x86-or-x64-windows-apps

Windows 11 extends that emulation to run unmodified x64 Windows apps on Arm-powered devices.

If the field windows_arm_emulation is true, aqua uses pre built binaries for Windows amd64 on Windows arm64. windows_arm_emulation must be boolean. By default, windows_arm_emulation is false.

windows_arm_emulation is similar with rosetta2.

v2.19.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.18.0...v2.19.0

Features

#​2506 #​2507 which: Add the command line option --version

e.g.

$ aqua which --version yq
v4.40.2

Bug Fixes

#​2508 #​2512 Fix a bug of bash scripts for Git Bash

https://www.shellcheck.net/wiki/SC2086

Bash scripts generated by aqua had a bug that command line arguments having spaces were separated to multiple arguments incorrectly.

$  curl -sSfL https://jsonplaceholder.typicode.com/todos | jq '.[] | .id'
jq: error: Could not open file |: Invalid argument
jq: error: Could not open file .id: No such file or directory

v2.18.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.17.4...v2.18.0

Features

#​2494 update: Support specifying new package versions

e.g.

aqua up [email protected]

#​2461 Add debug logs of update and generate commands @​dreamjz

Bug Fixes

#​2493 #​2495 generate-registry: Fix the pagination of GitHub API List Releases

v2.17.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.17.3...v2.17.4

Others

#​2401 #​2483 Release aqua to Winget 🎉

https://github.com/microsoft/winget-pkgs/pull/127174

v2.17.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.17.2...v2.17.3

Bug Fixes 🐞

#​2476 #​2479 policy: fix a bug that the Git Repository root's policy file doesn't work well in working trees

Others

#​2470 #​2472 Replace the third party library github.com/codingsince1985/checksum with standard libraries

This library caused the bug #​2467 and we can replace the library with standard libraries easily.
We should use standard libraries as much as possible.

#​2473 Revert #​2469

#​2469 was required to resolve #​2467 , but #​2467 was resolved by #​2472 so #​2469 is unnecessary anymore.

https://github.com/aquaproj/aqua/pull/2472#issuecomment-1812023515

v2.17.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.17.1...v2.17.2

Bug Fixes

#​2457 #​2458 update: Fix a panic when trying to update commands unmanaged by aqua @​dreamjz
#​2468 policy init: Fix typo in CLI output @​ka2n
#​2467 #​2469 update-checksum: Copy an asset to a temporal file to calculate the checksum correctly

update-checksum: Copy an asset to a temporal file to calculate the checksum correctly

#​2467 #​2469

This fixes a bug that the checksum verification of aws/aws-cli fails because the expected checksum of aws/aws-cli is wrong.

If you face the issue already, please remove checksums of aws/aws-cli from aqua-checksums.json and run aqua update-checksum with aqua v2.17.2 or newer.

aqua-checksums.json

    // Delete this element
    {
      "id": "http/awscli.amazonaws.com/AWSCLIV2-2.13.35.pkg",
      "checksum": "520E1CB49004ECED7DB1CFE70E6FA73EFC6EDDF1CDB38AF535D126F1DB6574C8",
      "algorithm": "sha256"
    },

🎉 New Contributors

Thank you for your contribution!

@​ka2n #​2468

v2.17.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.17.0...v2.17.1

Bug Fixes 🐞

#​2456 generate-registry: Fix a bug that the order of versions in pkg.yaml is wrong

v2.17.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.16.4...v2.17.0

Features

#​2355 #​2447 Limit the number of versions retrieved by command generate and update @​dreamjz

With aqua v2.16.4 or earlier, aqua generate -s and aqua update -s retrieved all versions and these commands couldn't change the number of versions.
This release adds the command line option --limit/-l to these commands.
The value of this option is the number of versions.
The default value is 30.
If the value is less than zero, all versions are retrieved.

This change would reduced useless GitHub API calls and make these commands faster.

e.g.

aqua g -s # Retrieve 30 versions
aqua g -s -l 10 # Retrieve 10 versions
aqua g -s -l -1 # Retrieve all versions

#​2445 Change the default checksum algorithm from sha512 to sha256

sha256 is enough.
We don't need to use sha512.

#​2428 Add an alias of update-checksum command

aqua upc

#​2105 #​2425 #​2413 generate-registry: Improve the format of version_overrides and improve the logic to generate version_overrides

Bug Fixes 🐞

#​2444 generate-registry: Fix checksum filename for sha1

Others

#​2436 chore(deps): update dependency slsa-framework/slsa-verifier to v2.4.1
#​2395 change the format of prebuilt binaries for Windows to zip

Before:

aqua_windows_amd64.tar.gz
aqua_windows_arm64.tar.gz

After:

aqua_windows_amd64.zip
aqua_windows_arm64.zip

On Windows zip is more user friendly than tar.gz.
And to support Winget for Windows, it seems we need to change the format to zip.

• https://github.com/aquaproj/aqua/issues/2401

  • winget
  ⨯ release failed after 1m11s               error=no zip archives found matching goos=[windows] goarch=[amd64 386] goamd64=v1 ids=[]
Error: Process completed with exit code 1.

⚠️ To upgrade aqua to v2.17.0 or newer on Windows, you need to upgrade aqua to v2.16.1 ~ v2.16.4 once.

e.g.

aqua upa v2.16.4
aqua upa

New Contributors 🎉

Thank you for your contribution!

@​dreamjz #​2447

v2.16.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.16.3...v2.16.4

Bug Fixes

#​2420 generate-registry: Get latest versions of cargo packages

v2.16.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.16.2...v2.16.3

Bug Fixes

#​2414 #​2415 fix a bug that AQUA_DISABLE_POLIDY doesn't work
#​2412 generate-registry: Improve the judgement of OS by file extensions such as .exe, .pkg, and .dmg

Others

Refactoring

---

Configuration

📅 Schedule: Branch creation - "before 10am on the first day of the month" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.