chore(deps): bump the go group across 1 directory with 11 updates - r…

…ecreaion of #956 (#959)

github seems to have some hickups and doesn't reflect latest changes on
branch 'dependabot/go_modules/go-bf3991935e'

so this PR is a recreation of:
#956

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/config/wordlist.txt

@@ -35,6 +35,7 @@ closable
 closeable
 cmds
 cncf
+codeowners
 codeql
 commontransportarchive
 componentaccess
@@ -142,6 +143,7 @@ installable
 instantiation
 io
 ioutils
+ipcei
 iterable
 json
 jsonschema
@@ -201,12 +203,14 @@ ocmconfig
 oncefunc
 oo
 oras
+oras
 os
 outputspecification
-PackageIdentifier
-PackageName
+overwritable
+packageidentifier
+packagename
 packagespec
-PackageVersion
+packageversion
 parameterization
 pendingdeprecationwarning
 pflag
@@ -245,7 +249,7 @@ semver
 sequent
 serializable
 sha
-ShortDescription
+shortdescription
 signingserver
 sigstore
 simplemapmerge
@@ -274,6 +278,7 @@ toolset
 transportarchive
 typehandler
 typename
+unmarshaller
 unmodifiable
 untrusted
 updatevendorhash
@@ -293,6 +298,7 @@ versionedtypedobjects
 walkthrough
 wget
 winget
+wingetcreate
 xml
 yaml
 yitsushi

api/utils/dirtree/tar.go

@@ -7,7 +7,6 @@ import (
 	"path"
 
 	"github.com/mandelsoft/goutils/errors"
-	"github.com/mandelsoft/vfs/pkg/vfs"
 )
 
 func NewTarDirNode(ctx Context, tr *tar.Reader) (*DirNode, error) {
@@ -42,7 +41,7 @@ func NewTarDirNode(ctx Context, tr *tar.Reader) (*DirNode, error) {
 				return nil, fmt.Errorf("file %s: %w", header.Name, err)
 			}
 		case tar.TypeReg:
-			_, err := createFile(d, header.Name, vfs.FileMode(header.Mode), header.Size, tr)
+			_, err := createFile(d, header, tr)
 			if err != nil {
 				return nil, fmt.Errorf("file %s: %w", header.Name, err)
 			}

api/utils/dirtree/utils.go

@@ -1,24 +1,29 @@
 package dirtree
 
 import (
+	"archive/tar"
 	"fmt"
 	"io"
+	"math"
 	"path"
 	"strings"
 
 	"github.com/mandelsoft/vfs/pkg/vfs"
 )
 
-func createFile(d *DirNode, p string, mode vfs.FileMode, size int64, r io.Reader) (*FileNode, error) {
-	dir := path.Dir(p)
-	name := path.Base(path.Clean(p))
+func createFile(d *DirNode, header *tar.Header, r io.Reader) (*FileNode, error) {
+	dir := path.Dir(header.Name)
+	name := path.Base(path.Clean(header.Name))
 	d, err := lookupDir(d, dir, true)
 	if err != nil {
 		return nil, err
 	}
-	n, err := NewFileNode(d.ctx, mode, size, r)
+	if header.Mode < 0 || header.Mode > math.MaxUint32 {
+		return nil, fmt.Errorf("file %s: mode %d out of range for uint32", header.Name, header.Mode)
+	}
+	n, err := NewFileNode(d.ctx, vfs.FileMode(header.Mode), header.Size, r) //nolint:gosec // disable G115
 	if err == nil {
-		d.AddNode(name, n)
+		err = d.AddNode(name, n)
 	}
 	return n, err
 }

api/utils/tarutils/extract.go

@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"fmt"
 	"io"
+	"math"
 
 	"github.com/mandelsoft/goutils/errors"
 	"github.com/mandelsoft/vfs/pkg/osfs"
@@ -87,9 +88,14 @@ func ExtractTarToFsWithInfo(fs vfs.FileSystem, in io.Reader) (fcnt int64, bcnt i
 			return fcnt, bcnt, err
 		}
 
+		if header.Mode < 0 || header.Mode > math.MaxUint32 {
+			return fcnt, bcnt, fmt.Errorf("file %s: mode %d out of range for uint32", header.Name, header.Mode)
+		}
+		fileMode := vfs.FileMode(header.Mode) //nolint:gosec // disable G115
+
 		switch header.Typeflag {
 		case tar.TypeDir:
-			if err := fs.MkdirAll(header.Name, vfs.FileMode(header.Mode)); err != nil {
+			if err := fs.MkdirAll(header.Name, fileMode); err != nil {
 				return fcnt, bcnt, fmt.Errorf("unable to create directory %s: %w", header.Name, err)
 			}
 		case tar.TypeSymlink, tar.TypeLink:
@@ -107,7 +113,7 @@ func ExtractTarToFsWithInfo(fs vfs.FileSystem, in io.Reader) (fcnt int64, bcnt i
 			if err := fs.MkdirAll(dir, 0o766); err != nil {
 				return fcnt, bcnt, fmt.Errorf("unable to create directory %s: %w", dir, err)
 			}
-			file, err := fs.OpenFile(header.Name, vfs.O_WRONLY|vfs.O_CREATE|vfs.O_TRUNC, vfs.FileMode(header.Mode))
+			file, err := fs.OpenFile(header.Name, vfs.O_WRONLY|vfs.O_CREATE|vfs.O_TRUNC, fileMode)
 			if err != nil {
 				return fcnt, bcnt, fmt.Errorf("unable to open file %s: %w", header.Name, err)
 			}
@@ -116,7 +122,7 @@ func ExtractTarToFsWithInfo(fs vfs.FileSystem, in io.Reader) (fcnt int64, bcnt i
 			// archive can be an image layer and that can even reach the gigabyte range.
 			// For now, we acknowledge the risk.
 			//
-			// We checked other softwares and tried to figure out how they manage this,
+			// We checked other software and tried to figure out how they manage this,
 			// but it's handled the same way.
 			if _, err := io.Copy(file, tr); err != nil {
 				return fcnt, bcnt, fmt.Errorf("unable to copy tar file to filesystem: %w", err)

docs/releasenotes/v0.16.0.md

@@ -1,25 +1,25 @@
 # Release v0.16.0
 
 - Support standard object types for command plugins + options for templater types (#958)
-- feat: add function to satisfy accessMethodView interface (#955)
+- feat: add function to satisfy access-Method-View interface (#955)
 - CLI:  fix recursive mode for ocm hash component (#954)
 - OCI: prefer digest over tag (#953)
 - fix: docker registry returning internal server error on blobs not found (#950)
-- fix + doc for VerifyResourceDigest (#946)
+- fix + doc for Verify-Resource-Digest (#946)
 - Adjust verify digest again (#945)
 - Add a simpler digest verify function (#943)
 - [chore] fix: publish release (#940)
 - Fix/publish release (#939)
-- feat: replace docker with oras (#904)
-- feat: add gav matching and overwritable mediatype for file types (#932)
+- feat: replace docker with ORAS (#904)
+- feat: add gav matching and overwritable media type for file types (#932)
 - fix: some weird maven repositories do return bad index-of listings (#938)
 - Release process documentation (#931)
 - some fixes and alignments (#934)
 - Update CODEOWNERS (#933)
 - fix busy text file during plugin installation (#929)
-- Custom Unmarshaler for Consumer Identity (#927)
+- Custom Unmarshaller for Consumer Identity (#927)
 - Documentation: \`If the option ...\` (#928)
-- feat: automatically label all issues with ipcei (#923)
+- feat: automatically label all issues with IPCEI (#923)
 
 ## 🐛 Bug Fixes
 
@@ -31,10 +31,12 @@
 <details>
 <summary>5 changes</summary>
 
-- chore(deps): bump the ci group across 1 directory with 3 updates (#957)
+- chore(dependencies): bump the ci group across 1 directory with 3 updates (#957)
 - Bump the go group with 7 updates (#941)
 - Bump the go group with 9 updates (#936)
 - Bump the go group with 13 updates (#925)
-- Bump DeterminateSystems/nix-installer-action from 13 to 14 in the ci group (#926)
-</details>
+- Bump Determinate Systems/nix-installer-action from 13 to 14 in the ci group (#926)
+
+-
 
+</details>

examples/lib/tour/01-getting-started/README.md

@@ -168,32 +168,32 @@ differ, because the code always describes the latest version):
 
 ```text
 resources of the latest version:
-  version:  0.15.0
+  version:  0.16.0
   provider: ocm.software
    1: name:           ocmcli
       extra identity: "architecture"="amd64","os"="linux"
       resource type:  executable
-      access:         Local blob sha256:e337369669efecc54ed115e1f7425ec104064daabed5646a00a9d850b76fbf53[]
+      access:         Local blob sha256:8477c859ef75d752db78d996db361093153fe63420175cb8eadc2b8fa321ad9d[]
    2: name:           ocmcli
       extra identity: "architecture"="arm64","os"="linux"
       resource type:  executable
-      access:         Local blob sha256:507457eeafe998febe157e9868c04b87fbaa6021c7e3327003ba9caeda7ac7fe[]
+      access:         Local blob sha256:15063be2188d0f5ad4cc21ddf58f6ca1ddb74238826a6de6cc9e7436397e8b11[]
    3: name:           ocmcli
       extra identity: "architecture"="arm64","os"="darwin"
       resource type:  executable
-      access:         Local blob sha256:05fbbdca90316b267cedf67849fc5d0fa9076f72272b01f77434b2ffc079c1a1[]
+      access:         Local blob sha256:cdeb8bcd6ff6a9270ae9fbc3f0b3534bb97c08907346508162c31849f49fb32d[]
    4: name:           ocmcli
       extra identity: "architecture"="amd64","os"="darwin"
       resource type:  executable
-      access:         Local blob sha256:d15c720b33fd70da728dd0264e855b0d3ea3e4a7b129a5f97b5ca8584c6038d0[]
+      access:         Local blob sha256:41816674edf557b4c14fac2c2179c13ae3f6252930738c95cedd30032fe0544e[]
    5: name:           ocmcli
       extra identity: "architecture"="amd64","os"="windows"
       resource type:  executable
-      access:         Local blob sha256:11aa1f6dcbac554dc3c5830812ad5e6044d715126d1b34c6986c6b530cb2c783[]
+      access:         Local blob sha256:a4a792802c6e5ba32393e42dd704c8f59949db76da78439534d6c0ec02b202ec[]
    6: name:           ocmcli-image
       extra identity: 
       resource type:  ociImage
-      access:         OCI artifact ghcr.io/open-component-model/ocm/ocm.software/ocmcli/ocmcli-image:0.15.0
+      access:         OCI artifact ghcr.io/open-component-model/ocm/ocm.software/ocmcli/ocmcli-image:0.16.0@sha256:3e1f4ffdb18f07d17ff949bd82d2193283947aabfd5aab562576b8df59d653d2
 ```
 
 Resources have some metadata, like their identity and a resource type.

flake.nix

@@ -2,7 +2,8 @@
   description = "Nix flake for ocm";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; # doesn
   };
 
   outputs = { self, nixpkgs, ... }:
@@ -27,14 +28,14 @@
           inherit (pkgs) stdenv lib ;
         in
         {
-          ${pname} = pkgs.buildGo122Module rec {
+          ${pname} = pkgs.buildGoModule.override { go = pkgs.go_1_23; } rec {
             inherit pname self;
             version = lib.fileContents ./VERSION;
             gitCommit = if (self ? rev) then self.rev else self.dirtyRev;
             state = if (self ? rev) then "clean" else "dirty";
 
-            # This vendorHash represents a dervative of all go.mod dependancies and needs to be adjusted with every change
-            vendorHash = "sha256-p5Edm9XqifVFq7KbSPj16p+OvpQl+n+5rEdkdo79OTo=";
+            # This vendorHash represents a derivative of all go.mod dependencies and needs to be adjusted with every change
+            vendorHash = "sha256-pfnq3+5xmybYvevMrWOP2UmMnN1lApTcq/oaq91Yrs0=";
 
             src = ./.;
 
@@ -85,7 +86,7 @@
         {
           default = pkgs.mkShell {
             buildInputs = with pkgs; [
-              go_1_22   # golang 1.22
+              go_1_23   # golang 1.23
               gopls     # go language server
               gotools   # go imports
               go-tools  # static checks