DO NOT MERGE: Testing https://github.com/containers/image/pull/2636

[mtrmac]

Does this PR introduce a user-facing change?

None

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [mtrmac]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[mtrmac]

For transparency, note the “HACK DO NOT MERGE: Skip testing on F40” commit.

[Luap99]

@mtrmac We cannot bump go versions so aggressively, should we add fedora -1 tests to c/common,image,storage to prevent bumps that cannot be build later down in the stack?

I have hopes that this specific instance may get fixed with sigstore/sigstore#1878 but then again any dependency can introduce a bump so I feel like we must guard against that early

[mtrmac]

@Luap99 Yes, this is now a problem.

Historically, the Go patch version bumps typically included a vulnerability fix, which meant that Fedora would update quickly. That hasn’t now been the case in Go 1.22.{7,8}.

I don’t feel strongly about automation forcing us to build on Fedora N-1. On the one hand, it would certainly prevent inconvenience like this, OTOH it might delay us from making updates (e.g. updates of dependencies fixing vulnerabilities) until a Fedora Go RPM lands in the stable stream.

Let’s see how the sigstore PR fares; in the worst case we can downgrade the sigstore dependency in c/image (and others?) at the last moment, on a short notice.

[mtrmac]

The c/image PR was merged.