From b21da8c34975ed0ac9bb67786096b03bf641e844 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Mon, 25 May 2026 21:07:59 -0400 Subject: [PATCH 1/5] Use alpine based builder Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 3 +-- Dockerfile | 5 ----- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 78d4a74..f456866 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -105,12 +105,11 @@ jobs: docker buildx build \ --builder container \ --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \ - --platform "linux/${{ matrix.arch }}" \ --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \ - --build-arg "from_build=rust:${{ inputs.rust-version }}" \ + --build-arg "from_build=rust:${{ inputs.rust-version }}-alpine" \ --label org.opencontainers.image.authors="Bytecode Alliance " \ --label org.opencontainers.image.base.digest="${{ needs.preflight.outputs.base-digest }}" \ --label org.opencontainers.image.base.name="${{ needs.preflight.outputs.base }}" \ diff --git a/Dockerfile b/Dockerfile index 09688b3..3dab9c1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,13 +2,9 @@ ARG from_build from_base FROM ${from_build} AS build ARG wasmtime_crate wasmtime_git_rev RUN \ - apt-get update ; \ - apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y ; \ - rustup target add $(arch)-unknown-linux-musl ; \ cargo install --locked cargo-auditable ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo auditable install \ - --target "$(arch)-unknown-linux-musl" \ --git https://github.com/bytecodealliance/wasmtime.git \ --rev "${wasmtime_git_rev}" \ --locked \ 
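Review bot: The builder image in `--build-arg "from_build=rust:${{ inputs.rust-version }}-alpine"` is selected by a mutable tag, while `from_base` on the line above it is passed as `name@digest`. The toolchain in that image compiles the released binary, so a re-pushed tag can change the output without any change in this repository. Resolving the tag in preflight the same way as the base (`crane digest` on the `rust:` reference) and passing `rust:<tag>@<digest>` would close that gap; the `from_build` line rewritten in PATCH 5/5 has the same issue. Separately, this hunk drops `--platform` while the output file is still named after `matrix.arch`; unless every matrix entry runs on a runner of that architecture (not visible here), the tarball name and the image architecture can diverge.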
@@ -16,7 +12,6 @@ RUN \ ; \ else \ cargo auditable install \ - --target "$(arch)-unknown-linux-musl" \ --locked \ wasmtime-cli@${wasmtime_crate} \ ; \ From 03fe6b40b3af258a1b64ea36f98ac1a32904aa92 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 26 May 2026 10:28:52 -0400 Subject: [PATCH 2/5] Back off platform changes Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 1 + Dockerfile | 2 ++ 2 files changed, 3 insertions(+) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f456866..b771d6f 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -105,6 +105,7 @@ jobs: docker buildx build \ --builder container \ --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \ + --platform "linux/${{ matrix.arch }}" \ --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ diff --git a/Dockerfile b/Dockerfile index 3dab9c1..c8a0269 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,7 @@ RUN \ cargo install --locked cargo-auditable ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo auditable install \ + --target "$(arch)-unknown-linux-musl" \ --git https://github.com/bytecodealliance/wasmtime.git \ --rev "${wasmtime_git_rev}" \ --locked \ @@ -12,6 +13,7 @@ RUN \ ; \ else \ cargo auditable install \ + --target "$(arch)-unknown-linux-musl" \ --locked \ wasmtime-cli@${wasmtime_crate} \ ; \ From fc1922a91fbd302cee37445dfcdd05517801aa21 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 26 May 2026 11:36:05 -0400 Subject: [PATCH 3/5] Pin cargo-auditable version Use dependabot to manage updates. 
Signed-off-by: Scott Andrews --- .github/dependabot.yml | 6 + .github/workflows/publish.yaml | 6 + Dockerfile | 4 +- versions/cargo-auditable/Cargo.lock | 310 ++++++++++++++++++++++++++++ versions/cargo-auditable/Cargo.toml | 8 + versions/cargo-auditable/src/lib.rs | 0 6 files changed, 332 insertions(+), 2 deletions(-) create mode 100644 versions/cargo-auditable/Cargo.lock create mode 100644 versions/cargo-auditable/Cargo.toml create mode 100644 versions/cargo-auditable/src/lib.rs diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 353fe8f..28bdb37 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,12 @@ updates: directory: "/" schedule: interval: daily +- package-ecosystem: cargo + directory: "/versions/cargo-auditable" + allow: + - dependency-name: "cargo-auditable" + schedule: + interval: daily - package-ecosystem: cargo directory: "/versions/stable" allow: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index b771d6f..f14bbc5 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -56,6 +56,7 @@ jobs: base: ${{ steps.existing.outputs.base }} base-digest: ${{ steps.existing.outputs.base-digest }} wasmtime-commit-date: ${{ steps.existing.outputs.wasmtime-commit-date }} + cargo-auditable-version: ${{ steps.existing.outputs.cargo-auditable-version }} steps: - uses: actions/checkout@v6 - name: Install crane @@ -75,6 +76,10 @@ jobs: wasmtime_commit_date="$(gh api "repos/bytecodealliance/wasmtime/commits/${{ inputs.wasmtime-git-sha }}" --template '{{.commit.committer.date}}')" echo "wasmtime-commit-date=${wasmtime_commit_date}" | tee -a "${GITHUB_OUTPUT}" + + cargo_auditable_version="$(cd versions/cargo-auditable ; yq -p toml -oj -r '.package[] | select(.name == "cargo-auditable") | .version' Cargo.lock)" + echo "cargo-auditable-version=${cargo_auditable_version}" | tee -a "${GITHUB_OUTPUT}" + env: GH_TOKEN: ${{ github.token }} 
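Review bot: The new `cargo_auditable_version="$(… yq … Cargo.lock)"` assignment writes whatever `yq` prints straight to `GITHUB_OUTPUT`, and a `select` that matches nothing normally prints an empty string with exit status 0. An empty value would reach the Dockerfile as `cargo-auditable@`, and the build should not depend on how cargo treats a missing version there. A guard right after the assignment, `[ -n "${cargo_auditable_version}" ] || { echo "cargo-auditable version not found in Cargo.lock" >&2 ; exit 1 ; }`, fails the run in preflight instead; the Dockerfile hunk of this patch can mirror it with `"cargo-auditable@${cargo_auditable_version:?}"`. The step's script starts above this hunk.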
@@ -109,6 +114,7 @@ jobs: --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ + --build-arg "cargo_auditable_version=${{ needs.preflight.outputs.cargo-auditable-version }}" \ --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \ --build-arg "from_build=rust:${{ inputs.rust-version }}-alpine" \ --label org.opencontainers.image.authors="Bytecode Alliance " \ diff --git a/Dockerfile b/Dockerfile index c8a0269..e5ed6ec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ ARG from_build from_base FROM ${from_build} AS build -ARG wasmtime_crate wasmtime_git_rev +ARG wasmtime_crate wasmtime_git_rev cargo_auditable_version RUN \ - cargo install --locked cargo-auditable ; \ + cargo install --locked "cargo-auditable@${cargo_auditable_version}" ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo auditable install \ --target "$(arch)-unknown-linux-musl" \ diff --git a/versions/cargo-auditable/Cargo.lock b/versions/cargo-auditable/Cargo.lock new file mode 100644 index 0000000..880967c --- /dev/null +++ b/versions/cargo-auditable/Cargo.lock 
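Review bot: The rewritten `cargo install --locked "cargo-auditable@${cargo_auditable_version}" ; \` line is still joined to the rest of the `RUN` with `;`, so a failed install of the pinned tool does not stop the script at that point and only the exit status of the final `if` decides whether the layer fails. Starting the script with `set -e ; \` (or joining the steps with `&&`) makes each step fail where it breaks, which keeps the error next to its cause. The `apk add mimalloc ; \` line added in PATCH 4/5 has the same shape, and a failed install there could go unnoticed. The `RUN` instruction continues past the end of this hunk.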
@@ -0,0 +1,310 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 4 + +[[package]] +name = "adler2" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" + +[[package]] +name = "auditable-serde" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d026218ae25ba5c72834245412dd1338f6d270d2c5109ee03a4badec288d4056" +dependencies = [ + "semver", + "serde", + "serde_json", + "topological-sort", +] + +[[package]] +name = "byteorder" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fc10e8cc6b2580fda3f36eb6dc5316657f812a3df879a44a66fc9f0fdbc4855" + +[[package]] +name = "camino" +version = "1.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" +dependencies = [ + "serde_core", +] + +[[package]] +name = "cargo-auditabl" +version = "0.1.0" +dependencies = [ + "cargo-auditable", +] + +[[package]] +name = "cargo-auditable" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c30906ad94da619129898d934bdaa6264e947a59d575e7e4c70194e95d4d633d" +dependencies = [ + "auditable-serde", + "cargo_metadata", + "miniz_oxide", + "object", + "pico-args", + "serde", + "serde_json", + "wasm-gen", +] + +[[package]] +name = "cargo-platform" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd0061da739915fae12ea00e16397555ed4371a6bb285431aab930f61b0aa4ba" +dependencies = [ + "serde", + "serde_core", +] + +[[package]] +name = "cargo_metadata" +version = "0.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef987d17b0a113becdd19d3d0022d04d7ef41f9efe4f3fb63ac44ba61df3ade9" +dependencies = [ + "camino", + "cargo-platform", 
+ "semver", + "serde", + "serde_json", + "thiserror", +] + +[[package]] +name = "cfg-if" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" + +[[package]] +name = "crc32fast" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + +[[package]] +name = "foldhash" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" + +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash", +] + +[[package]] +name = "hashbrown" +version = "0.17.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a" + +[[package]] +name = "indexmap" +version = "2.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9" +dependencies = [ + "equivalent", + "hashbrown 0.17.1", +] + +[[package]] +name = "itoa" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682" + +[[package]] +name = "leb128" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6cc46bac87ef8093eed6f272babb833b6443374399985ac8ed28471ee0918545" + +[[package]] +name = "memchr" 
+version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" + +[[package]] +name = "miniz_oxide" +version = "0.8.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316" +dependencies = [ + "adler2", +] + +[[package]] +name = "object" +version = "0.37.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe" +dependencies = [ + "crc32fast", + "hashbrown 0.15.5", + "indexmap", + "memchr", +] + +[[package]] +name = "pico-args" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315" + +[[package]] +name = "proc-macro2" +version = "1.0.106" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "semver" +version = "1.0.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd" +dependencies = [ + "serde", + "serde_core", +] + +[[package]] +name = "serde" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" +dependencies = [ + "serde_core", + "serde_derive", +] + +[[package]] +name = "serde_core" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.150" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e8014e44b4736ed0538adeecded0fce2a272f22dc9578a7eb6b2d9993c74cfb9" +dependencies = [ + "itoa", + "memchr", + "serde", + "serde_core", + "zmij", +] + +[[package]] +name = "syn" +version = "2.0.117" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "thiserror" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "topological-sort" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea68304e134ecd095ac6c3574494fc62b909f416c4fca77e440530221e549d3d" + +[[package]] +name = "unicode-ident" +version = "1.0.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" + +[[package]] +name = "wasm-gen" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"b854b1461005a7b3365742310f7faa3cac3add809d66928c64a40c7e9e842ebb" +dependencies = [ + "byteorder", + "leb128", +] + +[[package]] +name = "zmij" +version = "1.0.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" diff --git a/versions/cargo-auditable/Cargo.toml b/versions/cargo-auditable/Cargo.toml new file mode 100644 index 0000000..6fe88db --- /dev/null +++ b/versions/cargo-auditable/Cargo.toml @@ -0,0 +1,8 @@ +[package] +name = "cargo-auditable-version" +version = "0.1.0" +edition = "2024" + +[dependencies] +cargo-auditable = "=0.7.4" + diff --git a/versions/cargo-auditable/src/lib.rs b/versions/cargo-auditable/src/lib.rs new file mode 100644 index 0000000..e69de29 From c64c98b84132d7abf8178d28c5324e3ca172b934 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 26 May 2026 12:04:42 -0400 Subject: [PATCH 4/5] try mimalloc Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 1 - Dockerfile | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f14bbc5..fe267e5 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -110,7 +110,6 @@ jobs: docker buildx build \ --builder container \ --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \ - --platform "linux/${{ matrix.arch }}" \ --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ diff --git a/Dockerfile b/Dockerfile index e5ed6ec..e828c73 100644 --- a/Dockerfile +++ b/Dockerfile 
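Review bot: `versions/cargo-auditable/Cargo.toml` names the package `cargo-auditable-version`, but the root entry in the committed `Cargo.lock` is `cargo-auditabl` 0.1.0, so the lockfile appears to have been generated for a different manifest. A `--locked` cargo invocation in that directory should reject it, and the first Dependabot update will rewrite the entry; regenerating the lockfile now keeps the pin and its checksums reviewable as one consistent unit. Since the crate seems to exist only to carry a version for Dependabot and `publish.yaml` (its `src/lib.rs` is empty), a header comment would help: `# Version-tracking stub: Dependabot bumps this pin and publish.yaml reads the resolved version from Cargo.lock.`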
@@ -2,10 +2,11 @@ ARG from_build from_base FROM ${from_build} AS build ARG wasmtime_crate wasmtime_git_rev cargo_auditable_version RUN \ + apk add mimalloc ; \ + export LD_PRELOAD=/usr/lib/libmimalloc.so ; \ cargo install --locked "cargo-auditable@${cargo_auditable_version}" ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo auditable install \ - --target "$(arch)-unknown-linux-musl" \ --git https://github.com/bytecodealliance/wasmtime.git \ --rev "${wasmtime_git_rev}" \ --locked \ @@ -13,7 +14,6 @@ RUN \ ; \ else \ cargo auditable install \ - --target "$(arch)-unknown-linux-musl" \ --locked \ wasmtime-cli@${wasmtime_crate} \ ; \ From 3a537f3fec8b674e0bc264d90f17c281c24d5116 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 26 May 2026 12:27:07 -0400 Subject: [PATCH 5/5] use glibc Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 4 ++-- Dockerfile | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index fe267e5..b1d0301 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -69,7 +69,7 @@ jobs: digest="$(crane digest "${{ env.image }}" || echo -n '')" echo "digest=${digest}" | tee -a "${GITHUB_OUTPUT}" - base="cgr.dev/chainguard/static:latest" + base="cgr.dev/chainguard/glibc-dynamic:latest" echo "base=${base}" | tee -a "${GITHUB_OUTPUT}" base_digest="$(crane digest "${base}")" echo "base-digest=${base_digest}" | tee -a "${GITHUB_OUTPUT}" 
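Review bot: `apk add mimalloc` installs whatever version the Alpine repository serves at build time, and `export LD_PRELOAD=/usr/lib/libmimalloc.so` then loads it into every later process in this `RUN`: cargo, rustc and the build scripts of all dependencies. That puts an unpinned, unrecorded library inside the toolchain that produces the release binary, which works against the digest pinning and `SOURCE_DATE_EPOCH` used in the workflow. If the experiment is kept, pin the package (`apk add --no-cache mimalloc=<PINNED_VERSION>`) and set the preload only for the command that needs it; PATCH 5/5 removes both lines. The `RUN` instruction starts inside this hunk and ends outside it.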
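Review bot: Switching `base` to `cgr.dev/chainguard/glibc-dynamic:latest` makes the runtime image depend on shared libraries that nothing in the visible workflow checks against the binary. With the `from_build` change in the same patch the binary is presumably linked against the builder image's glibc, so it only starts if the base image's glibc is at least as new and every other shared object it needs is present. A post-build check, such as running the binary's `--version` from the built image or inspecting its dynamic dependencies, would catch a mismatch before publishing. The digest is still resolved with `crane digest` on the following line, so the base stays pinned; the image now also ships glibc, which widens what a vulnerability scan of the published image has to cover.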
@@ -115,7 +115,7 @@ jobs: --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ --build-arg "cargo_auditable_version=${{ needs.preflight.outputs.cargo-auditable-version }}" \ --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \ - --build-arg "from_build=rust:${{ inputs.rust-version }}-alpine" \ + --build-arg "from_build=rust:${{ inputs.rust-version }}" \ --label org.opencontainers.image.authors="Bytecode Alliance " \ --label org.opencontainers.image.base.digest="${{ needs.preflight.outputs.base-digest }}" \ --label org.opencontainers.image.base.name="${{ needs.preflight.outputs.base }}" \ diff --git a/Dockerfile b/Dockerfile index e828c73..5661f1d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,8 +2,6 @@ ARG from_build from_base FROM ${from_build} AS build ARG wasmtime_crate wasmtime_git_rev cargo_auditable_version RUN \ - apk add mimalloc ; \ - export LD_PRELOAD=/usr/lib/libmimalloc.so ; \ cargo install --locked "cargo-auditable@${cargo_auditable_version}" ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo auditable install \