Merge origin/main into delivery-kit/main #80

Merged
alexey-igrychev merged 80 commits into main from delivery-kit-main
Apr 22, 2026
alexey-igrychev (Collaborator) commented Apr 21, 2026

Summary

Merge upstream werf/werf main branch into delivery-kit/main, incorporating 74 commits. Fix werf verify crash caused by missing --docker-config flag registration.

Key changes

  • Merge 74 upstream commits from origin/main
  • Resolve conflicts across CI workflows, docs, go.mod, and source files
  • Uncomment common.SetupDockerConfig(...) in cmd/werf/verify/verify.go — the call was commented out but required by InitDockerRegistry: true in runMain, causing a nil pointer dereference on *opts.Cmd.DockerConfig

Why

werf verify panics at runtime because InitCommonComponents with InitDockerRegistry: true dereferences DockerConfig, which is never allocated without SetupDockerConfig. Every other command that uses InitDockerRegistry or InitProcessContainerBackend properly calls SetupDockerConfig; verify was the only inconsistency.

Conflict resolutions

| Area | Resolution |
| --- | --- |
| 7 CI workflows (docs, registry cleanup, test cr) | Kept deleted per delivery-kit |
| 3 CI workflows (issues, test_daily, tests) | Kept delivery-kit versions with custom runners |
| CHANGELOG.md | Combined both sets of entries |
| Docs (EN/RU build/process.md) | Kept both SBOM + envfile/build-report sections |
| go.mod (nelm) | Upgraded to origin's v1.23.3, merged all indirect deps |
| buildah_backend.go | Kept both SBOM + lchown/extractTar functions |
| legacy_stage_image.go | Used origin's improved GetID() with digest fallback |
| stages_storage.go | Added new error sentinels (existing ones kept in errors.go) |
| Test files | Combined both test sets |
| sbom commands | Fixed CreateDockerRegistry signature for new param |

Review focus / risks

  • cmd/werf/verify/verify.go:73 — the only code change beyond the merge; verify that no other Setup* calls need uncommenting (audited: remaining commented-out calls correspond to disabled InitCommonComponentsOptions, so they are consistent)
  • Large merge — review conflict resolutions in CI workflows and go.mod for correctness
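
The failure mode described in this PR, reduced to a stand-alone model (an added example, not code from werf or from the PR author). `CmdData`, `InitOptions`, `ErrFlagNotRegistered` and `run` are hypothetical names; the nil check in `InitCommonComponents` is an assumed hardening, shown so that a forgotten `Setup*` call yields an error rather than a nil pointer dereference.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
)

// CmdData (hypothetical): option pointers stay nil until a Setup* call registers the flag.
type CmdData struct{ DockerConfig *string }

// SetupDockerConfig allocates the option and registers --docker-config.
func SetupDockerConfig(d *CmdData, fs *flag.FlagSet) {
	d.DockerConfig = new(string)
	fs.StringVar(d.DockerConfig, "docker-config", "", "docker config directory")
}

// InitOptions (hypothetical) stands in for InitCommonComponentsOptions.
type InitOptions struct {
	Cmd                *CmdData
	InitDockerRegistry bool
}

var ErrFlagNotRegistered = errors.New("init needs --docker-config, but the flag was never registered")

// InitCommonComponents guards the dereference: a missing Setup call becomes an error, not a panic.
func InitCommonComponents(o InitOptions) (string, error) {
	if !o.InitDockerRegistry {
		return "", nil
	}
	if o.Cmd.DockerConfig == nil {
		return "", ErrFlagNotRegistered
	}
	return *o.Cmd.DockerConfig, nil
}

// run wires a command with or without the Setup call, then initializes it.
func run(callSetup bool, args []string) (string, error) {
	data, fs := &CmdData{}, flag.NewFlagSet("verify", flag.ContinueOnError)
	if callSetup {
		SetupDockerConfig(data, fs)
	}
	if err := fs.Parse(args); err != nil {
		return "", err
	}
	return InitCommonComponents(InitOptions{Cmd: data, InitDockerRegistry: true})
}

func main() { fmt.Println(run(false, nil)) }
```
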

ilya-lesikov and others added 30 commits March 23, 2026 17:55
Signed-off-by: Ilya Lesikov <ilya@lesikov.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
…f#7407)

Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Co-authored-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
werf#7394)

Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Alexandr Zaytsev <alexandr.zaytsev@flant.com>
…werf#7416)

Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…ges (werf#7413)

Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…seInstall, ReleaseUninstall and ReleaseRollback (werf#7418)

Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…f#7258)

On Windows, filepath.Join produces backslash-separated paths that break
Docker container execution. Replace filepath.Join with path.Join for all
container-internal path construction in pkg/stapel/stapel.go, which
always uses forward slashes regardless of host OS.

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
werf#7414)

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
… disappear between readdir and stat

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
…nfig from DOCKER_AUTH_CONFIG env var

When enabled, werf ci-env creates a fresh temporary Docker config directory
from the DOCKER_AUTH_CONFIG environment variable instead of copying the
existing Docker config. This is useful in CI environments like GitLab where
DOCKER_AUTH_CONFIG is already set with registry credentials.

The flag is opt-in (default false) and does not change existing behavior.
Errors if DOCKER_AUTH_CONFIG is empty when the flag is enabled.

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
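
A sketch of the behaviour this commit message describes, added here as an example and not taken from werf: a fresh temporary Docker config directory is built from `DOCKER_AUTH_CONFIG`, and an empty variable is an error. The helper names, the JSON validity check and the 0700/0600 permissions are assumptions about how one would handle a credential-bearing file.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// dockerConfigFromEnv (hypothetical helper, not werf's code) builds a fresh,
// private Docker config directory from the DOCKER_AUTH_CONFIG variable.
func dockerConfigFromEnv() (string, error) {
	raw := os.Getenv("DOCKER_AUTH_CONFIG")
	if raw == "" {
		return "", errors.New("DOCKER_AUTH_CONFIG is empty")
	}
	if !json.Valid([]byte(raw)) {
		return "", errors.New("DOCKER_AUTH_CONFIG is not valid JSON")
	}
	dir, err := os.MkdirTemp("", "docker-config-") // mode 0700: owner only
	if err != nil {
		return "", err
	}
	// 0600 because config.json carries registry credentials.
	path := filepath.Join(dir, "config.json")
	if err := os.WriteFile(path, []byte(raw), 0o600); err != nil {
		os.RemoveAll(dir)
		return "", err
	}
	return dir, nil
}

// othersCanAccess reports whether any group or world permission bit is set.
func othersCanAccess(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 != 0, nil
}

func main() {
	// Constructed sample value; the credential is a dummy.
	os.Setenv("DOCKER_AUTH_CONFIG", `{"auths":{"registry.example.com":{"auth":"Y29uc3RydWN0ZWQ6ZHVtbXk="}}}`)
	dir, err := dockerConfigFromEnv()
	fmt.Println(dir, err)
	defer os.RemoveAll(dir)
}
```
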
Comment out the check for up-to-date mocks in the lint workflow.
Extend .env build report generation (ToEnvFileData) with additional
fields (DockerImageID, DockerImageDigest, DockerRepo, DockerTag,
WerfImageName, Final) and add a parser (parseEnvFileBuildReport) to
read them back into ImagesReport. LoadBuildReportFromFile now detects
.env extension and routes to the appropriate parser, enabling
'werf export --use-build-report --build-report-path=report.env'.

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
…ario (werf#7423)

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
🤖 I have created a release *beep* *boop*
---


## [2.65.0](werf/werf@v2.64.0...v2.65.0)
(2026-03-29)


### Features

* **build-report:** support reading .env format build reports
([8e1501c](werf@8e1501c))
* **ci-env:** add --use-docker-auth-config flag to generate Docker
config from DOCKER_AUTH_CONFIG env var
([c2701f7](werf@c2701f7))
* **deploy:** add structured image values to $.Values.global.werf.images
([werf#7413](werf#7413))
([1b93dcc](werf@1b93dcc))


### Bug Fixes

* **build:** fix git owner and group with buildah backend
([werf#7415](werf#7415))
([7af23b6](werf@7af23b6))
* **build:** use path.Join for container-internal paths in stapel
([werf#7258](werf#7258))
([c974594](werf@c974594))
* **deploy:** goroutine leak in watch error channel consumer for
ReleaseInstall, ReleaseUninstall and ReleaseRollback
([werf#7418](werf#7418))
([f2d817c](werf@f2d817c))
* **deploy:** release had pending status after error instead of failed
([werf#7416](werf#7416))
([b523cf2](werf@b523cf2))
* **host-cleanup:** handle race condition in tmp files GC when entries
disappear between readdir and stat
([18ff151](werf@18ff151))
* **includes:** respect --loose-giterminism for --allow-includes-update
([werf#7414](werf#7414))
([db75a5a](werf@db75a5a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
…Fetch (werf#7425)

## Summary

- Fix `werf export` failing with `reference not found` when
`werf-includes.yaml` specifies a non-default branch name (e.g. `branch:
devops/includes-problem`)
- Extract `syncLocalBranches` helper from `FetchOrigin` and call it from
`CloneAndFetch` after a fresh clone, so local `refs/heads/*` branches
are created from `refs/remotes/origin/*` immediately — not only after
the next fetch

## Problem

When `CloneAndFetch` performs a fresh `git clone`, the cloned repo only
has remote-tracking refs (`refs/remotes/origin/*`). The `branchRef`
function in `pkg/includes/repo.go` resolves branch names via
`refs/heads/*`, which don't exist yet. This causes `reference not found`
for any non-default branch on the first run.

The existing `syncLocalBranches` logic (creating local refs from remote
refs) already existed in `FetchOrigin`, but was never called after the
initial clone path — only after subsequent fetches.

## Changes

- **`pkg/git_repo/remote.go`**: Extract `syncLocalBranches` private
method from `FetchOrigin`; call it from `CloneAndFetch` after fresh
clone; reuse in `FetchOrigin`
- **`pkg/git_repo/remote_ai_test.go`**: Add test covering 3 branch
patterns: `main`, `feature-branch`, `devops/includes-problem`
(slash-containing)

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
… stage with no instructions (werf#7434)

When stageDependencies.install (or beforeSetup/setup) has paths but the
corresponding shell/ansible section is empty or missing, the stage is
never generated and the dependency paths are silently ignored. This
causes changes to matched files to not trigger rebuilds.

Emit a global warning in this case. Marked with TODO(v3) to become a
hard error in v3.

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
flant-team-sysdev and others added 22 commits April 14, 2026 11:55
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
…builds (werf#7480)

Signed-off-by: Evgeniy Frolov <evgeniy.frolov@flant.com>
🤖 I have created a release *beep* *boop*
---


## [2.67.2](werf/werf@v2.67.1...v2.67.2)
(2026-04-21)


### Bug Fixes

* **build, docker, stapel:** fix stage image cache for multi-platform
builds ([werf#7480](werf#7480))
([23f89b3](werf@23f89b3))
* **build, docker:** handle `no such container` error
([werf#7482](werf#7482))
([83b3227](werf@83b3227))
* **ci:** pr docs preview
([werf#7485](werf#7485))
([d29c18b](werf@d29c18b))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
…7448)

## Summary

Fixes werf#6755

When running `werf bundle copy --docker-config=<dir>`, the custom docker
config is used for pulling the bundle chart itself but **not** for
pulling the associated images. This results in a `DENIED: Permission
denied` error when pulling images from a registry that requires the
custom credentials.

## Root Cause

The `bundle copy` command initializes the docker registry via
`InitCommonComponents` with `InitDockerRegistry: true`, which calls
`DockerRegistryInit` → `docker_registry.Init`. However, it does **not**
call `docker.InitDockerConfig()`, so the `DOCKER_CONFIG` environment
variable is never set.

The image pulling code in `PullImageArchive` uses
`authn.DefaultKeychain` from `go-containerregistry`, which reads from
`$DOCKER_CONFIG` to locate credentials. Without the env var set, it
falls back to `~/.docker/config.json` and cannot find the custom
credentials.

Other commands (like `werf build`) call `InitProcessContainerBackend`,
which calls `docker.Init()` → `docker.InitDockerConfig()`, so they work
correctly. But `bundle copy` skips this step since it doesn't need a
full container backend.

## Fix

Call `docker.InitDockerConfig()` with the configured docker config
directory in `runCopy()` after `InitCommonComponents`. This sets the
`DOCKER_CONFIG` environment variable so that `authn.DefaultKeychain` can
find the credentials for image pulling.

## Files Changed

- `cmd/werf/bundle/copy/copy.go` — Add `docker.InitDockerConfig()` call
with the `--docker-config` value

Co-authored-by: rvasikarla <rvasikarla@splunk.com>
…is requested (werf#7488)

## Summary

Systemic follow-up to werf#7448. Centralizes `docker.InitDockerConfig` in
`InitCommonComponents` as the single source of truth for `DOCKER_CONFIG`
initialization.

## Problem

`docker.InitDockerConfig` was called in multiple places:
- Buildah branch of `InitProcessContainerBackend`
(`container_backend.go`)
- Docker branch via `InitProcessDocker` → `docker.Init` →
`docker.InitDockerConfig`
- Per-command band-aid in `bundle copy` (added by werf#7448)

Any command using `InitDockerRegistry` without
`InitProcessContainerBackend` didn't get `DOCKER_CONFIG` set, breaking
`authn.DefaultKeychain` credential lookup.

## Fix

- Call `docker.InitDockerConfig` once in `InitCommonComponents` when
either `InitDockerRegistry` or `InitProcessContainerBackend` is
requested — early, before any registry interaction.
- Remove the duplicate call from `InitProcessContainerBackend` buildah
branch.
- Remove the per-command band-aid from `bundle copy`.

`InitDockerConfig` is idempotent (just `os.Setenv` + global var), so the
docker path (`InitProcessDocker` → `docker.Init`) calling it again is
harmless.

## Files Changed

- `cmd/werf/common/components_manager.go` — Add centralized
`docker.InitDockerConfig` call
- `cmd/werf/common/container_backend.go` — Remove duplicate from buildah
branch
- `cmd/werf/bundle/copy/copy.go` — Remove per-command band-aid from
werf#7448

Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
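
The credential lookup problem described in werf#7448 and werf#7488, as a simplified stand-alone model (an added example; it is not werf or go-containerregistry code). `configDir`, `hasAuth` and `demo` are hypothetical names, the config content is constructed, and the model covers only the `$DOCKER_CONFIG` versus `$HOME/.docker` directory choice, not credential helpers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// configDir: $DOCKER_CONFIG if set, else $HOME/.docker (simplified model, not library code).
func configDir() string {
	if d := os.Getenv("DOCKER_CONFIG"); d != "" {
		return d
	}
	return filepath.Join(os.Getenv("HOME"), ".docker")
}

// hasAuth reports whether config.json in that directory has an "auths" entry for the host.
func hasAuth(registry string) bool {
	var cfg struct {
		Auths map[string]json.RawMessage `json:"auths"`
	}
	raw, err := os.ReadFile(filepath.Join(configDir(), "config.json"))
	if err != nil || json.Unmarshal(raw, &cfg) != nil {
		return false
	}
	_, ok := cfg.Auths[registry]
	return ok
}

// demo looks up a registry before and after DOCKER_CONFIG is exported with os.Setenv.
func demo(registry string) (before, after bool, err error) {
	root, err := os.MkdirTemp("", "docker-config-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	cfg := fmt.Sprintf(`{"auths":{%q:{"auth":"Y29uc3RydWN0ZWQ6ZHVtbXk="}}}`, registry)
	if err = os.WriteFile(filepath.Join(root, "config.json"), []byte(cfg), 0o600); err != nil {
		return false, false, err
	}
	os.Setenv("HOME", filepath.Join(root, "empty-home")) // no ~/.docker here
	os.Unsetenv("DOCKER_CONFIG")
	before = hasAuth(registry)
	os.Setenv("DOCKER_CONFIG", root) // the step the affected commands never reached
	after = hasAuth(registry)
	return before, after, nil
}

func main() { fmt.Println(demo("registry.example.com")) }
```

The demo changes `HOME` and `DOCKER_CONFIG` for the running process, so run it in a throwaway shell or process.
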
Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>

# Conflicts:
#	.github/workflows/_docs_deploy.yml
#	.github/workflows/docs_cleanup-registry.yml
#	.github/workflows/docs_deploy_latest.yml
#	.github/workflows/docs_deploy_pr.yml
#	.github/workflows/docs_deploy_tag.yml
#	.github/workflows/issues_delayed-auto-close.yml
#	.github/workflows/release_registry-cleanup.yml
#	.github/workflows/test_cr-cleanup.yml
#	.github/workflows/test_daily.yml
#	.github/workflows/tests.yml
#	CHANGELOG.md
#	docs/pages_en/usage/build/process.md
#	docs/pages_ru/usage/build/process.md
#	go.mod
#	go.sum
#	pkg/container_backend/buildah_backend.go
#	pkg/container_backend/legacy_stage_image.go
#	pkg/storage/repo_stages_storage_test.go
#	pkg/storage/stages_storage.go
#	pkg/storage/suite_test.go
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
@alexey-igrychev alexey-igrychev marked this pull request as draft April 21, 2026 23:00
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
@alexey-igrychev alexey-igrychev marked this pull request as ready for review April 22, 2026 11:03
@alexey-igrychev alexey-igrychev merged commit 466bc95 into main Apr 22, 2026
15 checks passed
@alexey-igrychev alexey-igrychev deleted the delivery-kit-main branch April 22, 2026 11:03

9 participants