Merge origin/main into delivery-kit/main#80
Merged
alexey-igrychev merged 80 commits intomainfrom Apr 22, 2026
Merged
Conversation
Signed-off-by: Ilya Lesikov <ilya@lesikov.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
…f#7407) Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com> Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com> Co-authored-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
werf#7394) Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Alexandr Zaytsev <alexandr.zaytsev@flant.com>
…werf#7416) Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…ges (werf#7413) Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…seInstall, ReleaseUninstall and ReleaseRollback (werf#7418) Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
…f#7258) On Windows, filepath.Join produces backslash-separated paths that break Docker container execution. Replace filepath.Join with path.Join for all container-internal path construction in pkg/stapel/stapel.go, which always uses forward slashes regardless of host OS. Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
werf#7414) Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
… disappear between readdir and stat Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
…nfig from DOCKER_AUTH_CONFIG env var When enabled, werf ci-env creates a fresh temporary Docker config directory from the DOCKER_AUTH_CONFIG environment variable instead of copying the existing Docker config. This is useful in CI environments like GitLab where DOCKER_AUTH_CONFIG is already set with registry credentials. The flag is opt-in (default false) and does not change existing behavior. Errors if DOCKER_AUTH_CONFIG is empty when the flag is enabled. Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Comment out the check for up-to-date mocks in the lint workflow.
Extend .env build report generation (ToEnvFileData) with additional fields (DockerImageID, DockerImageDigest, DockerRepo, DockerTag, WerfImageName, Final) and add a parser (parseEnvFileBuildReport) to read them back into ImagesReport. LoadBuildReportFromFile now detects .env extension and routes to the appropriate parser, enabling 'werf export --use-build-report --build-report-path=report.env'. Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
…ario (werf#7423) Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
🤖 I have created a release *beep* *boop* --- ## [2.65.0](werf/werf@v2.64.0...v2.65.0) (2026-03-29) ### Features * **build-report:** support reading .env format build reports ([8e1501c](werf@8e1501c)) * **ci-env:** add --use-docker-auth-config flag to generate Docker config from DOCKER_AUTH_CONFIG env var ([c2701f7](werf@c2701f7)) * **deploy:** add structured image values to $.Values.global.werf.images ([werf#7413](werf#7413)) ([1b93dcc](werf@1b93dcc)) ### Bug Fixes * **build:** fix git owner and group with buildah backend ([werf#7415](werf#7415)) ([7af23b6](werf@7af23b6)) * **build:** use path.Join for container-internal paths in stapel ([werf#7258](werf#7258)) ([c974594](werf@c974594)) * **deploy:** goroutine leak in watch error channel consumer for ReleaseInstall, ReleaseUninstall and ReleaseRollback ([werf#7418](werf#7418)) ([f2d817c](werf@f2d817c)) * **deploy:** release had pending status after error instead of failed ([werf#7416](werf#7416)) ([b523cf2](werf@b523cf2)) * **host-cleanup:** handle race condition in tmp files GC when entries disappear between readdir and stat ([18ff151](werf@18ff151)) * **includes:** respect --loose-giterminism for --allow-includes-update ([werf#7414](werf#7414)) ([db75a5a](werf@db75a5a)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
…Fetch (werf#7425) ## Summary - Fix `werf export` failing with `reference not found` when `werf-includes.yaml` specifies a non-default branch name (e.g. `branch: devops/includes-problem`) - Extract `syncLocalBranches` helper from `FetchOrigin` and call it from `CloneAndFetch` after a fresh clone, so local `refs/heads/*` branches are created from `refs/remotes/origin/*` immediately — not only after the next fetch ## Problem When `CloneAndFetch` performs a fresh `git clone`, the cloned repo only has remote-tracking refs (`refs/remotes/origin/*`). The `branchRef` function in `pkg/includes/repo.go` resolves branch names via `refs/heads/*`, which don't exist yet. This causes `reference not found` for any non-default branch on the first run. The existing `syncLocalBranches` logic (creating local refs from remote refs) already existed in `FetchOrigin`, but was never called after the initial clone path — only after subsequent fetches. ## Changes - **`pkg/git_repo/remote.go`**: Extract `syncLocalBranches` private method from `FetchOrigin`; call it from `CloneAndFetch` after fresh clone; reuse in `FetchOrigin` - **`pkg/git_repo/remote_ai_test.go`**: Add test covering 3 branch patterns: `main`, `feature-branch`, `devops/includes-problem` (slash-containing) Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
… stage with no instructions (werf#7434) When stageDependencies.install (or beforeSetup/setup) has paths but the corresponding shell/ansible section is empty or missing, the stage is never generated and the dependency paths are silently ignored. This causes changes to matched files to not trigger rebuilds. Emit a global warning in this case. Marked with TODO(v3) to become a hard error in v3. Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Polina Sizintseva <polina.sizintseva@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
…builds (werf#7480) Signed-off-by: Evgeniy Frolov <evgeniy.frolov@flant.com>
🤖 I have created a release *beep* *boop* --- ## [2.67.2](werf/werf@v2.67.1...v2.67.2) (2026-04-21) ### Bug Fixes * **build, docker, stapel:** fix stage image cache for multi-platform builds ([werf#7480](werf#7480)) ([23f89b3](werf@23f89b3)) * **build, docker:** handle `no such container` error ([werf#7482](werf#7482)) ([83b3227](werf@83b3227)) * **ci:** pr docs preview ([werf#7485](werf#7485)) ([d29c18b](werf@d29c18b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
…7448) ## Summary Fixes werf#6755 When running `werf bundle copy --docker-config=<dir>`, the custom docker config is used for pulling the bundle chart itself but **not** for pulling the associated images. This results in a `DENIED: Permission denied` error when pulling images from a registry that requires the custom credentials. ## Root Cause The `bundle copy` command initializes the docker registry via `InitCommonComponents` with `InitDockerRegistry: true`, which calls `DockerRegistryInit` → `docker_registry.Init`. However, it does **not** call `docker.InitDockerConfig()`, so the `DOCKER_CONFIG` environment variable is never set. The image pulling code in `PullImageArchive` uses `authn.DefaultKeychain` from `go-containerregistry`, which reads from `$DOCKER_CONFIG` to locate credentials. Without the env var set, it falls back to `~/.docker/config.json` and cannot find the custom credentials. Other commands (like `werf build`) call `InitProcessContainerBackend`, which calls `docker.Init()` → `docker.InitDockerConfig()`, so they work correctly. But `bundle copy` skips this step since it doesn't need a full container backend. ## Fix Call `docker.InitDockerConfig()` with the configured docker config directory in `runCopy()` after `InitCommonComponents`. This sets the `DOCKER_CONFIG` environment variable so that `authn.DefaultKeychain` can find the credentials for image pulling. ## Files Changed - `cmd/werf/bundle/copy/copy.go` — Add `docker.InitDockerConfig()` call with the `--docker-config` value Co-authored-by: rvasikarla <rvasikarla@splunk.com>
…is requested (werf#7488) ## Summary Systemic follow-up to werf#7448. Centralizes `docker.InitDockerConfig` in `InitCommonComponents` as the single source of truth for `DOCKER_CONFIG` initialization. ## Problem `docker.InitDockerConfig` was called in multiple places: - Buildah branch of `InitProcessContainerBackend` (`container_backend.go`) - Docker branch via `InitProcessDocker` → `docker.Init` → `docker.InitDockerConfig` - Per-command band-aid in `bundle copy` (added by werf#7448) Any command using `InitDockerRegistry` without `InitProcessContainerBackend` didn't get `DOCKER_CONFIG` set, breaking `authn.DefaultKeychain` credential lookup. ## Fix - Call `docker.InitDockerConfig` once in `InitCommonComponents` when either `InitDockerRegistry` or `InitProcessContainerBackend` is requested — early, before any registry interaction. - Remove the duplicate call from `InitProcessContainerBackend` buildah branch. - Remove the per-command band-aid from `bundle copy`. `InitDockerConfig` is idempotent (just `os.Setenv` + global var), so the docker path (`InitProcessDocker` → `docker.Init`) calling it again is harmless. ## Files Changed - `cmd/werf/common/components_manager.go` — Add centralized `docker.InitDockerConfig` call - `cmd/werf/common/container_backend.go` — Remove duplicate from buildah branch - `cmd/werf/bundle/copy/copy.go` — Remove per-command band-aid from werf#7448 Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Dmitry Mordvinov <dmitry.mordvinov@flant.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com> # Conflicts: # .github/workflows/_docs_deploy.yml # .github/workflows/docs_cleanup-registry.yml # .github/workflows/docs_deploy_latest.yml # .github/workflows/docs_deploy_pr.yml # .github/workflows/docs_deploy_tag.yml # .github/workflows/issues_delayed-auto-close.yml # .github/workflows/release_registry-cleanup.yml # .github/workflows/test_cr-cleanup.yml # .github/workflows/test_daily.yml # .github/workflows/tests.yml # CHANGELOG.md # docs/pages_en/usage/build/process.md # docs/pages_ru/usage/build/process.md # go.mod # go.sum # pkg/container_backend/buildah_backend.go # pkg/container_backend/legacy_stage_image.go # pkg/storage/repo_stages_storage_test.go # pkg/storage/stages_storage.go # pkg/storage/suite_test.go
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Merge upstream
werf/werfmain branch intodelivery-kit/main, incorporating 74 commits. Fixwerf verifycrash caused by missing--docker-configflag registration.Key changes
origin/maingo.mod, and source filescommon.SetupDockerConfig(...)incmd/werf/verify/verify.go— the call was commented out but required byInitDockerRegistry: trueinrunMain, causing a nil pointer dereference on*opts.Cmd.DockerConfigWhy
werf verifypanics at runtime becauseInitCommonComponentswithInitDockerRegistry: truedereferencesDockerConfig, which is never allocated withoutSetupDockerConfig. Every other command that usesInitDockerRegistryorInitProcessContainerBackendproperly callsSetupDockerConfig—verifywas the only inconsistency.Conflict resolutions
Review focus / risks
cmd/werf/verify/verify.go:73— the only code change beyond the merge; verify that no otherSetup*calls need uncommenting (audited: remaining commented-out calls correspond to disabledInitCommonComponentsOptions, so they are consistent)go.modfor correctness