chore(deps): update ⬆️ regex matched resources to v2.29.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v2.21.3 -> v2.29.0

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.29.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.28.1...v2.29.0

Features

#​2929 Support fish completion

Added a sub command aqua completion fish, which outputs scripts for fish completion

You can source the output to enable the completion.

aqua completion fish | source

Or you can write the output to a file.

https://fishshell.com/docs/current/completions.html#where-to-put-completions

aqua completion fish > ~/.config/fish/completions/aqua.fish

v2.28.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.28.0...v2.28.1

Bug Fixes

#​2904 generate: Fix a bug that aqua g -i fails if aqua.yaml doesn't have the field packages
#​2902 info: Fix a bug that user names aren't masked on Windows @​sapphi-red

v2.28.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.4...v2.28.0

Features

#​2609 #​2730 #​2632 Support getting a package version from go directive in go.mod or go.work

From Go 1.21, the version of Go is decided by go directive in go.mod or go.work.

https://go.dev/doc/toolchain

e.g.

module github.com/aquaproj/aqua/v2

go 1.22.3

This can cause an issue that the version of Go may be different from the version defined in aqua.yaml.
And we need to define go version in two places.

To solve the issue, this pull request enables aqua to get the version of go from go directive in go.mod or go.work.
You can specify the path to go.mod or go.work by a field go_version_file.

e.g.

packages:
- name: golang/go
  go_version_file: go.mod

Then you can define go version only in go.mod or go.work.

[!CAUTION]
The version of Go must be a semver x.y.z.
You can't omit a patch version.

#​2880 Ignore invalid packages and continue working

When reading aqua.yaml, aqua ignores invalid packages and continues working.
This improves the robustness.

v2.27.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.3...v2.27.4

Bug Fixes

#​2144 #​2510 #​2871 Fix a bug that update-aqua fails on Windows

Others

Update Go 1.22.2 to 1.22.3

v2.27.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.2...v2.27.3

Bug Fixes

#​2833 #​2834 Fix a bug that a checksum id of go_build type package is empty

aqua-checksums.json

    {
      "id": "",
      "checksum": "C4D72E482B85570A1A73776EEF47E993B5F8FA6C204E0B1CAA794E4DF4F13521",
      "algorithm": "sha256"
    }

v2.27.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.1...v2.27.2

Bug Fixes

#​2830 Improve handling of broken registry JSON files

When aqua reads Standard Registry and github_content Registries, aqua converts them to JSON once and saves them.
And aqua reads JSON files instead of YAML files from the next time.
This improves the performance a bit. #​2517

But if a JSON file got broken, aqua got not working.
In that case, you had to remove the file yourself.

This issue rarely occurs, but this release resolves it.
If a JSON file gets broken, aqua removes and recreates the file.
So aqua continues working and you don't have to remove the file yourself.

v2.27.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.0...v2.27.1

Others

#​2824 #​2825 Generate shell completion on brew install @​ryota2357

ref. https://github.com/aquaproj/homebrew-aqua/blob/c4731da7c66a797e93b5efbcc5340b39f86f559b/aqua.rb#L19

⚠️ To enable shell completion, you have to configure FPATH and so on.

#​2809 chore: update aqua-proy to v1.2.6

🎉 New Contributors

Thank you for your contribution!

@​ryota2357 #​2825

v2.27.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.26.0...v2.27.0

Features

#​2702 #​2806 checksum: Support enforcing checksum verification via environment variables

You can enforce checksum verification by environment variables AQUA_ENFORCE_CHECKSUM and AQUA_ENFORCE_REQUIRE_CHECKSUM.

export AQUA_ENFORCE_CHECKSUM=true
export AQUA_ENFORCE_REQUIRE_CHECKSUM=true

This is useful for both CI and local development.

Checksum verification is disabled by default, and you can disable checksum verification by setting.
If you manage a Monorepo and want to make checksum verification mandatory in CI, you can set these environment variables in CI. Then checksum verification is enabled regardless of the setting of aqua.yaml.

And if you want to enforce checksum verification on your laptop, you can set these environment variables in your shell configuration files such as .bashrc and .zshrc.

v2.26.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.2...v2.26.0

Features

#​2782 #​2804 generate: add -g option to add packages to a global configuration file

e.g.

$ aqua g -g cli/cli

You can add packages to a global configuration file with -g and -i option.

e.g.

$ aqua g -g -i cli/cli

If there are multiple global configuration files, a first global configuration file is used.

Others

#​2803 Update the help message of remove command

Note that this command remove files from AQUA_ROOT_DIR/pkgs, but doesn't remove packages from aqua.yaml and doesn't remove files from AQUA_ROOT_DIR/bin and AQUA_ROOT_DIR/bat.

v2.25.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.1...v2.25.2

Bug Fixes

#​2781 #​2786 list: Fix a bug that packages in that same aqua.yaml is outputted by aqua list --installed

Others

#​2779 #​2788 Update slsa-verifier to v2.5.1
#​2787 Update go directive to 1.22 and refactor codes with Go new features

v2.25.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.0...v2.25.1

Bug Fixes

#​1665 #​2757 Fix the verification error of Cosign
#​2764 #​2765 Fix SIGSEGV: segmentation violation of aqua update and aqua generate commands

Others

#​2756 Update the template of aqua.yaml generated by aqua init to follow a yamllint comment rule @​bhundven

v2.25.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.24.1...v2.25.0

Features

#​2749 #​2752 Support excluding some packages from the target of aqua update

e.g. aqua.yaml

packages:
  - name: golang/vuln/govulncheck@v1.0.3
    update:

##### If enabled is false, aqua up command ignores the package.
##### If the package name is passed to aqua up command explicitly, enabled is ignored.

##### By default, enabled is true.
      enabled: false

Fixes

#​2747 #​2354 #​2750 #​2751 Improve the logic to get the latest version

We've changed the logic to get the latest version in some commands such as aqua update and aqua generate.
The original logic was to call GitHub API Get a latest release, but a latest release wan't necessarily a latest version.
So we changed the logic to list the recent releases and get a latest version by semver.

v2.24.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.24.0...v2.24.1

Bug Fixes

#​2742 #​2744 fix a bug that aqua g and aqua gr commands don't work for cargo package

This bug was due to crates.io crawler policy.

We are unable to process your request at this time.
This usually means that you are in violation of our crawler policy.

We could resolve the issue by setting the User-Agent header.

v2.24.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.2...v2.24.0

Features

#​2709 #​2733 Support listing installed packages

Command line options -installed and -all [-a] were added to aqua list command.

aqua list -installed [-a]

If -installed is set, installed packages are outputted.

e.g.

$ aqua list -installed   
rhysd/actionlint	v1.6.27	standard
suzuki-shunsuke/cmdx	v1.7.4	standard
sigstore/cosign	v1.13.2	standard
suzuki-shunsuke/ghalint	v0.2.9	standard
int128/ghcp	v1.13.2	standard
golangci/golangci-lint	v1.56.2	standard
goreleaser/goreleaser	v1.24.0	standard
reviewdog/reviewdog	v0.17.1	standard

By default, global configuration files are ignored.
To output packages in global configuration files too, please set the option -all [-a].

$ aqua list -a -installed

v2.23.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.1...v2.23.2

Fixes

#​2714 Fix a bug that it fails to download large files from GitHub repositories

Use the API RepositoriesService.DownloadContents instead of RepositoriesService.GetContents to download large files from GitHub.

https://pkg.go.dev/github.com/google/go-github/v60/github#RepositoriesService.DownloadContents

DownloadContents returns an io.ReadCloser that reads the contents of the specified file.
This function will work with files of any size, as opposed to GetContents which is limited to 1 Mb files. It is the caller's responsibility to close the ReadCloser.

If you use old aqua and face the following error, please update aqua to v2.23.2 or newer.

unsupported content encoding: none, this may occur when file size > 1 MB, if that is the case consider using DownloadContents

Others

Update Go 1.21.6 to 1.22.0

v2.23.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.23.0...v2.23.1

Bug Fixes

#​2661 #​2662 update-checksum: Fix a bug that update-checksum doesn't work well if packages use both cargo or go_install types and other types

For example, the package eza-community/eza uses cargo type for darwin and windows/arm64 and github_relaese type for other platforms. In this case, aqua update-checksum didn't work well.

https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L2
https://github.com/aquaproj/aqua-registry/blob/15d67414625ea37e68ea8436dba9413d9bd9b540/pkgs/eza-community/eza/registry.yaml#L54-L57

This release fixed the issue.

v2.23.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.22.0...v2.23.0

Features

#​2649 #​2652 cargo: Trim a prefix from cargo package's version

Bug Fixes

#​2642 info: Output AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#disable-the-verification-with-cosign-and-slsa-provenance

#​2654 generate-registry: Fix a bug that same version_overrides aren't merged properly

Others

#​2644 Update aqua-proxy to v1.2.5
#​2653 Update JSON Schema

v2.22.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.21.3...v2.22.0

Features

#​2631 #​2633 #​2634 Support disabling the verification with Cosign and SLSA Provenance

You can disable the verification with Cosign and SLSA Provenance if you can't use them.

Why is the feature needed?

[!CAUTION]
This feature is for users who can't use Cosign and slsa-verifier.
Most users can use them, so most users don't need this feature.
aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

Cosign and sla-verifier access some endpoints such as oauth2.sigstore.dev and fulcio.sigstore.dev.
So to use them you need to allow the access to these endpoints.

But in some use cases you can't or don't want to do that.
For example, your company's network policy might not allow the access to these endpoints.

To resolve the issue, this issue proposes to support disabling the verification with Cosign and slsa-verifier.

How to use

You can use command line options -disable-cosign and -disable-slsa or environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA.

e.g.

aqua [-disable-cosign] [-disable-slsa] i

env AQUA_DISABLE_COSIGN=true AQUA_DISABLE_SLSA=true aqua i

Update dependencies

• Go 1.21.5 to 1.21.6
• goreleaser v1.22.1 to v1.23.0
• go.mod

---

Configuration

📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.