Update dependency aquaproj/aqua to v1.38.0

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v1.36.0 -> v1.38.0

---

Release Notes

aquaproj/aqua

v1.38.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.2...v1.38.0

Features

#​1781 #​1783 Support configuring require_checksum by the environment variable

export AQUA_REQUIRE_CHECKSUM=true # false

If require_checksum is configured in a configuration file, the environment variable is ignored.
If checksum isn't enabled in a configuration file, the environment variable is ignored.

Why is the feature needed?

To combine security and convenience.
In CI we would like to enable require_checksum for security.
On the other hand, we don't want to enable require_checksum in your laptops for convenience.
If require_checksum is enabled, you have to run aqua update-checksum when you change the package version.
Otherwise, it fails to run the package. This is a bad experience.

v1.37.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.1...v1.37.2

Fixes

#​1777 init, init-policy: remove broken links

aqua.yaml and aqua-policy.yaml generated by aqua init and aqua init-policy commands contained broken links.
So we removed them.

v1.37.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.37.0...v1.37.1

Bug Fixes

#​1771 #​1772 Fixed a bug that update-checksum --deep command fails if go_install package is used

v1.37.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.36.1...v1.37.0

Features

#​1762 Support default checksum parser

aqua supported two checksum file format raw and regexp and the file format is mandatory.
This pull request supports a default file format and the file format becomes optional.

If a checksum file contains only one line and doesn't contain a space , a file content is treated as checksum.

e.g.

0549CBAA2DF451CF3A2011A9D73A9CB127784D26749D9CD14C9F4818AF104D44

Each line is split by a space .
The first element is treated as a checksum
The second element is treated as a file path, and the base name is treated as the asset name.

e.g.

944fdfebfdf1026d318609cc706bad454196f0b1d76e557b56c829b0e6165a9f  ./kapp-linux-arm64
9aaa735985efbe240af0ca1d80adf3b43be6cf4ec6620a053082e31bea25dae7  ./kapp-linux-amd64
dcbf6dd9b4cecfc6316391029a6e9a5f3863e6a1f7848eb5fb78bfdbdc06faf8  ./kapp-darwin-amd64
e802044c2676455464675e290ea5b5eed7da9741eae1260af8d8d15355495db3  ./kapp-windows-amd64.exe
f059d708fc550c516d1f04ee4c82efd8bc346c480156c03a3445825c73d827a6  ./kapp-darwin-arm64

Why this feature is needed

This feature works well flexibly and we don't have to fix checksum configuration when the checksum file format is changed.
We don't have to write complicated regular expressions.
This feature improves the maintainability of checksum configuration.

Others

#​1764 Update Go from v1.20.1 to v1.20.2

v1.36.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v1.36.0...v1.36.1

Bug Fixes

#​1742 #​1752 install: install command succeeded unexpectedly even if unknown packages are included

This bug was caused by aquaproj/aqua@40154d3 v1.19.5 (2022-10-01).

#​1746 #​1757 Clear unrelated fields if package type is changed by overrides or version_overrides

Others

#​1718 #​1721 #​1755 #​1756 Use slsa-verifier as CLI instead of Go library to separate slsa-verifier from aqua itself
#​1753 update google/go-github from v45 to v50

Use slsa-verifier as CLI instead of Go library to separate slsa-verifier from aqua itself

#​1718 #​1721

From aqua v1.26.0, aqua has supported verifing packages by slsa-verifier. aqua used slsa-verifier as a Go library, but then some issues occured because slsa-verifier is so large.

• aqua binary becomes so large 5 MB => 15 MB
• It takes a long time to build aqua
• #​1717 Renovate fails to run go mod tidy and go get

Especially, #​1717 was critical.

To solve these issues, we decided to use slsa-verifer as CLI instead of Go library.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.