Update dependency aquaproj/aqua to v2.36.0 #551

Merged
merged 1 commit into from
Sep 30, 2024

@renovate renovate bot commented Sep 30, 2024

This PR contains the following updates:

Package Update Change
aquaproj/aqua minor v2.29.2 -> v2.36.0

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.36.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.35.0...v2.36.0

Features

#​3130 #​3134 support changing $0 by symlink

Some tools change their behavior by $0.

For example, granted changes the behavior based on args[0].

https://github.com/common-fate/granted/blob/e8de3ec7d62d543062d8be802b27abb3d8fac429/cmd/granted/main.go#L37-L44

	// Use a single binary to keep keychain ACLs simple, swapping behavior via argv[0]
	var app *cli.App
	switch filepath.Base(os.Args[0]) {
	case "assumego", "assumego.exe", "dassumego", "dassumego.exe":
		app = assume.GetCliApp()
	default:
		app = granted.GetCliApp()
	}

This release supports changing $0 by symlink.

        files:
          - name: granted
          - name: assumego
            src: granted
            link: assumego # link is the relative path from src to the symlink

Bug Fixes

#​3136 #​3137 remove: Handle panic error when package is not found @​Shion1305
#​3138 remove: Ignore not found commands

v2.35.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.34.0...v2.35.0

Features

#​3119 #​3131 Verify packages' GitHub Artifact Attestations

When aqua installs packages, it verifies their GitHub Artifact Attestations if they are provided and registries have settings for GitHub Artifact Attestations.

#​3117 Create GitHub Artifact Attestations of aqua

We start providing aqua's GitHub Artifact Attestations!

https://github.com/aquaproj/aqua/attestations

If you download aqua from GitHub Releases, you can verify GitHub Artifact Attestations using GitHub CLI.

https://aquaproj.github.io/docs/install#verify-downloaded-binaries-from-github-releases

Reference:

Fixes

#​3129 Redirect stdout of some commands to stderr

aqua executes some os commands to install packages.

  • go install
  • go build
  • cargo
  • cosign
  • slsa-verifier
  • minisign
  • gh attestation verify

aqua should redirect the stdout of these commands to stderr.

v2.34.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.33.0...v2.34.0

Features

#​3103 Enabling you to verify checksum files using Minisign

You can now verify checksum files using Minisign.

e.g.

        checksum:
          type: github_release
          asset: sha256.txt
          algorithm: sha256
          minisign:
            type: github_release
            asset: sha256.txt.minisig
            public_key: RWQ/i9xseZwBVE7pEniCNjlNOeeyp4BQgdZDLQcAohxEAH5Uj5DEKjv6

v2.33.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.32.0...v2.33.0

Features

#​3101 Enable you to remove go_install and http packages

You can now uninstall go_install and http packages!
Furthermore, the uninstall can now handle version_overrides properly.

v2.32.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.31.0...v2.32.0

Features

#​3075 #​3094 Support removing links from the bin directory

By default, aqua remove command removes only packages from the pkgs directory and doesn't remove links from the bin directory.
This release has added the command line option -mode to the remove command.
The value of -mode is a string containing characters l and p.
The order of the characters doesn't matter.

aqua rm -m l cli/cli # Remove only links
aqua rm -m pl cli/cli # Remove links and packages

You can also configure the mode by the environment variable AQUA_REMOVE_MODE, so you can change the default behaviour of aqua remove command by setting AQUA_REMOVE_MODE in your shell setting such as .bashrc.

export AQUA_REMOVE_MODE=pl

v2.31.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.30.0...v2.31.0

Overview

Features

#​2978 #​2994 Support verifying packages with minisign
#​3052 Support passing variables

Fixes

#​3012 Fix typo temporal. Replace them with temporary
#​3017 #​3024 Stop using replace directive

Others

Update Go 1.22.5 to 1.22.6

Feature - Support verifying packages with minisign

#​2978 #​2994

Support verifying packages with minisign.

Why is the feature needed?

To install some packages securely.
For example, zig is signed by minisign.

Example Code

This feature is similar to Cosign and slsa-verifier.

https://aquaproj.github.io/docs/reference/registry-config/cosign/

This feature depends on minisign.
So aqua should install minisign transparently same as Cosign and slsa-verifier.

registry.yaml

minisign:
  enabled: true
  public_key: "RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"
  # public_key_url: https://example/signature.pub

Feature - Support passing variables

#​3052

Add the optional field vars in aqua.yaml and Registry.

vars in Registry

e.g.

packages:
  - type: github_release
    repo_owner: indygreg
    repo_name: python-build-standalone
    asset: cpython-{{.Vars.python_version}}+{{.Version}}-{{.Arch}}-{{.OS}}-install_only.{{.Format}} # .Vars.python_version
    vars:
      - name: python_version
        required: true
    # ...

vars is a list of variables.
Fields of a variable

  • name: string (Required): A variable name
  • required: boolean (Optional): If true, the variable is required. To use the package, users need to set the variable in aqua.yaml
  • default: any (Optional): The default value of the variable

Variables are passed to template strings as .Vars.<template name>.

e.g.

asset: cpython-{{.Vars.python_version}}+{{.Version}}-{{.Arch}}-{{.OS}}-install_only.{{.Format}}

vars in aqua.yaml

e.g.

packages:
  - name: indygreg/python-build-standalone@20240726
    vars:
      python_version: 3.11.9

vars is a map of variables.
The key is a variable name and the value is a variable value.

v2.30.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.29.2...v2.30.0

Features

#​2918 #​3005 Use aqua-proxy and hard links instead of shell scripts and bat scripts on Windows

Document: https://github.com/aquaproj/aquaproj.github.io/pull/1049 https://aquaproj.github.io/docs/reference/lazy-install#on-windows

aqua doesn't use symbolic links on Windows because symbolic links have several issues on Windows.

  1. Non-administrators can't create symbolic links by default on Windows
  2. PowerShell doesn't use the final target of a symbolic link when starting a process or running a native command on Windows

aqua v2.29.2 or older used shell scripts and bat scripts instead of symbolic links and aqua-proxy.

#​885 #​892 #​893 aqua >= v1.12.0, aqua <= v2.29.2

But using shell scripts and bat scripts also had several issues.

  1. Using both shell scripts and bat scripts is confusing
  2. tools can't be executed on Nushell https://github.com/aquaproj/aqua/issues/2918#issuecomment-2223107022
  3. bat scripts can't handle signals properly https://github.com/aquaproj/aqua/issues/2918#issuecomment-2228449541

So aqua v2.30.0 or later uses hard links and aqua-proxy instead of shell scripts and bat scripts. #​2918
aqua installs aqua-proxy and creates hard links to aqua-proxy on $(aqua root-dir)/bin directory.
When aqua updates aqua-proxy, aqua recreates hard links.
From aqua v2.30.0, aqua doesn't use bat scripts so you can remove $(aqua root-dir)/bat directory and remove $(aqua root-dir)/bat from PATH.

Others

#​3004 Update slsa-verifier to v2.6.0
#​3008 Update module github.com/goccy/go-yaml to v1.12.0


Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
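
The `vars` handling from the v2.31.0 notes above, sketched in Go as an added example (not part of this PR and not aqua's own code): values from aqua.yaml are merged with the registry's `required`/`default` settings, and the asset template fails closed instead of rendering a placeholder into the file name that gets downloaded. `VarDef`, `resolveVars` and `renderAsset` are hypothetical names, and the `Version`, `Arch`, `OS` and `Format` values are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// VarDef is one entry of a registry package's `vars` list (hypothetical type).
type VarDef struct {
	Name     string
	Required bool
	Default  any
}

// resolveVars merges aqua.yaml values with registry defaults, failing on an unset required variable.
func resolveVars(defs []VarDef, user map[string]any) (map[string]any, error) {
	out := map[string]any{}
	for _, d := range defs {
		if v, ok := user[d.Name]; ok {
			out[d.Name] = v
		} else if d.Required {
			return nil, fmt.Errorf("required variable %q is not set in aqua.yaml", d.Name)
		} else if d.Default != nil {
			out[d.Name] = d.Default
		}
	}
	return out, nil
}

// renderAsset renders an asset template; missingkey=error rejects an undefined .Vars key
// instead of writing "<no value>" into the name. Ignore the string when err != nil.
func renderAsset(tpl string, data map[string]any) (string, error) {
	t, err := template.New("asset").Option("missingkey=error").Parse(tpl)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, data)
	return b.String(), err
}

func main() {
	vars, err := resolveVars([]VarDef{{Name: "python_version", Required: true}}, map[string]any{"python_version": "3.11.9"})
	if err != nil {
		panic(err)
	}
	// Constructed sample values for the built-in template fields.
	data := map[string]any{"Vars": vars, "Version": "20240726", "Arch": "x86_64", "OS": "linux", "Format": "tar.gz"}
	fmt.Println(renderAsset("cpython-{{.Vars.python_version}}+{{.Version}}-{{.Arch}}-{{.OS}}-install_only.{{.Format}}", data))
}
```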

@renovate renovate bot force-pushed the renovate/aquaproj-aqua-2.x branch from 2b54d05 to 09e8d22 Compare September 30, 2024 10:19
@renovate renovate bot force-pushed the renovate/aquaproj-aqua-2.x branch from 09e8d22 to 925a2bf Compare September 30, 2024 10:20
@renovate renovate bot merged commit e23b10b into main Sep 30, 2024
8 checks passed
@renovate renovate bot deleted the renovate/aquaproj-aqua-2.x branch September 30, 2024 13:57