updating lifecycle from 0.17.2 to 0.20.0 #1690


k8sVoodoo

Bumps github.com/buildpacks/lifecycle from 0.17.2 to 0.20.0.

lifecycle v0.20.0

Welcome to v0.20.0, a release of the Cloud Native Buildpacks Lifecycle.

Prerequisites
The lifecycle runs as a normal user in a series of unprivileged containers. To export images and cache image layers, it requires access to a Docker (compatible) daemon or an OCI registry.

Install
Extract the .tgz file and copy the lifecycle binaries into a build image. The build image can then be orchestrated by a platform implementation such as the pack CLI or tekton.

Lifecycle Image
An OCI image containing the lifecycle binaries is available at buildpacksio/lifecycle:0.20.0.

Features
The lifecycle, when encountering cache metadata for a layer that does not exist in the cache, will skip over the layer instead of failing the build (#1381 by @​joeybrown-sf)
When using Platform API 0.14 or greater, the restorer restores cached launch layers even if they are not found in the previous image (#1346 by @​pbusko)
When using Platform API 0.14 or greater, the restorer ensures read access to the run image selected by extensions (#1364 by @​pbusko)
The lifecycle surfaces the error from the registry (when it fails to verify image permissions) as an error instead of a debug message (#1376 by @​natalieparellano)
Bumps dependencies (#1375 and #1373)
Updates go to version 1.22.5
Bugfixes
The lifecycle, when populating target data for older platforms, populates OS & architecture as well as distro information (#1374 by @​natalieparellano)
Full Changelog: buildpacks/lifecycle@v0.19.7...release/0.20.0

@k8sVoodoo k8sVoodoo requested a review from a team as a code owner August 5, 2024 21:05
@k8sVoodoo
Author

We would really like the lifecycle to be updated to fix vulnerabilities. Thanks!

@tomkennedy513
Collaborator

@natalieparellano am I remembering correctly that there is a new release on the 17 line that we can move to instead of jumping to 20?

@k8sVoodoo
Author

> @natalieparellano am I remembering correctly that there is a new release on the 17 line that we can move to instead of jumping to 20?

For us specifically, for our use case, we need to have a Go vulnerability fixed in version 1.22.4, which technically updating lifecycle to 0.19.7 would fix, but I think we might as well move to 0.20.0.

@tomkennedy513
Collaborator

> > @natalieparellano am I remembering correctly that there is a new release on the 17 line that we can move to instead of jumping to 20?
>
> For us specifically, for our use case, we need to have a Go vulnerability fixed in version 1.22.4, which technically updating lifecycle to 0.19.7 would fix, but I think we might as well move to 0.20.0.

I think we were worried about some edge case where someone was using an older platform API, but we should be fine to roll forward actually.

@k8sVoodoo
Author

How do I get around this error?

go: github.com/buildpacks/lifecycle@v0.20.0: module github.com/buildpacks/lifecycle@v0.20.0 found, but does not contain package github.com/buildpacks/lifecycle

@natalieparellano
Contributor

To fix vulnerabilities I think what is most needed is #1669, which will update the lifecycle binary version. Bumping the library version is only going to pick up some newer features for rebase, which we're not yet taking advantage of because we don't support the newer platform APIs in kpack.

@k8sVoodoo
Author

> To fix vulnerabilities I think what is most needed is #1669, which will update the lifecycle binary version. Bumping the library version is only going to pick up some newer features for rebase, which we're not yet taking advantage of because we don't support the newer platform APIs in kpack.

Thanks for this and the MR that was just merged.

@k8sVoodoo k8sVoodoo closed this Aug 8, 2024
@k8sVoodoo
Author

Closing due to the above fix that was merged.
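
The distinction drawn in the thread, between the lifecycle library version a Go program links and the Go toolchain that built a shipped binary, can be checked from the build information Go embeds in every binary. This is an added example, not code from kpack or the lifecycle project; the tool name `gocheck` is hypothetical, and the `go1.22.4` minimum is the version named in the thread.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// goVersionKey maps "go1.22.5" to 1022005; a missing patch level counts as 0.
func goVersionKey(v string) (int, error) {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 {
		return 0, fmt.Errorf("unparseable Go version %q", v)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// atLeast reports whether toolchain version got is at least want.
func atLeast(got, want string) (bool, error) {
	g, err := goVersionKey(got)
	if err != nil {
		return false, err
	}
	w, err := goVersionKey(want)
	return err == nil && g >= w, err
}

// inspect returns the Go toolchain that built the binary and mod's linked version.
func inspect(path, mod string) (goVer, modVer string, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", "", err
	}
	for _, d := range info.Deps {
		if d.Path == mod {
			modVer = d.Version
		}
	}
	return info.GoVersion, modVer, nil
}

func main() { // hypothetical usage: gocheck <binary>
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary>")
		os.Exit(2)
	}
	goVer, lib, err := inspect(os.Args[1], "github.com/buildpacks/lifecycle")
	ok, cmpErr := atLeast(goVer, "go1.22.4") // minimum named in the thread
	fmt.Println("toolchain:", goVer, "lifecycle library:", lib, "ok:", ok, err, cmpErr)
}
```

Run against a binary that imports the lifecycle as a library, it reports the linked library version; run against a lifecycle binary extracted from a build image, the toolchain field is the one that decides whether the Go fix is present.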
