Sync: dummy PR: SetRejectInsecure close me

.cirrus.yml

@@ -35,7 +35,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20250812t173301z-f42f41d13"
+    IMAGE_SUFFIX: "c20250910t092246z-f42f41d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
@@ -124,7 +124,7 @@ vendor_task:
 
     # Runs within Cirrus's "community cluster"
     container:
-        image: docker.io/library/golang:1.23.3
+        image: docker.io/library/golang:1.24.2
         cpu: 1
         memory: 1
 

buildah.go

@@ -132,8 +132,8 @@ type Builder struct {
 	ImageHistoryComment string `json:"history-comment,omitempty"`
 
 	// Image metadata and runtime settings, in multiple formats.
-	OCIv1  v1.Image       `json:"ociv1,omitempty"`
-	Docker docker.V2Image `json:"docker,omitempty"`
+	OCIv1  v1.Image       `json:"ociv1"`
+	Docker docker.V2Image `json:"docker"`
 	// DefaultMountsFilePath is the file path holding the mounts to be mounted in "host-path:container-path" format.
 	DefaultMountsFilePath string `json:"defaultMountsFilePath,omitempty"`
 

chroot/run_common.go

@@ -12,6 +12,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -743,6 +744,15 @@ func runUsingChrootExecMain() {
 		os.Exit(1)
 	}
 
+	// Set $PATH to the value for the container, so that when args[0] is not an absolute path,
+	// exec.Command() can find it using exec.LookPath().
+	for _, env := range slices.Backward(options.Spec.Process.Env) {
+		if val, ok := strings.CutPrefix(env, "PATH="); ok {
+			os.Setenv("PATH", val)
+			break
+		}
+	}
+
 	// Actually run the specified command.
 	cmd := exec.Command(args[0], args[1:]...)
 	setPdeathsig(cmd)

cmd/buildah/containers.go

@@ -277,8 +277,8 @@ func containerOutputHeader(truncate bool) {
 
 func parseCtrFilter(filter string) (*containerFilterParams, error) {
 	params := new(containerFilterParams)
-	filters := strings.Split(filter, ",")
-	for _, param := range filters {
+	filters := strings.SplitSeq(filter, ",")
+	for param := range filters {
 		pair := strings.SplitN(param, "=", 2)
 		if len(pair) != 2 {
 			return nil, fmt.Errorf("incorrect filter value %q, should be of form filter=value", param)

copier/copier.go

@@ -162,13 +162,13 @@ type request struct {
 	preservedDirectory       string
 	Globs                    []string `json:",omitempty"` // used by stat, get
 	preservedGlobs           []string
-	StatOptions              StatOptions              `json:",omitempty"`
-	GetOptions               GetOptions               `json:",omitempty"`
-	PutOptions               PutOptions               `json:",omitempty"`
-	MkdirOptions             MkdirOptions             `json:",omitempty"`
-	RemoveOptions            RemoveOptions            `json:",omitempty"`
-	EnsureOptions            EnsureOptions            `json:",omitempty"`
-	ConditionalRemoveOptions ConditionalRemoveOptions `json:",omitempty"`
+	StatOptions              StatOptions
+	GetOptions               GetOptions
+	PutOptions               PutOptions
+	MkdirOptions             MkdirOptions
+	RemoveOptions            RemoveOptions
+	EnsureOptions            EnsureOptions
+	ConditionalRemoveOptions ConditionalRemoveOptions
 }
 
 func (req *request) Excludes() []string {
@@ -248,15 +248,15 @@ func (req *request) GIDMap() []idtools.IDMap {
 
 // Response encodes a single response.
 type response struct {
-	Error             string                    `json:",omitempty"`
-	Stat              statResponse              `json:",omitempty"`
-	Eval              evalResponse              `json:",omitempty"`
-	Get               getResponse               `json:",omitempty"`
-	Put               putResponse               `json:",omitempty"`
-	Mkdir             mkdirResponse             `json:",omitempty"`
-	Remove            removeResponse            `json:",omitempty"`
-	Ensure            ensureResponse            `json:",omitempty"`
-	ConditionalRemove conditionalRemoveResponse `json:",omitempty"`
+	Error             string `json:",omitempty"`
+	Stat              statResponse
+	Eval              evalResponse
+	Get               getResponse
+	Put               putResponse
+	Mkdir             mkdirResponse
+	Remove            removeResponse
+	Ensure            ensureResponse
+	ConditionalRemove conditionalRemoveResponse
 }
 
 // statResponse encodes a response for a single Stat request.
@@ -801,7 +801,7 @@ func copierWithSubprocess(bulkReader io.Reader, bulkWriter io.Writer, req reques
 	}
 	loggedOutput := strings.TrimSuffix(errorBuffer.String(), "\n")
 	if len(loggedOutput) > 0 {
-		for _, output := range strings.Split(loggedOutput, "\n") {
+		for output := range strings.SplitSeq(loggedOutput, "\n") {
 			logrus.Debug(output)
 		}
 	}
@@ -1588,8 +1588,8 @@ func mapWithPrefixedKeysWithoutKeyPrefix[K any](m map[string]K, p string) map[st
 	}
 	cloned := make(map[string]K, len(m))
 	for k, v := range m {
-		if strings.HasPrefix(k, p) {
-			cloned[strings.TrimPrefix(k, p)] = v
+		if after, ok := strings.CutPrefix(k, p); ok {
+			cloned[after] = v
 		}
 	}
 	return cloned
@@ -1819,7 +1819,7 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
 			return fmt.Errorf("%q is not a subdirectory of %q: %w", directory, req.Root, err)
 		}
 		subdir := ""
-		for _, component := range strings.Split(rel, string(os.PathSeparator)) {
+		for component := range strings.SplitSeq(rel, string(os.PathSeparator)) {
 			subdir = filepath.Join(subdir, component)
 			path := filepath.Join(req.Root, subdir)
 			if err := os.Mkdir(path, 0o700); err == nil {
@@ -2187,7 +2187,7 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
 }
 
 func copierHandlerMkdir(req request, idMappings *idtools.IDMappings) (*response, func() error, error) {
-	errorResponse := func(fmtspec string, args ...any) (*response, func() error, error) {
+	errorResponse := func(fmtspec string, args ...any) (*response, func() error, error) { //nolint:unparam
 		return &response{Error: fmt.Sprintf(fmtspec, args...), Mkdir: mkdirResponse{}}, nil, nil
 	}
 	dirUID, dirGID := 0, 0
@@ -2219,7 +2219,7 @@ func copierHandlerMkdir(req request, idMappings *idtools.IDMappings) (*response,
 
 	subdir := ""
 	var created []string
-	for _, component := range strings.Split(rel, string(os.PathSeparator)) {
+	for component := range strings.SplitSeq(rel, string(os.PathSeparator)) {
 		subdir = filepath.Join(subdir, component)
 		path := filepath.Join(req.Root, subdir)
 		if err := os.Mkdir(path, 0o700); err == nil {

copier/xattrs.go

@@ -65,7 +65,7 @@ func Lgetxattrs(path string) (map[string]string, error) {
 		return nil, fmt.Errorf("unable to read list of attributes for %q: size would have been too big", path)
 	}
 	m := make(map[string]string)
-	for _, attribute := range strings.Split(string(list), string('\000')) {
+	for attribute := range strings.SplitSeq(string(list), string('\000')) {
 		if isRelevantXattr(attribute) {
 			attributeSize := initialXattrValueSize
 			var attributeValue []byte

docker/types.go

@@ -124,7 +124,7 @@ type V1Compatibility struct {
 	Created         time.Time `json:"created"`
 	ContainerConfig struct {
 		Cmd []string
-	} `json:"container_config,omitempty"`
+	} `json:"container_config"`
 	Author    string `json:"author,omitempty"`
 	ThrowAway bool   `json:"throwaway,omitempty"`
 }
@@ -143,7 +143,7 @@ type V1Image struct {
 	// Container is the id of the container used to commit
 	Container string `json:"container,omitempty"`
 	// ContainerConfig is the configuration of the container that is committed into the image
-	ContainerConfig Config `json:"container_config,omitempty"`
+	ContainerConfig Config `json:"container_config"`
 	// DockerVersion specifies the version of Docker that was used to build the image
 	DockerVersion string `json:"docker_version,omitempty"`
 	// Author is the name of the author that was specified when committing the image

go.mod

@@ -2,7 +2,7 @@ module github.com/containers/buildah
 
 // Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates
 
-go 1.23.3
+go 1.24.2
 
 require (
 	github.com/containerd/platforms v1.0.0-rc.1
@@ -11,36 +11,36 @@ require (
 	github.com/containers/ocicrypt v1.2.1
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v28.3.3+incompatible
+	github.com/docker/docker v28.4.0+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0
-	github.com/fsouza/go-dockerclient v1.12.1
+	github.com/fsouza/go-dockerclient v1.12.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mattn/go-shellwords v1.0.12
-	github.com/moby/buildkit v0.23.2
+	github.com/moby/buildkit v0.24.0
 	github.com/moby/sys/capability v0.4.0
 	github.com/moby/sys/userns v0.1.0
-	github.com/opencontainers/cgroups v0.0.4
+	github.com/opencontainers/cgroups v0.0.5
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/opencontainers/runc v1.3.0
+	github.com/opencontainers/runc v1.3.1
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2
 	github.com/opencontainers/selinux v1.12.0
 	github.com/openshift/imagebuilder v1.2.17
 	github.com/seccomp/libseccomp-golang v0.11.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.10.1
-	github.com/spf13/pflag v1.0.9
+	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	go.etcd.io/bbolt v1.4.3
-	go.podman.io/common v0.0.0-20250826054041-6e4bed3c9118
-	go.podman.io/image/v5 v5.36.1-0.20250820085751-a13b38f45723
-	go.podman.io/storage v1.59.1-0.20250820085751-a13b38f45723
-	golang.org/x/crypto v0.41.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/sys v0.35.0
-	golang.org/x/term v0.34.0
+	go.podman.io/common v0.65.1-0.20250916163606-92222dcd3da4
+	go.podman.io/image/v5 v5.37.1-0.20250916163606-92222dcd3da4
+	go.podman.io/storage v1.60.1-0.20250916163606-92222dcd3da4
+	golang.org/x/crypto v0.42.0
+	golang.org/x/sync v0.17.0
+	golang.org/x/sys v0.36.0
+	golang.org/x/term v0.35.0
 	tags.cncf.io/container-device-interface v1.0.1
 )
 
@@ -58,7 +58,7 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/containernetworking/plugins v1.7.1 // indirect
+	github.com/containernetworking/plugins v1.8.0 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
@@ -74,7 +74,7 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/go-containerregistry v0.20.3 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
@@ -106,35 +106,40 @@ require (
 	github.com/proglottis/gpgme v0.1.5 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
-	github.com/sigstore/fulcio v1.6.6 // indirect
+	github.com/sigstore/fulcio v1.7.1 // indirect
 	github.com/sigstore/protobuf-specs v0.4.1 // indirect
 	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/smallstep/pkcs7 v0.1.1 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
-	github.com/sylabs/sif/v2 v2.21.1 // indirect
+	github.com/sylabs/sif/v2 v2.22.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/vbauerster/mpb/v8 v8.10.2 // indirect
 	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/grpc v1.72.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
 )
+
+replace go.podman.io/common => github.com/flouthoc/container-libs/common v0.0.0-20250925194119-a9e3e4c00d13
+
+replace go.podman.io/storage => github.com/flouthoc/container-libs/storage v0.0.0-20250925194119-a9e3e4c00d13
+
+replace go.podman.io/image/v5 => github.com/flouthoc/container-libs/image/v5 v5.0.0-20250925194119-a9e3e4c00d13