Merge pull request #88 from chainguard-dev/create-pull-request/patch

Export mono/sdk: refs/heads/main

Author: cmdpdx

go.mod

@@ -3,15 +3,15 @@ module chainguard.dev/sdk
 go 1.24.0
 
 require (
-	chainguard.dev/apko v0.25.3
-	chainguard.dev/go-grpc-kit v0.17.7
+	chainguard.dev/apko v0.25.4
+	chainguard.dev/go-grpc-kit v0.17.8
 	chainguard.dev/go-oidctest v0.4.0
 	cloud.google.com/go/compute/metadata v0.6.0
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/bits-and-blooms/bitset v1.22.0
 	github.com/chainguard-dev/clog v1.7.0
 	github.com/cloudevents/sdk-go/v2 v2.15.2
-	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/coreos/go-oidc/v3 v3.13.0
 	github.com/go-jose/go-jose/v4 v4.0.5
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.20.4-0.20250225234217-098045d5e61f
@@ -22,7 +22,7 @@ require (
 	github.com/sigstore/sigstore v1.9.1
 	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
 	golang.org/x/oauth2 v0.28.0
-	google.golang.org/api v0.225.0
+	google.golang.org/api v0.226.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
 	google.golang.org/grpc v1.71.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
@@ -44,7 +44,7 @@ require (
 	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/docker/cli v28.0.1+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.9.2 // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect

go.sum

@@ -1,7 +1,7 @@
-chainguard.dev/apko v0.25.3 h1:wN8Ki/2s++XwK4E19x6MW1PIWq0I9j5gdZsVlp2NYBQ=
-chainguard.dev/apko v0.25.3/go.mod h1:4i/zhP74WpHcGV8t9bQCueokNY27M9QRtocELa3aG8Y=
-chainguard.dev/go-grpc-kit v0.17.7 h1:TqHua7er5k8m6WM96y0Tm7IoLLkuZ5vh3+5SR1gruKg=
-chainguard.dev/go-grpc-kit v0.17.7/go.mod h1:JroMzTY9mdhKe/bvtyChgfECaNh80+bMZH3HS+TGXHw=
+chainguard.dev/apko v0.25.4 h1:QFFCD7QR3q9AT5H+/ZCXQReCNN0CgRn1mkOq1T+FZfQ=
+chainguard.dev/apko v0.25.4/go.mod h1:1xdjg538oPqb7VCiDMc4IlNtS5gRfpJqv2VIveR6wIo=
+chainguard.dev/go-grpc-kit v0.17.8 h1:w8jqj6bO6nPqOcv+VCARfPJThsS+5c05a7yWaW4nbzY=
+chainguard.dev/go-grpc-kit v0.17.8/go.mod h1:8Z+6T39iFdTnkaO1zHdnN3e5gjA9W1HdCzwytDy4aPM=
 chainguard.dev/go-oidctest v0.4.0 h1:B9YTfoa1WtsrEg0wnFeSP7i9tth0LO+GICm2j8HOgWI=
 chainguard.dev/go-oidctest v0.4.0/go.mod h1:IIic4S3je1I7Acy3bqPtaSPefGEsQDzUp7NJF35MPV4=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -46,8 +46,8 @@ github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
 github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
-github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
+github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -56,8 +56,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/cli v28.0.1+incompatible h1:g0h5NQNda3/CxIsaZfH4Tyf6vpxFth7PYl3hgCPOKzs=
 github.com/docker/cli v28.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker-credential-helpers v0.9.2 h1:50JF7ADQiHdAVBRtg/vy883Y4U5+5GmPOBNtUU+X+6A=
-github.com/docker/docker-credential-helpers v0.9.2/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
+github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
+github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -329,8 +329,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.225.0 h1:+4/IVqBQm0MV5S+JW3kdEGC1WtOmM2mXN1LKH1LdNlw=
-google.golang.org/api v0.225.0/go.mod h1:WP/0Xm4LVvMOCldfvOISnWquSRWbG2kArDZcg+W2DbY=
+google.golang.org/api v0.226.0 h1:9A29y1XUD+YRXfnHkO66KggxHBZWg9LsTGqm7TkUvtQ=
+google.golang.org/api v0.226.0/go.mod h1:WP/0Xm4LVvMOCldfvOISnWquSRWbG2kArDZcg+W2DbY=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=

proto/capabilities/capabilities.go

@@ -30,9 +30,16 @@ var (
 
 	// Map of Capability to result of Bitify(). Set in initBitifyMap().
 	bitifiedMap = make(map[Capability]uint32, len(Capability_value))
-	bitifyOnce  sync.Once
+	// Sorted list of {bit, cap} so we can skip sorting in UnmarshalJSON.
+	bitCaps    = make([]bitcap, 0, len(Capability_value))
+	bitifyOnce sync.Once
 )
 
+type bitcap struct {
+	bit uint32
+	cap Capability
+}
+
 // We can't do this in init() because init() ordering is hard.
 func initBitifyMap() {
 	for i := range Capability_name {
@@ -47,7 +54,12 @@ func initBitifyMap() {
 		}
 
 		bitifiedMap[capability] = bit
+		bitCaps = append(bitCaps, bitcap{bit, capability})
 	}
+
+	sort.Slice(bitCaps, func(i int, j int) bool {
+		return bitCaps[i].cap < bitCaps[j].cap
+	})
 }
 
 // Names returns a slice of all capabilities Stringify'd, sans UNKNOWN.
@@ -214,17 +226,18 @@ func (s *Set) UnmarshalJSON(b []byte) error {
 		if err := json.Unmarshal(b, &bs); err != nil {
 			return err
 		}
-		for capability, bit := range bitifiedMap {
-			if bs.Test(uint(bit)) {
-				*s = append(*s, capability)
+
+		*s = make([]Capability, 0, bs.Count())
+
+		for _, bitcap := range bitCaps {
+			if bs.Test(uint(bitcap.bit)) {
+				*s = append(*s, bitcap.cap)
 				// This ensures that our unit testing checks that no two
 				// enumeration values are assigned the same bit.
-				bs.Clear(uint(bit))
+				bs.Clear(uint(bitcap.bit))
 			}
 		}
-		sort.Slice(*s, func(i int, j int) bool {
-			return (*s)[i] < (*s)[j]
-		})
+
 		return nil
 	}
 }

proto/capabilities/capabilities_test.go

@@ -163,3 +163,44 @@ func TestEncoding(t *testing.T) {
 		})
 	}
 }
+
+func BenchmarkUnmarshal(b *testing.B) {
+	caps := Set{
+		Capability_CAP_IAM_GROUPS_LIST,
+
+		Capability_CAP_REPO_LIST,
+		Capability_CAP_MANIFEST_LIST,
+		Capability_CAP_TAG_LIST,
+		Capability_CAP_MANIFEST_METADATA_LIST,
+
+		Capability_CAP_TENANT_RECORD_SIGNATURES_LIST,
+		Capability_CAP_TENANT_SBOMS_LIST,
+		Capability_CAP_TENANT_VULN_REPORTS_LIST,
+
+		Capability_CAP_REPO_CREATE,
+		Capability_CAP_REPO_UPDATE,
+		Capability_CAP_REPO_DELETE,
+
+		Capability_CAP_MANIFEST_CREATE,
+		Capability_CAP_MANIFEST_UPDATE,
+		Capability_CAP_MANIFEST_DELETE,
+
+		Capability_CAP_TAG_CREATE,
+		Capability_CAP_TAG_UPDATE,
+		Capability_CAP_TAG_DELETE,
+
+		// To create nested groups as needed on push.
+		Capability_CAP_IAM_GROUPS_CREATE,
+	}
+	raw, err := json.Marshal(caps)
+	if err != nil {
+		b.Fatalf("json.Marshal() = %v", err)
+	}
+
+	for b.Loop() {
+		var got Set
+		if err := json.Unmarshal(raw, &got); err != nil {
+			b.Fatalf("json.Unmarshal() = %v", err)
+		}
+	}
+}

proto/platform/registry/v1/clients.go

@@ -21,6 +21,7 @@ type Clients interface {
 	Registry() RegistryClient
 	Vulnerabilities() VulnerabilitiesClient
 	Apko() ApkoClient
+	Entitlements() EntitlementsClient
 
 	Close() error
 }
@@ -49,6 +50,7 @@ func NewClients(ctx context.Context, addr string, token string) (Clients, error)
 		registry:        NewRegistryClient(conn),
 		vulnerabilities: NewVulnerabilitiesClient(conn),
 		apko:            NewApkoClient(conn),
+		entitlements:    NewEntitlementsClient(conn),
 
 		conn: conn,
 	}, nil
@@ -59,6 +61,7 @@ func NewClientsFromConnection(conn *grpc.ClientConn) Clients {
 		registry:        NewRegistryClient(conn),
 		vulnerabilities: NewVulnerabilitiesClient(conn),
 		apko:            NewApkoClient(conn),
+		entitlements:    NewEntitlementsClient(conn),
 		// conn is not set, this client struct does not own closing it.
 	}
 }
@@ -67,6 +70,7 @@ type clients struct {
 	registry        RegistryClient
 	vulnerabilities VulnerabilitiesClient
 	apko            ApkoClient
+	entitlements    EntitlementsClient
 
 	conn *grpc.ClientConn
 }
@@ -83,6 +87,10 @@ func (c *clients) Apko() ApkoClient {
 	return c.apko
 }
 
+func (c *clients) Entitlements() EntitlementsClient {
+	return c.entitlements
+}
+
 func (c *clients) Close() error {
 	if c.conn != nil {
 		return c.conn.Close()