chore(deps): update dependency aquaproj/aqua to v2.40.0 (main)

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua	minor	v2.25.2 -> v2.40.0

---

Release Notes

aquaproj/aqua (aquaproj/aqua)

v2.40.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.39.1...v2.40.0

Features

#​3363 Support getting package versions from external files

This release enables you to get package versions from external files.
This feature is useful when:

• Migrate any tool to aqua gradually
• Support aqua and other tools

This release adds some fields to aqua.yaml's packages.

• version_expr: An expr expression to read external files
• version_expr_prefix: A prefix of version

e.g.

packages:
- name: hashicorp/terraform
  version_expr: |
    "v" + readFile('.terraform-version')

  version_expr: |
    readJSON('version.json').version
  version_expr_prefix: cli-

  version_expr: |
    readYAML('version.yaml').version

version_expr is evaluated using expr.
The following custom functions are available.

• readFile("file path"): reads a file and returns a file content
• readJSON("file path"): read and unmarshal a JSON file and returns an object
• readYAML("file path"): read and unmarshal a YAML file and returns an object

⚠️ Constraint of version_expr

Allowing to read external files is potentially risky in terms of security.
Malicious users can try to read secret files and expose secrets via log using version_expr.
To prevent such a threat, we restrict the evaluation result of version_expr.
It must match with the regular expression ^v?\d+\.\d+(\.\d+)*[.-]?((alpha|beta|dev|rc)[.-]?)?\d*.

v2.39.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.39.0...v2.39.1

Fixes

#​3365 cargo: Normalize the install path of cargo packages

Others

#​3361 Refactor reading config

v2.39.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.38.4...v2.39.0

Features

#​3354 policy: add a code comment for YAML Language Servers to a generated file aqua-policy.yaml

### yaml-language-server: $schema=https://raw.githubusercontent.com/aquaproj/aqua/main/json-schema/policy.json

#​3352 init: Add a code comment for YAML Language Servers to a generated file aqua.yaml

### yaml-language-server: $schema=https://raw.githubusercontent.com/aquaproj/aqua/main/json-schema/aqua-yaml.json

These code comments are useful when you edit files with editors such as VSCode.

v2.38.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.38.3...v2.38.4

Bug Fixes

#​3337 generate-registry: Fix a bug that unused replacements are added

v2.38.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.38.2...v2.38.3

Bug Fixes

#​3325 #​3333 Fix a bug that aqua g -i removes comments from packages

v2.38.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.38.1...v2.38.2

🐛 Bug Fixes

#​3307 generate-registry: Fix a bug that description isn't formatted

v2.38.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.38.0...v2.38.1

Fixes

#​3297 completion: Improve the completion settings suggested in aqua completion --help @​akinomyoga

v2.38.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.37.2...v2.38.0

Features

#​3269 Get available versions from Go Module Proxy

https://aquaproj.github.io/docs/reference/registry-config/go-version-path

This release adds the new field go_version_path to registries.

e.g.

packages:
  - name: _go/sigsum.org/sigsum-go#cmd/sigsum-key
    type: go_install
    path: sigsum.org/sigsum-go/cmd/sigsum-key
    go_version_path: sigsum.org/sigsum-go

If this field is set, aqua g and aqua up commands gets available versions from Go Module Proxy.

v2.37.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.37.1...v2.37.2

Fixes

#​3233 which, exec: Search configuration files even if AQUA_CONFIG is set

v2.37.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.37.0...v2.37.1

Bug Fixes

#​3226 #​584 Fix a bug that newlines in aqua.yaml are removed when updating aqua.yaml by aqua g -i and aqua up

This issue came from the bug of goccy/go-yaml. https://github.com/goccy/go-yaml/issues/285
The issue was solved at goccy/go-yaml 1.13.3.
So we updated goccy/go-yaml to 1.13.3 and solve the issue.

v2.37.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.36.2...v2.37.0

Features

#​3224 Allow to set command aliases in aqua.yaml

You can now define command aliases in aqua.yaml.
This is useful to use multiple versions of the same package.

e.g.

registries:
- type: standard
  ref: v4.246.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: hashicorp/terraform@v1.9.8
- name: hashicorp/terraform
  version: v0.13.7
  command_aliases:
    - command: terraform
      alias: terraform-013

##### no_link: true

Then you can run terraform (v1.9.8) and terraform-013 (v0.13.7).

$ terraform version
Terraform v1.9.8
on darwin_arm64

$ terraform-013 version
Terraform v0.13.7

Your version of Terraform is out of date! The latest version
is 1.9.8. You can update by downloading from https://www.terraform.io/downloads.html

You can skip creating symbolic links for aliases by no_link: true

  command_aliases:
    - command: terraform
      alias: terraform-013
      no_link: true

You can still run aliases via aqua exec.

aqua exec -- terraform-013 version

v2.36.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.36.1...v2.36.2

Bug Fixes

#​3193 #​3194 Fix a bug that vars are not replaced in files[].src

v2.36.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.36.0...v2.36.1

Fixes

#​3146 generate-registry: Remove rosetta2 and windows_arm_emulation if {{.Arch}} isn't included in asset

Dependency updates

#​3148 Update aqua-proxy to 1.2.8
#​3149 Update Go to 1.23.2

v2.36.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.35.0...v2.36.0

Features

#​3130 #​3134 support changing $0 by symlink

Some tools change their behavior by $0.

For example, granted changes the behavior based on args[0].

https://github.com/common-fate/granted/blob/e8de3ec7d62d543062d8be802b27abb3d8fac429/cmd/granted/main.go#L37-L44

	// Use a single binary to keep keychain ACLs simple, swapping behavior via argv[0]
	var app *cli.App
	switch filepath.Base(os.Args[0]) {
	case "assumego", "assumego.exe", "dassumego", "dassumego.exe":
		app = assume.GetCliApp()
	default:
		app = granted.GetCliApp()
	}

This release supports changing $0 by symlink.

        files:
          - name: granted
          - name: assumego
            src: granted
            link: assumego # link is the relative path from src to the symlink

Bug Fixes

#​3136 #​3137 remove: Handle panic error when package is not found @​Shion1305
#​3138 remove: Ignore not found commands

v2.35.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.34.0...v2.35.0

Features

#​3119 #​3131 Verify packages' GitHub Artifact Attestations

When aqua installs packages, it verifies their GitHub Artifact Attestations if they are provided and registries have settings for GitHub Artifact Attestations.

#​3117 Create GitHub Artifact Attestations of aqua

We start providing aqua's GitHub Artifact Attestations!

https://github.com/aquaproj/aqua/attestations

If you download aqua from GitHub Releases, you can verify GitHub Artifact Attestations using GitHub CLI.

https://aquaproj.github.io/docs/install#verify-downloaded-binaries-from-github-releases

Reference:

• https://aquaproj.github.io/docs/reference/security/github-artifact-attestations
• https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds

Fixes

#​3129 Redirect stdout of some commands to stderr

aqua executes some os commands to install packages.

• go install
• go build
• cargo
• cosign
• slsa-verifier
• minisign
• gh attestation verify

aqua should redirect the stdout of these commands to stderr.

v2.34.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.33.0...v2.34.0

Features

#​3103 Enabling you to verify checksum files using Minisign

You can now verify checksum files using Minisign.

e.g.

        checksum:
          type: github_release
          asset: sha256.txt
          algorithm: sha256
          minisign:
            type: github_release
            asset: sha256.txt.minisig
            public_key: RWQ/i9xseZwBVE7pEniCNjlNOeeyp4BQgdZDLQcAohxEAH5Uj5DEKjv6

v2.33.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.32.0...v2.33.0

Features

#​3101 Enable you to remove go_install and http packages

You can now uninstall go_install and http packages!
Furthermore, the uninstall can now handles version_overrides properly.

v2.32.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.31.0...v2.32.0

Features

#​3075 #​3094 Support removing links from the bin directory

By default, aqua remove command removes only packages from the pkgs directory and doesn't remove links from the bin directory.
This release has added the command line option -mode to the remove command.
The value of -mode is a string containing characters l and p.
The order of the characters doesn't matter.

aqua rm -m l cli/cli # Remove only links
aqua rm -m pl cli/cli # Remove links and packages

You can also configure the mode by the environment variable AQUA_REMOVE_MODE, so you can change the default behaviour of aqua remove command by setting AQUA_REMOVE_MODE in your shell setting such as .bashrc.

export AQUA_REMOVE_MODE=pl

v2.31.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.30.0...v2.31.0

Overview

Featuers

#​2978 #​2994 Support verifying packages with minisign
#​3052 Support passing variables

Fixes

#​3012 Fix typo temporal. Replace them with temporary
#​3017 #​3024 Stop using replace directive

Others

Update Go 1.22.5 to 1.22.6

Feature - Support verifying packages with minisign

#​2978 #​2994

Support verifying packages with minisign.

Why is the feature needed?

To install some packages securely.
For example, zig is signed by minisign.

Example Code

This feature is similar to Cosign and slsa-verifier.

https://aquaproj.github.io/docs/reference/registry-config/cosign/

This feature depends on minisign.
So aqua should install minisign transparently same as Cosign and slsa-verifier.

registry.yaml

minisign:
  enabled: true
  public_key: "RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"

##### public_key_url: https://example/signature.pub

Feature - Support passing variables

#​3052

Add the optional field vars in aqua.yaml and Registry.

vars in Registry

e.g.

packages:
  - type: github_release
    repo_owner: indygreg
    repo_name: python-build-standalone
    asset: cpython-{{.Vars.python_version}}+{{.Version}}-{{.Arch}}-{{.OS}}-install_only.{{.Format}} # .Vars.python_version
    vars:
      - name: python_version
        required: true

##### ...

vars is a list of variables.
Fields of a variable

• name: string (Required): A variable name
• required: boolean (Optional): If true, the variable is required. To use the package, users need to set the variable in aqua.yaml
• default: any (Optional): The default value of the variable

Variables are passed to template strings as .Vars.<template name>.

e.g.

asset: cpython-{{.Vars.python_version}}+{{.Version}}-{{.Arch}}-{{.OS}}-install_only.{{.Format}}

vars in aqua.yaml

e.g.

packages:
  - name: indygreg/python-build-standalone@20240726
    vars:
      python_version: 3.11.9

vars is a map of variables.
The key is a variable name and the value is a variable value.

v2.30.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.29.2...v2.30.0

Features

#​2918 #​3005 Use aqua-proxy and hard links instead of shell scripts and bat scripts on Windows

Document: https://github.com/aquaproj/aquaproj.github.io/pull/1049 https://aquaproj.github.io/docs/reference/lazy-install#on-windows

aqua doesn't use symbolic links on Windows because symbolic links have several issues on Windows.

1. Non-administrators can't create symbolic links by default on Windows
2. PowerShell doesn't use the final target of a symbolic link when starting a process or running a native command on Windows

aqua v2.29.2 or older used shell scripts and bat scripts instead of symbolic links and aqua-proxy.

#​885 #​892 #​893 aqua >= v1.12.0, aqua <= v2.29.2

But using shell scripts and bat scripts also had several issues.

1. Using both shell scripts and bat scripts is confusing
2. tools can't be executed on Nushell https://github.com/aquaproj/aqua/issues/2918#issuecomment-2223107022
3. bat scripts can't handle signals properly https://github.com/aquaproj/aqua/issues/2918#issuecomment-2228449541

So aqua v2.30.0 or later uses hard links and aqua-proxy instead of shell scripts and bat scripts. #​2918
aqua installs aqua-proxy and creates hard links to aqua-proxy on $(aqua root-dir)/bin directory.
When aqua updates aqua-proxy, aqua recreates hard links.
From aqua v2.30.0, aqua doesn't use bat scripts so you can remove $(aqua root-dir)/bat directory and remove $(aqua root-dir)/bat from PATH.

Others

#​3004 Update slsa-verifier to v2.6.0
#​3008 Update module github.com/goccy/go-yaml to v1.12.0

v2.29.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.29.1...v2.29.2

Bug Fixes

#​3001 Fix checksums of Cosign

Fixed a bug of aqua v2.29.1

v2.29.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.29.0...v2.29.1

Features

#​2965 list: Add an alias of command line option -installed

aqua list -i

Fixes

#​2981 Fix a bug that the shell completion of specific tools doesn't work

For detail, please see the following issues and pull request.

• https://github.com/lintnet/lintnet/issues/528#issuecomment-2192810380
• https://github.com/urfave/cli/issues/1932
• https://github.com/urfave/cli/pull/1938

Others

Update Go to 1.22.5

v2.29.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.28.1...v2.29.0

Features

#​2929 Support fish completion

Added a sub command aqua completion fish, which outputs scripts for fish completion

You can source the output to enable the completion.

aqua completion fish | source

Or you can write the output to a file.

https://fishshell.com/docs/current/completions.html#where-to-put-completions

aqua completion fish > ~/.config/fish/completions/aqua.fish

v2.28.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.28.0...v2.28.1

Bug Fixes

#​2904 generate: Fix a bug that aqua g -i fails if aqua.yaml doesn't have the field packages
#​2902 info: Fix a bug that user names aren't masked on Windows @​sapphi-red

v2.28.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.4...v2.28.0

Features

#​2609 #​2730 #​2632 Support getting a package version from go directive in go.mod or go.work

From Go 1.21, the version of Go is decided by go directive in go.mod or go.work.

https://go.dev/doc/toolchain

e.g.

module github.com/aquaproj/aqua/v2

go 1.22.3

This can cause an issue that the version of Go may be different from the version defined in aqua.yaml.
And we need to define go version in two places.

To solve the issue, this pull request enables aqua to get the version of go from go directive in go.mod or go.work.
You can specify the path to go.mod or go.work by a field go_version_file.

e.g.

packages:
- name: golang/go
  go_version_file: go.mod

Then you can define go version only in go.mod or go.work.

[!CAUTION]
The version of Go must be a semver x.y.z.
You can't omit a patch version.

#​2880 Ignore invalid packages and continue working

When reading aqua.yaml, aqua ignores invalid packages and continues working.
This improves the robustness.

v2.27.4

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.3...v2.27.4

Bug Fixes

#​2144 #​2510 #​2871 Fix a bug that update-aqua fails on Windows

Others

Update Go 1.22.2 to 1.22.3

v2.27.3

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.2...v2.27.3

Bug Fixes

#​2833 #​2834 Fix a bug that a checksum id of go_build type package is empty

aqua-checksums.json

    {
      "id": "",
      "checksum": "C4D72E482B85570A1A73776EEF47E993B5F8FA6C204E0B1CAA794E4DF4F13521",
      "algorithm": "sha256"
    }

v2.27.2

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.1...v2.27.2

Bug Fixes

#​2830 Improve handling of broken registry JSON files

When aqua reads Standard Registry and github_content Registries, aqua converts them to JSON once and saves them.
And aqua reads JSON files instead of YAML files from the next time.
This improves the performance a bit. #​2517

But if a JSON file got broken, aqua got not working.
In that case, you had to remove the file yourself.

This issue rarely occurs, but this release resolves it.
If a JSON file gets broken, aqua removes and recreates the file.
So aqua continues working and you don't have to remove the file yourself.

v2.27.1

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.27.0...v2.27.1

Others

#​2824 #​2825 Generate shell completion on brew install @​ryota2357

ref. https://github.com/aquaproj/homebrew-aqua/blob/c4731da7c66a797e93b5efbcc5340b39f86f559b/aqua.rb#L19

⚠️ To enable shell completion, you have to configure FPATH and so on.

#​2809 chore: update aqua-proy to v1.2.6

🎉 New Contributors

Thank you for your contribution!

@​ryota2357 #​2825

v2.27.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.26.0...v2.27.0

Features

#​2702 #​2806 checksum: Support enforcing checksum verification via environment variables

You can enforce checksum verification by environment variables AQUA_ENFORCE_CHECKSUM and AQUA_ENFORCE_REQUIRE_CHECKSUM.

export AQUA_ENFORCE_CHECKSUM=true
export AQUA_ENFORCE_REQUIRE_CHECKSUM=true

This is useful for both CI and local development.

Checksum verification is disabled by default, and you can disable checksum verification by setting.
If you manage a Monorepo and want to make checksum verification mandatory in CI, you can set these environment variables in CI. Then checksum verification is enabled regardless of the setting of aqua.yaml.

And if you want to enforce checksum verification on your laptop, you can set these environment variables in your shell configuration files such as .bashrc and .zshrc.

v2.26.0

Compare Source

Pull Requests | Issues | aquaproj/aqua@v2.25.2...v2.26.0

Features

#​2782 #​2804 generate: add -g option to add packages to a global configuration file

e.g.

$ aqua g -g cli/cli

You can add packages to a global configuration file with -g and -i option.

e.g.

$ aqua g -g -i cli/cli

If there are multiple global configuration files, a first global configuration file is used.

Others

#​2803 Update the help message of remove command

Note that this command remove files from AQUA_ROOT_DIR/pkgs, but doesn't remove packages from aqua.yaml and doesn't remove files from AQUA_ROOT_DIR/bin and AQUA_ROOT_DIR/bat.

---

Configuration

📅 Schedule: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.