Skip to content

packages: wolfi import batch 5 — 10 CLI tools (dive, restic, gitleaks, sccache, …)#371

Open
bryan-minimal wants to merge 3 commits into
mainfrom
add-wolfi-imports-batch5-cli
Open

packages: wolfi import batch 5 — 10 CLI tools (dive, restic, gitleaks, sccache, …)#371
bryan-minimal wants to merge 3 commits into
mainfrom
add-wolfi-imports-batch5-cli

Conversation

@bryan-minimal

@bryan-minimal bryan-minimal commented Jul 8, 2026

Copy link
Copy Markdown
Member

Fifth batch from pkgmgr import-wolfi — high-star single-binary CLI tools (go + rust). Chosen from a stars survey; all pure-go / pure-rust (deps bundled by the module/crate tree).

What's here (10 packages, all build + pass every minimal check at 0 TODOs)

pkg lang what
dive 54k go docker image layer explorer
lazydocker 51k go docker TUI
esbuild 39k go JS/TS bundler
croc 35k go secure file transfer
restic 34k go encrypted backups
gitleaks 28k go secret scanner
sops 22k go encrypted secrets
sccache 7.4k rust shared compiler cache (links openssl)
tealdeer 6.4k rust fast tldr client
dua 6k rust disk-usage analyzer

How they're produced

  • go: go build -trimpath (built straight into $OUTPUT_DIR/usr/bin — avoids a <name>/ package-dir clash), glibc runtime, needs = { dns, internet }, version stamped via MINIMAL_ARG_VERSION.
  • rust: cargo build --release with reproducible RUSTFLAGS; sccache's openssl-sys crate pulls openssl + pkgconf build-deps and openssl runtime (resolved from the ELF's libssl linkage).
  • Sources mirrored to gs://minimal-staging-archives/<owner>/<repo>/<tag>.tar.gz.

Reviewer notes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added packaging support for several developer tools, including croc, dive, dua, esbuild, gitleaks, lazydocker, restic, sccache, sops, and tealdeer.
    • Each package now includes a build recipe, binary output, runtime dependency setup, and basic smoke tests to verify the tool launches and reports its help/version information.

…70 merge

High-star single-binary CLIs from `pkgmgr import-wolfi`:
  go:   dive, lazydocker, esbuild, croc, restic, gitleaks, sops
  rust: sccache, tealdeer (→ tldr), dua

Each builds clean + passes every `minimal check` at 0 TODOs. Sources mirrored
to gs://minimal-staging-archives. NOT pushed / no PR yet — staged on this branch
to open once batches 1-4 (#367-#370) land.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 54 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 72e1f404-ce5c-4d65-af13-510ee3fdc2a6

📥 Commits

Reviewing files that changed from the base of the PR and between a62e046 and ee01a93.

📒 Files selected for processing (3)
  • packages/gitleaks/build.sh
  • packages/lazydocker/build.sh
  • packages/tealdeer/build.ncl
📝 Walkthrough

Walkthrough

Adds ten new package build specifications (croc, dive, dua, esbuild, gitleaks, lazydocker, restic, sccache, sops, tealdeer), each with a build.ncl defining dependencies, build commands, outputs, runtime deps, metadata, and smoke tests, plus corresponding build.sh scripts compiling Go or Rust binaries into fixed output paths.

Changes

Go-based package builds

Layer / File(s) Summary
croc
packages/croc/build.ncl, packages/croc/build.sh
Fetches croc 10.4.11 tarball, builds via go build with trimpath/stripped flags, outputs usr/bin/croc, MIT license, smoke tests for version/help.
dive
packages/dive/build.ncl, packages/dive/build.sh
Fetches dive 0.13.1 tarball, builds Go binary with version injection, outputs usr/bin/dive, smoke tests for version/help.
esbuild
packages/esbuild/build.ncl, packages/esbuild/build.sh
Fetches esbuild 0.28.1 tarball, builds Go binary, outputs usr/bin/esbuild, smoke tests include minification and TypeScript stripping.
gitleaks
packages/gitleaks/build.ncl, packages/gitleaks/build.sh
Fetches gitleaks 8.30.1 tarball, builds Go binary with version linker flag, outputs usr/bin/gitleaks, extensive smoke tests covering secret detection, allow-comments, ignore files, and baseline scanning.
lazydocker
packages/lazydocker/build.ncl, packages/lazydocker/build.sh
Fetches lazydocker 0.25.2 tarball, builds Go binary with version/build-source flags, outputs usr/bin/lazydocker, smoke tests for help/version.
restic
packages/restic/build.ncl, packages/restic/build.sh
Fetches restic 0.19.1 tarball, builds from ./cmd/restic with version injection, outputs usr/bin/restic, smoke tests for version/help.
sops
packages/sops/build.ncl, packages/sops/build.sh
Fetches sops 3.13.2 tarball, builds from ./cmd/sops, outputs usr/bin/sops, smoke tests for version/help.

Rust-based package builds

Layer / File(s) Summary
dua
packages/dua/build.ncl, packages/dua/build.sh
Fetches dua-cli 2.37.1 tarball, cargo release build with GCC linker and reproducibility flags, outputs usr/bin/dua, runtime deps glibc+libgcc, smoke tests for version/help.
sccache
packages/sccache/build.ncl, packages/sccache/build.sh
Fetches sccache 0.16.0 tarball, cargo release build with GCC/openssl deps, outputs usr/bin/sccache, smoke tests cover server start/stop and stats output.
tealdeer
packages/tealdeer/build.ncl, packages/tealdeer/build.sh
Fetches tealdeer 1.8.1 tarball, cargo release build with reproducibility flags, outputs usr/bin/tldr, Apache-2.0 license, smoke tests for version/help.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the batch import of 10 CLI tools in the packages tree.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch add-wolfi-imports-batch5-cli

Comment @coderabbitai help to get the list of available commands.

Buildbot: `restic --version` → "unknown flag: --version". restic exposes its
version via the `restic version` subcommand, not a `--version` flag. Regenerated
with the fixed importer, which now probes both forms
(`restic --version 2>/dev/null || restic version`). Passes every check.

Co-Authored-By: Claude Opus 4.8 <[email protected]>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/gitleaks/build.sh`:
- Line 6: The version stamp in the gitleaks build command is pointing at the
wrong module path, so the linker never sets the intended version value. Update
the go build ldflags in build.sh to use the correct
github.com/zricethezav/gitleaks/v8/cmd.Version symbol so the binary gets the
expected version string.

In `@packages/lazydocker/build.sh`:
- Line 6: The build metadata in the lazydocker build script is incorrectly
hardcoded to wolfiRelease, which can misrepresent the binary’s provenance.
Update the ldflags in the build command to set main.buildSource to a value that
reflects this local/package build instead, and keep the existing main.version
wiring intact. Use the build command in build.sh and the BuildSource field
referenced by lazydocker --version as the places to align the provenance label.

In `@packages/tealdeer/build.ncl`:
- Line 40: The license metadata for tealdeer is incomplete because only
Apache-2.0 is recorded, while the package is dual-licensed upstream. Update the
license declaration in the build spec to reflect both MIT and Apache-2.0,
keeping the existing licensing metadata block consistent with the upstream
Cargo.toml so the package is not misrepresented.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a9e47ad9-04fc-418e-adb0-53f29fead8a9

📥 Commits

Reviewing files that changed from the base of the PR and between 99f1af9 and a62e046.

📒 Files selected for processing (20)
  • packages/croc/build.ncl
  • packages/croc/build.sh
  • packages/dive/build.ncl
  • packages/dive/build.sh
  • packages/dua/build.ncl
  • packages/dua/build.sh
  • packages/esbuild/build.ncl
  • packages/esbuild/build.sh
  • packages/gitleaks/build.ncl
  • packages/gitleaks/build.sh
  • packages/lazydocker/build.ncl
  • packages/lazydocker/build.sh
  • packages/restic/build.ncl
  • packages/restic/build.sh
  • packages/sccache/build.ncl
  • packages/sccache/build.sh
  • packages/sops/build.ncl
  • packages/sops/build.sh
  • packages/tealdeer/build.ncl
  • packages/tealdeer/build.sh

Comment thread packages/gitleaks/build.sh Outdated
Comment thread packages/lazydocker/build.sh Outdated
set -eu
export GOROOT=/usr/go
mkdir -p "$OUTPUT_DIR/usr/bin"
go build -trimpath -ldflags "-buildid= -w -s -X main.version=${MINIMAL_ARG_VERSION} -X main.buildSource=wolfiRelease" -o "$OUTPUT_DIR/usr/bin/lazydocker" .

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

buildSource=wolfiRelease is inaccurate provenance metadata.

This is a leftover from the Wolfi recipe; the binary is actually built here, not via Wolfi. Since lazydocker --version prints BuildSource (confirmed against upstream's main.go/.goreleaser.yml usage of this ldflag), this label could mislead anyone debugging the origin of the binary.

🩹 Proposed fix
-go build -trimpath -ldflags "-buildid= -w -s -X main.version=${MINIMAL_ARG_VERSION} -X main.buildSource=wolfiRelease" -o "$OUTPUT_DIR/usr/bin/lazydocker" .
+go build -trimpath -ldflags "-buildid= -w -s -X main.version=${MINIMAL_ARG_VERSION} -X main.buildSource=minimal" -o "$OUTPUT_DIR/usr/bin/lazydocker" .
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
go build -trimpath -ldflags "-buildid= -w -s -X main.version=${MINIMAL_ARG_VERSION} -X main.buildSource=wolfiRelease" -o "$OUTPUT_DIR/usr/bin/lazydocker" .
go build -trimpath -ldflags "-buildid= -w -s -X main.version=${MINIMAL_ARG_VERSION} -X main.buildSource=minimal" -o "$OUTPUT_DIR/usr/bin/lazydocker" .
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/lazydocker/build.sh` at line 6, The build metadata in the lazydocker
build script is incorrectly hardcoded to wolfiRelease, which can misrepresent
the binary’s provenance. Update the ldflags in the build command to set
main.buildSource to a value that reflects this local/package build instead, and
keep the existing main.version wiring intact. Use the build command in build.sh
and the BuildSource field referenced by lazydocker --version as the places to
align the provenance label.

Comment thread packages/tealdeer/build.ncl Outdated
- gitleaks: fix the version ldflag target. Upstream .goreleaser.yml stamps
  `github.com/zricethezav/gitleaks/v8/version.Version` — the module path kept the
  original zricethezav org (despite the GitHub org rename) and the var lives in
  the `version` package, not `cmd`. The old wrong path was silently ignored by
  the linker, leaving the version unstamped. Verified 8.30.1 embeds now.
- lazydocker: drop `-X main.buildSource=wolfiRelease` — we build from source, so
  that origin label (printed by --version) was inaccurate.
- tealdeer: license_spdx Apache-2.0 → "MIT OR Apache-2.0" (v1.8.1 Cargo.toml
  declares the dual license and ships both LICENSE-MIT and LICENSE-APACHE).

Co-Authored-By: Claude Opus 4.8 <[email protected]>
@bryan-minimal

Copy link
Copy Markdown
Member Author

Addressed CodeRabbit review (pushed)

  • gitleaks: fixed the version ldflag target to github.com/zricethezav/gitleaks/v8/version.Version. CR had the org right (zricethezav — the module path kept the original org despite the GitHub rename to gitleaks/gitleaks), but the variable lives in the version package, not cmd — confirmed against upstream's own .goreleaser.yml. The old wrong path was silently ignored by the linker, leaving the version unstamped. Verified 8.30.1 now embeds in the binary.
  • lazydocker: dropped -X main.buildSource=wolfiRelease — we build from source, so that origin label (printed by --version) was inaccurate. Also fixed at the importer's ldflag sanitizer (pkgmgr-rs #471).
  • tealdeer: license_spdx Apache-2.0MIT OR Apache-2.0 (v1.8.1 Cargo.toml declares the dual license and ships both LICENSE-MIT and LICENSE-APACHE).

gitleaks + lazydocker rebuilt clean with versions correctly embedded.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant