go.mod: update osbuild/images to v0.156.0

tag v0.155.0
Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com>

Changes with 0.155.0

----------------
  * Fedora 43: add shadow-utils when LockRoot is enabled, update cloud-init service name (osbuild/images#1618)
    * Author: Achilleas Koutsou, Reviewers: Gianluca Zuccarelli, Michael Vogt
  * Update osbuild dependency commit ID to latest (osbuild/images#1609)
    * Author: SchutzBot, Reviewers: Achilleas Koutsou, Simon de Vlieger, Tomáš Hozza
  * Update snapshots to 20250626 (osbuild/images#1623)
    * Author: SchutzBot, Reviewers: Achilleas Koutsou, Simon de Vlieger
  * distro/rhel9: xz compress azure-cvm image type [HMS-8587] (osbuild/images#1620)
    * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza
  * distro/rhel: introduce new image type: Azure SAP Apps [HMS-8738] (osbuild/images#1612)
    * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza
  * distro/rhel: move ansible-core to sap_extras_pkgset (osbuild/images#1624)
    * Author: Achilleas Koutsou, Reviewers: Brian C. Lane, Tomáš Hozza
  * github/create-tag: allow passing the version when run manually (osbuild/images#1621)
    * Author: Achilleas Koutsou, Reviewers: Lukáš Zapletal, Tomáš Hozza
  * rhel9: move image-config into pure YAML (HMS-8593) (osbuild/images#1616)
    * Author: Michael Vogt, Reviewers: Achilleas Koutsou, Simon de Vlieger
  * test: split manifest checksums into separate files (osbuild/images#1625)
    * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza

— Somewhere on the Internet, 2025-06-30

---

tag v0.156.0
Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com>

Changes with 0.156.0

----------------
  * Many: delete repositories for EOL distributions (HMS-7044) (osbuild/images#1607)
    * Author: Tomáš Hozza, Reviewers: Michael Vogt, Simon de Vlieger
  * RHSM/facts: add 'image-builder CLI' API type (osbuild/images#1640)
    * Author: Tomáš Hozza, Reviewers: Brian C. Lane, Simon de Vlieger
  * Update dependencies 2025-06-29 (osbuild/images#1628)
    * Author: SchutzBot, Reviewers: Simon de Vlieger, Tomáš Hozza
  * Update osbuild dependency commit ID to latest (osbuild/images#1627)
    * Author: SchutzBot, Reviewers: Simon de Vlieger, Tomáš Hozza
  * [RFC] image: drop `InstallWeakDeps` from image.DiskImage (osbuild/images#1642)
    * Author: Michael Vogt, Reviewers: Brian C. Lane, Simon de Vlieger, Tomáš Hozza
  * build(deps): bump the go-deps group across 1 directory with 3 updates (osbuild/images#1632)
    * Author: dependabot[bot], Reviewers: SchutzBot, Tomáš Hozza
  * distro/rhel10: xz compress azure-cvm image type (osbuild/images#1638)
    * Author: Achilleas Koutsou, Reviewers: Brian C. Lane, Simon de Vlieger
  * distro: cleanup/refactor distro/{defs,generic} (HMS-8744) (osbuild/images#1570)
    * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza
  * distro: remove some hardcoded values from generic/images.go (osbuild/images#1636)
    * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza
  * distro: small tweaks for the YAML based imagetypes (osbuild/images#1622)
    * Author: Michael Vogt, Reviewers: Brian C. Lane, Simon de Vlieger
  * fedora/wsl: packages and locale (osbuild/images#1635)
    * Author: Simon de Vlieger, Reviewers: Michael Vogt, Tomáš Hozza
  * image/many: make compression more generic (osbuild/images#1634)
    * Author: Simon de Vlieger, Reviewers: Brian C. Lane, Michael Vogt
  * manifest: handle content template name with spaces (osbuild/images#1641)
    * Author: Bryttanie, Reviewers: Brian C. Lane, Michael Vogt, Tomáš Hozza
  * many: implement gzip (osbuild/images#1633)
    * Author: Simon de Vlieger, Reviewers: Michael Vogt, Tomáš Hozza
  * rhel/azure: set GRUB_TERMINAL based on architecture [RHEL-91383] (osbuild/images#1626)
    * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza

— Somewhere on the Internet, 2025-07-07

---

vendor/github.com/containers/image/v5/docker/archive/transport.go

@@ -101,6 +101,9 @@ func NewReference(path string, ref reference.NamedTagged) (types.ImageReference,
 
 // NewIndexReference returns a Docker archive reference for a path and a zero-based source manifest index.
 func NewIndexReference(path string, sourceIndex int) (types.ImageReference, error) {
+	if sourceIndex < 0 {
+		return nil, fmt.Errorf("invalid call to NewIndexReference with negative index %d", sourceIndex)
+	}
 	return newReference(path, nil, sourceIndex, nil, nil)
 }
 

vendor/github.com/containers/image/v5/docker/body_reader.go

@@ -35,9 +35,9 @@ type bodyReader struct {
 
 	body            io.ReadCloser // The currently open connection we use to read data, or nil if there is nothing to read from / close.
 	lastRetryOffset int64         // -1 if N/A
-	lastRetryTime   time.Time     // time.Time{} if N/A
+	lastRetryTime   time.Time     // IsZero() if N/A
 	offset          int64         // Current offset within the blob
-	lastSuccessTime time.Time     // time.Time{} if N/A
+	lastSuccessTime time.Time     // IsZero() if N/A
 }
 
 // newBodyReader creates a bodyReader for request path in c.
@@ -207,9 +207,9 @@ func (br *bodyReader) Read(p []byte) (int, error) {
 }
 
 // millisecondsSinceOptional is like currentTime.Sub(tm).Milliseconds, but it returns a floating-point value.
-// If tm is time.Time{}, it returns math.NaN()
+// If tm.IsZero(), it returns math.NaN()
 func millisecondsSinceOptional(currentTime time.Time, tm time.Time) float64 {
-	if tm == (time.Time{}) {
+	if tm.IsZero() {
 		return math.NaN()
 	}
 	return float64(currentTime.Sub(tm).Nanoseconds()) / 1_000_000.0
@@ -229,7 +229,7 @@ func (br *bodyReader) errorIfNotReconnecting(originalErr error, redactedURL stri
 		logrus.Infof("Reading blob body from %s failed (%v), reconnecting after %d bytes…", redactedURL, originalErr, progress)
 		return nil
 	}
-	if br.lastRetryTime == (time.Time{}) {
+	if br.lastRetryTime.IsZero() {
 		logrus.Infof("Reading blob body from %s failed (%v), reconnecting (first reconnection)…", redactedURL, originalErr)
 		return nil
 	}

vendor/github.com/containers/image/v5/docker/daemon/daemon_dest.go

@@ -92,7 +92,7 @@ func imageLoadGoroutine(ctx context.Context, c *client.Client, reader *io.PipeRe
 
 // imageLoad accepts tar stream on reader and sends it to c
 func imageLoad(ctx context.Context, c *client.Client, reader *io.PipeReader) error {
-	resp, err := c.ImageLoad(ctx, reader, true)
+	resp, err := c.ImageLoad(ctx, reader, client.ImageLoadWithQuiet(true))
 	if err != nil {
 		return fmt.Errorf("starting a load operation in docker engine: %w", err)
 	}

vendor/github.com/containers/image/v5/docker/daemon/daemon_transport.go

@@ -87,10 +87,13 @@ func ParseReference(refString string) (types.ImageReference, error) {
 
 // NewReference returns a docker-daemon reference for either the supplied image ID (config digest) or the supplied reference (which must satisfy !reference.IsNameOnly)
 func NewReference(id digest.Digest, ref reference.Named) (types.ImageReference, error) {
-	if id != "" && ref != nil {
+	switch {
+	case id != "" && ref != nil:
 		return nil, errors.New("docker-daemon: reference must not have an image ID and a reference string specified at the same time")
-	}
-	if ref != nil {
+	case id == "" && ref == nil:
+		return nil, errors.New("docker-daemon: reference must have at least one of an image ID and a reference string")
+
+	case ref != nil:
 		if reference.IsNameOnly(ref) {
 			return nil, fmt.Errorf("docker-daemon: reference %s has neither a tag nor a digest", reference.FamiliarString(ref))
 		}

vendor/github.com/containers/image/v5/docker/distribution_error.go

@@ -30,14 +30,25 @@ import (
 // errcode.Errors slice.
 var errNoErrorsInBody = errors.New("no error details found in HTTP response body")
 
-// unexpectedHTTPStatusError is returned when an unexpected HTTP status is
+// UnexpectedHTTPStatusError is returned when an unexpected HTTP status is
 // returned when making a registry api call.
-type unexpectedHTTPStatusError struct {
-	Status string
+type UnexpectedHTTPStatusError struct {
+	// StatusCode code as returned from the server, so callers can
+	// match the exact code to make certain decisions if needed.
+	StatusCode int
+	// status text as displayed in the error message, not exposed as callers should match the number.
+	status string
 }
 
-func (e *unexpectedHTTPStatusError) Error() string {
-	return fmt.Sprintf("received unexpected HTTP status: %s", e.Status)
+func (e UnexpectedHTTPStatusError) Error() string {
+	return fmt.Sprintf("received unexpected HTTP status: %s", e.status)
+}
+
+func newUnexpectedHTTPStatusError(resp *http.Response) UnexpectedHTTPStatusError {
+	return UnexpectedHTTPStatusError{
+		StatusCode: resp.StatusCode,
+		status:     resp.Status,
+	}
 }
 
 // unexpectedHTTPResponseError is returned when an expected HTTP status code
@@ -117,7 +128,7 @@ func handleErrorResponse(resp *http.Response) error {
 	case resp.StatusCode == http.StatusUnauthorized:
 		// Check for OAuth errors within the `WWW-Authenticate` header first
 		// See https://tools.ietf.org/html/rfc6750#section-3
-		for _, c := range parseAuthHeader(resp.Header) {
+		for c := range iterateAuthHeader(resp.Header) {
 			if c.Scheme == "bearer" {
 				var err errcode.Error
 				// codes defined at https://tools.ietf.org/html/rfc6750#section-3.1
@@ -146,5 +157,5 @@ func handleErrorResponse(resp *http.Response) error {
 		}
 		return err
 	}
-	return &unexpectedHTTPStatusError{Status: resp.Status}
+	return newUnexpectedHTTPStatusError(resp)
 }

vendor/github.com/containers/image/v5/docker/docker_client.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -475,12 +476,11 @@ func (c *dockerClient) resolveRequestURL(path string) (*url.URL, error) {
 }
 
 // Checks if the auth headers in the response contain an indication of a failed
-// authorizdation because of an "insufficient_scope" error. If that's the case,
+// authorization because of an "insufficient_scope" error. If that's the case,
 // returns the required scope to be used for fetching a new token.
 func needsRetryWithUpdatedScope(res *http.Response) (bool, *authScope) {
 	if res.StatusCode == http.StatusUnauthorized {
-		challenges := parseAuthHeader(res.Header)
-		for _, challenge := range challenges {
+		for challenge := range iterateAuthHeader(res.Header) {
 			if challenge.Scheme == "bearer" {
 				if errmsg, ok := challenge.Parameters["error"]; ok && errmsg == "insufficient_scope" {
 					if scope, ok := challenge.Parameters["scope"]; ok && scope != "" {
@@ -907,6 +907,10 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
 	}
 	tr := tlsclientconfig.NewTransport()
 	tr.TLSClientConfig = c.tlsClientConfig
+	// if set DockerProxyURL explicitly, use the DockerProxyURL instead of system proxy
+	if c.sys != nil && c.sys.DockerProxyURL != nil {
+		tr.Proxy = http.ProxyURL(c.sys.DockerProxyURL)
+	}
 	c.client = &http.Client{Transport: tr}
 
 	ping := func(scheme string) error {
@@ -924,7 +928,7 @@ func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
 		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
 			return registryHTTPResponseToError(resp)
 		}
-		c.challenges = parseAuthHeader(resp.Header)
+		c.challenges = slices.Collect(iterateAuthHeader(resp.Header))
 		c.scheme = scheme
 		c.supportsSignatures = resp.Header.Get("X-Registry-Supports-Signatures") == "1"
 		return nil
@@ -992,13 +996,18 @@ func (c *dockerClient) getExternalBlob(ctx context.Context, urls []string) (io.R
 			continue
 		}
 		if resp.StatusCode != http.StatusOK {
-			err := fmt.Errorf("error fetching external blob from %q: %d (%s)", u, resp.StatusCode, http.StatusText(resp.StatusCode))
+			err := fmt.Errorf("error fetching external blob from %q: %w", u, newUnexpectedHTTPStatusError(resp))
 			remoteErrors = append(remoteErrors, err)
 			logrus.Debug(err)
 			resp.Body.Close()
 			continue
 		}
-		return resp.Body, getBlobSize(resp), nil
+
+		size, err := getBlobSize(resp)
+		if err != nil {
+			size = -1
+		}
+		return resp.Body, size, nil
 	}
 	if remoteErrors == nil {
 		return nil, 0, nil // fallback to non-external blob
@@ -1006,12 +1015,20 @@ func (c *dockerClient) getExternalBlob(ctx context.Context, urls []string) (io.R
 	return nil, 0, fmt.Errorf("failed fetching external blob from all urls: %w", multierr.Format("", ", ", "", remoteErrors))
 }
 
-func getBlobSize(resp *http.Response) int64 {
-	size, err := strconv.ParseInt(resp.Header.Get("Content-Length"), 10, 64)
-	if err != nil {
-		size = -1
+func getBlobSize(resp *http.Response) (int64, error) {
+	hdrs := resp.Header.Values("Content-Length")
+	if len(hdrs) == 0 {
+		return -1, errors.New(`Missing "Content-Length" header in response`)
 	}
-	return size
+	hdr := hdrs[0] // Equivalent to resp.Header.Get(…)
+	size, err := strconv.ParseInt(hdr, 10, 64)
+	if err != nil { // Go’s response reader should already reject such values.
+		return -1, err
+	}
+	if size < 0 { // '-' is not a valid character in Content-Length, so negative values are invalid. Go’s response reader should already reject such values.
+		return -1, fmt.Errorf(`Invalid negative "Content-Length" %q`, hdr)
+	}
+	return size, nil
 }
 
 // getBlob returns a stream for the specified blob in ref, and the blob’s size (or -1 if unknown).
@@ -1042,7 +1059,10 @@ func (c *dockerClient) getBlob(ctx context.Context, ref dockerReference, info ty
 		return nil, 0, fmt.Errorf("fetching blob: %w", err)
 	}
 	cache.RecordKnownLocation(ref.Transport(), bicTransportScope(ref), info.Digest, newBICLocationReference(ref))
-	blobSize := getBlobSize(res)
+	blobSize, err := getBlobSize(res)
+	if err != nil {
+		blobSize = -1
+	}
 
 	reconnectingReader, err := newBodyReader(ctx, c, path, res.Body)
 	if err != nil {

vendor/github.com/containers/image/v5/docker/docker_image_dest.go

@@ -243,8 +243,12 @@ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.
 	defer res.Body.Close()
 	switch res.StatusCode {
 	case http.StatusOK:
+		size, err := getBlobSize(res)
+		if err != nil {
+			return false, -1, fmt.Errorf("determining size of blob %s in %s: %w", digest, repo.Name(), err)
+		}
 		logrus.Debugf("... already exists")
-		return true, getBlobSize(res), nil
+		return true, size, nil
 	case http.StatusUnauthorized:
 		logrus.Debugf("... not authorized")
 		return false, -1, fmt.Errorf("checking whether a blob %s exists in %s: %w", digest, repo.Name(), registryHTTPResponseToError(res))

vendor/github.com/containers/image/v5/docker/docker_image_src.go

@@ -569,7 +569,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, sigURL *url.URL
 			logrus.Debugf("... got status 404, as expected = end of signatures")
 			return nil, true, nil
 		} else if res.StatusCode != http.StatusOK {
-			return nil, false, fmt.Errorf("reading signature from %s: status %d (%s)", sigURL.Redacted(), res.StatusCode, http.StatusText(res.StatusCode))
+			return nil, false, fmt.Errorf("reading signature from %s: %w", sigURL.Redacted(), newUnexpectedHTTPStatusError(res))
 		}
 
 		contentType := res.Header.Get("Content-Type")

vendor/github.com/containers/image/v5/docker/errors.go

@@ -40,10 +40,10 @@ func httpResponseToError(res *http.Response, context string) error {
 		err := registryHTTPResponseToError(res)
 		return ErrUnauthorizedForCredentials{Err: err}
 	default:
-		if context != "" {
-			context += ": "
+		if context == "" {
+			return newUnexpectedHTTPStatusError(res)
 		}
-		return fmt.Errorf("%sinvalid status code from registry %d (%s)", context, res.StatusCode, http.StatusText(res.StatusCode))
+		return fmt.Errorf("%s: %w", context, newUnexpectedHTTPStatusError(res))
 	}
 }
 

vendor/github.com/containers/image/v5/docker/internal/tarfile/writer.go

@@ -242,9 +242,7 @@ func (w *Writer) ensureManifestItemLocked(layerDescriptors []manifest.Schema2Des
 	}
 
 	knownRepoTags := set.New[string]()
-	for _, repoTag := range item.RepoTags {
-		knownRepoTags.Add(repoTag)
-	}
+	knownRepoTags.AddSeq(slices.Values(item.RepoTags))
 	for _, tag := range repoTags {
 		// For github.com/docker/docker consumers, this works just as well as
 		//   refString := ref.String()

vendor/github.com/containers/image/v5/docker/paths_common.go

@@ -1,5 +1,4 @@
 //go:build !freebsd
-// +build !freebsd
 
 package docker
 

vendor/github.com/containers/image/v5/docker/paths_freebsd.go

@@ -1,5 +1,4 @@
 //go:build freebsd
-// +build freebsd
 
 package docker
 

vendor/github.com/containers/image/v5/docker/wwwauthenticate.go

@@ -4,6 +4,7 @@ package docker
 
 import (
 	"fmt"
+	"iter"
 	"net/http"
 	"strings"
 )
@@ -60,15 +61,17 @@ func init() {
 	}
 }
 
-func parseAuthHeader(header http.Header) []challenge {
-	challenges := []challenge{}
-	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
-		v, p := parseValueAndParams(h)
-		if v != "" {
-			challenges = append(challenges, challenge{Scheme: v, Parameters: p})
+func iterateAuthHeader(header http.Header) iter.Seq[challenge] {
+	return func(yield func(challenge) bool) {
+		for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
+			v, p := parseValueAndParams(h)
+			if v != "" {
+				if !yield(challenge{Scheme: v, Parameters: p}) {
+					return
+				}
+			}
 		}
 	}
-	return challenges
 }
 
 // parseAuthScope parses an authentication scope string of the form `$resource:$remote:$actions`