bump github.com/theupdateframework/go-tuf/v2 (#517 )

bumps the go_modules group with 1 update in the / directory: [github.com/theupdateframework/go-tuf/v2](https://github.com/theupdateframework/go-tuf). updates `github.com/theupdateframework/go-tuf/v2` from 2.3.1 to 2.4.1 - [Release notes](https://github.com/theupdateframework/go-tuf/releases) - [Commits](https://github.com/theupdateframework/go-tuf/compare/v2.3.1...v2.4.1) --- updated-dependencies: - dependency-name: github.com/theupdateframework/go-tuf/v2 dependency-version: 2.4.1 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
keep registry on image rewrite if not specified (#501 )
2026-02-28 08:43:50 +00:00 · 2026-02-23 17:19:37 -05:00 · 2026-02-23 17:18:50 -05:00
5 changed files with 13 additions and 151 deletions
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -207,6 +207,10 @@ jobs:
          hauler store add image ghcr.io/hauler-dev/library/busybox:stable --rewrite /custom-path/busybox
          # confirm tag
          hauler store info | grep ':stable'
+          # confirm old registry used if not specified
+          hauler store add image ghcr.io/hauler-dev/library/nginx:1.25-alpine --rewrite custom-path/nginx
+          # verify existing registry associated with rewritten image in store
+          hauler store info | grep 'ghcr.io/custom-path/nginx'

      - name: Verify - hauler store copy
        run: |
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -1,144 +0,0 @@
-# Development Guide
-
-This document covers how to build Hauler locally and how the project's branching strategy works. It's intended for contributors making code changes or maintainers managing releases.
-
---
-
-## Local Build
-
-### Prerequisites
-
- **Go** — check `go.mod` for the minimum required version
- **Make**
- **Docker** (optional, for container image builds)
- **Git**
-
-### Clone the Repository
-
-```bash
-git clone https://github.com/hauler-dev/hauler.git
-cd hauler
-```
-
-### Build the Binary
-
-Using Make:
-
-```bash
-make build
-```
-
-Or directly with Go:
-
-```bash
-go build -o hauler ./cmd/hauler
-```
-
-The compiled binary will be output to the project root. You can run it directly:
-
-```bash
-./hauler version
-```
-
-### Run Tests
-
-```bash
-make test
-```
-
-Or with Go:
-
-```bash
-go test ./...
-```
-
-### Useful Tips
-
- The `--store` flag defaults to `./store` in the current working directory during local testing, so running `./hauler store add ...` from the project root is safe and self-contained. Use `rm -rf store` in the working directory to clear.
- Set `--log-level debug` when developing to get verbose output.
-
---
-
-## Branching Strategy
-
-Hauler uses a **main-first, release branch** model. All development flows through `main`, and release branches are maintained for each minor version to support patching older release lines in parallel.
-
-### Branch Structure
-
-```
-main              ← source of truth, all development targets here
-release/1.3       ← 1.3.x patch line
-release/1.4       ← 1.4.x patch line
-```
-
-Release tags (`v1.4.1`, `v1.3.2`, etc.) are always cut from the corresponding `release/X.Y` branch, never directly from `main`.
-
-### Where to Target Your Changes
-
-All pull requests should target `main` by default. Maintainers are responsible for cherry-picking fixes onto release branches as part of the patch release process.
-
-| Change type | Target branch |
-|---|---|
-| New features | `main` |
-| Bug fixes | `main` |
-| Security patches | `main` (expedited backport to affected branches) |
-| Release-specific fix (see below) | `release/X.Y` directly |
-
-### Creating a New Release Branch
-
-When `main` is ready to ship a new minor version, a release branch is cut:
-
-```bash
-git checkout main
-git pull origin main
-git checkout -b release/1.4
-git push origin release/1.4
-```
-
-The first release is then tagged from that branch:
-
-```bash
-git tag v1.4.0
-git push origin v1.4.0
-```
-
-Development on `main` immediately continues toward the next minor.
-
-### Backporting a Fix to a Release Branch
-
-When a bug fix merged to `main` also needs to apply to an active release line, cherry-pick the commit onto the release branch and open a PR targeting it:
-
-```bash
-git checkout release/1.3
-git pull origin release/1.3
-git checkout -b backport/fix-description-to-1.3
-git cherry-pick <commit-sha>
-git push origin backport/fix-description-to-1.3
-```
-
-Open a PR targeting `release/1.3` and reference the original PR in the description. If the cherry-pick doesn't apply cleanly, resolve conflicts and note them in the PR.
-
-### Fixes That Only Apply to an Older Release Line
-
-Sometimes a bug exists in an older release but the relevant code has been removed or significantly changed in `main` — making a forward-port unnecessary or nonsensical. In these cases, it's acceptable to open a PR directly against the affected `release/X.Y` branch.
-
-When doing this, the PR description must explain:
-
- Which versions are affected
- Why the fix does not apply to `main` or newer release lines (e.g., "this code path was removed in 1.4 when X was refactored")
-
-This keeps the history auditable and prevents future contributors from wondering why the fix never made it forward.
-
-### Summary
-
-```
-            ┌─────────────────────────────────────────► main (next minor)
-            │
-            │  cherry-pick / backport PRs
-            │  ─────────────────────────►  release/1.4  (v1.4.0, v1.4.1 ...)
-            │
-            │  ─────────────────────────►  release/1.3  (v1.3.0, v1.3.1 ...)
-            │
-            │  direct fix (older-only bug)
-            │  ─────────────────────────►  release/1.2  (critical fixes only)
-```
--- a/cmd/hauler/cli/store/add.go
+++ b/cmd/hauler/cli/store/add.go
@@ -146,26 +146,28 @@ func storeImage(ctx context.Context, s *store.Layout, i v1.Image, platform strin
 func rewriteReference(ctx context.Context, s *store.Layout, oldRef name.Reference, newRef name.Reference) error {
 	l := log.FromContext(ctx)

-	l.Infof("rewriting [%s] to [%s]", oldRef.Name(), newRef.Name())
-
 	s.OCI.LoadIndex()

 	//TODO: improve string manipulation
 	oldRefContext := oldRef.Context()
 	newRefContext := newRef.Context()
-
 	oldRepo := oldRefContext.RepositoryStr()
 	newRepo := newRefContext.RepositoryStr()
 	oldTag := oldRef.(name.Tag).TagStr()
 	newTag := newRef.(name.Tag).TagStr()
 	oldRegistry := strings.TrimPrefix(oldRefContext.RegistryStr(), "index.")
 	newRegistry := strings.TrimPrefix(newRefContext.RegistryStr(), "index.")
-
+	// If new registry not set in rewrite, keep old registry instead of defaulting to docker.io
+	if newRegistry == "docker.io" && oldRegistry != "docker.io" {
+		newRegistry = oldRegistry
+	}
 	oldTotal := oldRepo + ":" + oldTag
 	newTotal := newRepo + ":" + newTag
 	oldTotalReg := oldRegistry + "/" + oldTotal
 	newTotalReg := newRegistry + "/" + newTotal

+	l.Infof("rewriting [%s] to [%s]", oldTotalReg, newTotalReg)
+
 	//find and update reference
 	found := false
 	if err := s.OCI.Walk(func(k string, d ocispec.Descriptor) error {
--- a/go.mod
+++ b/go.mod
@@ -294,7 +294,7 @@ require (
 	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.3.1 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.4.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect
--- a/go.sum
+++ b/go.sum
@@ -947,8 +947,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.3.1 h1:fReZUTLvPdqIL8Rd9xEKPmaxig8GIXe0kS4RSEaRfaM=
-github.com/theupdateframework/go-tuf/v2 v2.3.1/go.mod h1:9S0Srkf3c13FelsOyt5OyG3ZZDq9OJDA4IILavrt72Y=
+github.com/theupdateframework/go-tuf/v2 v2.4.1 h1:K6ewW064rKZCPkRo1W/CTbTtm/+IB4+coG1iNURAGCw=
+github.com/theupdateframework/go-tuf/v2 v2.4.1/go.mod h1:Nex2enPVYDFCklrnbTzl3OVwD7fgIAj0J5++z/rvCj8=
 github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI=
 github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis=
 github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0=