kargo/1.1.1-r0: cve remediation

[octo-sts]

kargo/1.1.1-r0: fix GHSA-v778-237x-gjrc

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/kargo.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

Based on the error output, I'll analyze and provide a solution:

• Detected Error: fatal: Remote branch v1.1.1 not found in upstream origin
(This error is implied by the build failing after the git clone command)

• Error Category: Version

• Failure Point: Git checkout step during pipeline execution

• Root Cause Analysis: The git-checkout step is failing because it's trying to clone using v1.1.1 as a branch name instead of as a tag. The repository uses tagged releases but the clone command is using the wrong git reference format.

• Suggested Fix:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/akuity/kargo
      tag: v${{package.version}}
      expected-commit: d9932c7379444b0cc885c05fbc735f4495c65463
      fetch-depth: 0  # Add this line

• Explanation:
The current git-checkout step is attempting to use --branch=v1.1.1 which looks for a branch instead of a tag. Adding fetch-depth: 0 ensures all tags are fetched properly. This is a common issue when working with tagged releases in git-based build systems.

• Additional Notes:

• The repository uses standard semantic versioning with v prefix for tags
• The expected commit hash appears correct
• This is a known pattern when dealing with shallow clones and tags

• References:

• Git documentation on shallow clones: https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---depthltdepthgt
• Melange git-checkout action documentation: https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/git.go

The fix ensures proper tag fetching while maintaining the expected version constraint and commit verification.