build(deps): bump oras.land/oras-go/v2 from 2.0.1 to 2.0.2

[dependabot]

Bumps oras.land/oras-go/v2 from 2.0.1 to 2.0.2.

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.0.2

Bug Fixes

• Fix #461: Untagged manifests might be accidentally removed from the index.json file in OCI layouts

Other Changes

• Improve repository governance

Detailed Commits

• chore: update owners by @​shizhMSFT in oras-project/oras-go#459
• fix: refactor tagging implementation for OCI Store by @​Wwwsylvia in oras-project/oras-go#462

Full Changelog: oras-project/oras-go@v2.0.1...v2.0.2

Commits

• 336b9fb fix: refactor tagging implementation for OCI Store (#462)
• 0c6633b chore: update owners (#459)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @srenatus.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[srenatus]

@dependabot squash and merge

[yuseferi]

I see an error in oras.land/oras-go/v2, MediaTypeArtifactManifest has been used without defined, I'm just wondering there is no quality checker on this Repo?
after I updated the opa version to the lastest, my golangci-lint is failing

[anderseknert]

Hi @yuseferi 👋 I'm not sure I follow :) Is there a linter warning emitted from their repo?

The golangci-lint linters are run via make check in the OPA repo and are included in any builds.

[cosmotek]

I'm also experiencing this issue. I've just upgraded from v0.49.0 to v.0.52.0 to resolve some vulns related to the previous docker dependency.

$ go install -mod vendor ./vendor/github.com/open-policy-agent/opa
# oras.land/oras-go/v2/internal/descriptor
vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go:73:11: undefined: ocispec.MediaTypeArtifactManifest

[anderseknert]

Thanks! @ashutosh-narkar / @johanfylling could one of you PTAL?

[ARolek]

Looks like this issue has been addressed upstream: oras-project/oras-go#495. Do we need to wait for a point release from that project before OPA will re-vendor it?

[ashutosh-narkar]

Yes once a new release is created, OPA will re-vendor it.

[ARolek]

@ashutosh-narkar it looks like v2.1.0 has been released: https://github.com/oras-project/oras-go/releases

[ARolek]

Disregard. Looks like it has already landed in OPA: #5904 🎉

[yuseferi]

Nice. now we just need a release in OPA :). Thank you guys

[yuseferi]

Hey guys, just due to update blocked on this, what the release plan for this?

[yuseferi]

https://github.com/open-policy-agent/opa/releases/tag/v0.53.0 🎉