Migrate from ghodss/yaml to gopkg.in/yaml.v3 #1818

Merged
merged 2 commits into from
Jan 31, 2023
mtrmac
Collaborator

@mtrmac mtrmac commented Jan 30, 2023

This attempts to remove a dependency on yaml.v2 which we, sort of, control. This parallels containers/skopeo#1885 .

At the very least this will allow removing ghodss/yaml from Skopeo (but not from Podman, because Podman uses this package directly). That’s at least a bit of code.

Note that the whole of c/image will continue to depend on yaml.v2 , via a Swagger-generated Rekor client, depending on go-openapi/runtime#245 .

Tested, so far, only using unit tests; that suggests that the migration from ghodss/yaml might be fairly tricky. The openshift case is one where we would be quite unlikely to notice breakage in practice, but it has fairly good unit tests. The registries.d case has worse unit tests, but simpler data types and probably better integration test coverage.

This requires us to _manually_ deal with the bytes-as-base64-strings
format.

Signed-off-by: Miloslav Trmač <[email protected]>
This has insufficient unit test coverage...

Signed-off-by: Miloslav Trmač <[email protected]>
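The first commit message above says the bytes-as-base64-strings format now has to be handled manually. The following is an added illustration, not code from this PR, using only the standard library: ghodss/yaml decodes through encoding/json, which base64-decodes `[]byte` fields on its own. The `textBacked` type, the `content` field and the function names are hypothetical and stand in for a field that a decoder without that convention returns as plain text.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed sample: the text "signed-blob" in standard base64.
const sampleB64 = "c2lnbmVkLWJsb2I="

// jsonBacked is the shape a JSON-backed YAML wrapper fills in:
// encoding/json treats a []byte field as a base64 string.
type jsonBacked struct {
	Content []byte `json:"content"`
}

// viaJSON relies on encoding/json to do the base64 step implicitly.
func viaJSON(doc string) ([]byte, error) {
	var v jsonBacked
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return nil, err
	}
	return v.Content, nil
}

// textBacked (hypothetical) is what remains once that convention is gone:
// the field arrives as text and the caller owns the decoding.
type textBacked struct {
	Content string
}

// manual performs the base64 step explicitly and rejects malformed input
// instead of passing undecoded text on as if it were the payload.
func manual(v textBacked) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(v.Content)
	if err != nil {
		return nil, fmt.Errorf("content is not valid base64: %w", err)
	}
	return raw, nil
}

func main() {
	a, errA := viaJSON(`{"content":"` + sampleB64 + `"}`)
	b, errB := manual(textBacked{Content: sampleB64})
	fmt.Println(errA, errB, bytes.Equal(a, b), string(b))
}
```
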
Member

@vrothberg vrothberg left a comment

LGTM

@rhatdan
Member

rhatdan commented Jan 31, 2023

Nice LGTM.
Hopefully a slightly thinner skopeo.

@rhatdan rhatdan merged commit 228308b into containers:main Jan 31, 2023
@rhatdan
Member

rhatdan commented Jan 31, 2023

Looks like vendoring is still pulling in gopkg.in/yaml.v2 v2.4.0 // indirect
for some non-obvious reason.

$ grep -r gopkg.in/yaml.v2 .
./go.mod:	gopkg.in/yaml.v2 v2.4.0 // indirect
./go.sum:gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
./go.sum:gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
./go.sum:gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
./go.sum:gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
grep: ./.cache/go-build/00/00f8742d18523f7a327bcbec607f0eb65a8b27339688b1555c5326aa93f32ee0-d: binary file matches
grep: ./.cache/go-build/21/210fae595129b75d889fb05bcc4fd108e355969d41602dd2f642664b98c75235-d: binary file matches
grep: ./.cache/go-build/63/6340e4be7517480df890a58dd24b55bfc4549feb735e1b49f9878c78cde52642-d: binary file matches
grep: ./.cache/go-build/64/64766ad4065614680724cb2a1ddb2ab0205217a5801d8d2b42b0f62aa83f33f0-d: binary file matches
grep: ./.cache/go-build/65/65b1a27c5860ebc2fa88279e7fc294c1d34ced0aa8c711ae70439af25b9609e8-d: binary file matches
grep: ./.cache/go-build/6a/6a248e0643d37190cd6feb1e9e6e1dcfc3efd5046ead10994766d47c7ab04b27-d: binary file matches
grep: ./.cache/go-build/b3/b3c98467661720e3696116774f88a900a1410732d054af53074b6431f2129768-d: binary file matches
grep: ./.cache/go-build/d0/d0ef2314bf24945b79939d6efd8e9cabb4e5c8913eb7d5abd51a21d2ea2fb7af-d: binary file matches

@vrothberg
Member

@rhatdan, it's gone. The go.sum file is more a DB for "known/used" dependencies until now; that includes those who aren't used anymore.

@rhatdan
Member

rhatdan commented Jan 31, 2023

It is listed in go.mod above?

@vrothberg
Member

How could I have missed that, apologies. go mod why can help:

image (main) $ go mod why gopkg.in/yaml.v2
# gopkg.in/yaml.v2
github.com/containers/image/v5/signature/internal
github.com/sigstore/rekor/pkg/generated/models
github.com/go-openapi/validate
github.com/go-openapi/validate.test
gopkg.in/yaml.v2

@vrothberg
Member

image (main) $ grep -r "yaml\.v2" vendor/
vendor/github.com/go-openapi/runtime/yamlpc/yaml.go:    "gopkg.in/yaml.v2"

@mtrmac
Collaborator Author

mtrmac commented Jan 31, 2023

Yes; the PR description mentions this dependency. We are getting rid of ghodss/yaml, not of gopkg.in/yaml.v2.
