Fixes: #38788

Related:

Pre-review Checklist

For new package PRs only

• This PR is marked as fixing a pre-existing package request bug
  • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
• REQUIRED - The package is available under an OSI-approved or FSF-approved license
• REQUIRED - The version of the package is still receiving security updates
• This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

• The upstream project actually supports multiple concurrent versions.
• Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
• The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)
• If non-streamed package names no longer built, open PR to withdraw them (see WITHDRAWING PACKAGES)

For package updates (renames) in the base images

When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)

• REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
• REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
• Upon launch, does apk upgrade --latest successfully upgrades packages or performs no actions

For security-related PRs

• The security fix is recorded in the advisories repo

For version bump PRs

• The epoch field is reset to 0

For PRs that add patches

• Patch source is documented