Exercise containers_image_sequoia in CI

This build tag replaces the backend for _verification_ of GPG signatures, to use Sequoia-PGP instead of GNUPG. Do Rawhide builds with Sequoia; the podman-sequoia package exists in F43 and later, so we can't do it in earlier versions. This way we cover both variants (+ containers_image_openpgp in the podman-remote client, at least that it builds). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-11-28 17:18:58 +08:00 · 2025-07-15 18:54:33 +02:00
parent 998c9d8f6a
commit 2f005b67f4
4 changed files with 29 additions and 4 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -95,6 +95,7 @@ validate-source_task:
        image_name: "${FEDORA_CACHE_IMAGE_NAME}"  # from stdenvars
    env:
        TEST_FLAVOR: validate-source
+        TEST_BUILD_TAGS: ""
    # NOTE: The default way Cirrus-CI clones is *NOT* compatible with
    #       environment expectations in contrib/cirrus/lib.sh.  Specifically
    #       the 'origin' remote must be defined, and all remote branches/tags
@@ -151,11 +152,13 @@ build_task:
        # Ref: https://cirrus-ci.org/guide/writing-tasks/#matrix-modification
        - env: &stdenvars
              DISTRO_NV: ${FEDORA_NAME}
+              TEST_BUILD_TAGS: ""
              # Not used here, is used in other tasks
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        - env:
              DISTRO_NV: ${PRIOR_FEDORA_NAME}
+              TEST_BUILD_TAGS: ""
              VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
              CI_DESIRED_DATABASE: boltdb
@@ -163,11 +166,13 @@ build_task:
        - env:
              <<: *stdenvars
              DISTRO_NV: ${RAWHIDE_NAME}
+              TEST_BUILD_TAGS: "containers_image_sequoia"
              VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
              CI_DESIRED_STORAGE: composefs
              CTR_FQIN: ""
        - env:
              DISTRO_NV: ${DEBIAN_NAME}
+              TEST_BUILD_TAGS: ""
              VM_IMAGE_NAME: ${DEBIAN_CACHE_IMAGE_NAME}
    env:
        TEST_FLAVOR: build
@@ -209,6 +214,7 @@ build_aarch64_task:
        VM_IMAGE_NAME: ${FEDORA_AARCH64_AMI}
        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        TEST_FLAVOR: build
+        TEST_BUILD_TAGS: ""
    clone_script: *full_clone
    # TODO: Rename to "ci-sanity" and move into task that runs in parallel to build
    prebuild_script: *prebuild
@@ -236,6 +242,7 @@ alt_build_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: "altbuild"
+        TEST_BUILD_TAGS: ""
    gce_instance: *fastvm
    matrix:
      - env:
@@ -402,6 +409,7 @@ bindings_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: bindings
+        TEST_BUILD_TAGS: ""
    # N/B: This script depends on ${DISTRO_NV} being defined for the task.
    clone_script: &get_gosrc |
        cd /tmp
@@ -443,6 +451,7 @@ swagger_task:
        GCPJSON: ENCRYPTED[927dc01e755eaddb4242b0845cf86c9098d1e3dffac38c70aefb1487fd8b4fe6dd6ae627b3bffafaba70e2c63172664e]
        GCPNAME: ENCRYPTED[c145e9c16b6fb88d476944a454bf4c1ccc84bb4ecaca73bdd28bdacef0dfa7959ebc8171a27b2e4064d66093b2cdba49]
        GCPPROJECT: 'libpod-218412'
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -536,6 +545,7 @@ docker-py_test_task:
        <<: *stdenvars
        TEST_FLAVOR: docker-py
        TEST_ENVIRON: container
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -568,6 +578,7 @@ unit_test_task:
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: unit
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -630,6 +641,7 @@ apiv2_test_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: apiv2
+        TEST_BUILD_TAGS: ""
    matrix:
      - env:
          PRIV_NAME: root
@@ -664,6 +676,7 @@ compose_test_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: compose_v2
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -736,6 +749,7 @@ container_integration_test_task:
    env:
        TEST_FLAVOR: int
        TEST_ENVIRON: container
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -780,6 +794,7 @@ podman_machine_task:
    env:
      EC2_INST_TYPE: "m5zn.metal"  # Bare-metal instance is required
      TEST_FLAVOR: "machine-linux"
+      TEST_BUILD_TAGS: ""
      PRIV_NAME: "rootless"  # intended use-case
      DISTRO_NV: "${FEDORA_NAME}"
      VM_IMAGE_NAME: "${FEDORA_AMI}"
@@ -799,6 +814,7 @@ podman_machine_aarch64_task:
    timeout_in: 30m
    env:
        TEST_FLAVOR: "machine-linux"
+        TEST_BUILD_TAGS: ""
        EC2_INST_TYPE: c6g.metal
        PRIV_NAME: "rootless"  # intended use-case
        DISTRO_NV: "${FEDORA_AARCH64_NAME}"
@@ -954,6 +970,7 @@ local_system_test_aarch64_task: &local_system_test_task_aarch64
    env:
        <<: *stdenvars_aarch64
        TEST_FLAVOR: sys
+        TEST_BUILD_TAGS: ""
        DISTRO_NV: ${FEDORA_AARCH64_NAME}
    clone_script: *get_gosrc_aarch64
    setup_script: *setup
@@ -1031,6 +1048,7 @@ farm_test_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: farm
+        TEST_BUILD_TAGS: ""
        PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
@@ -1053,6 +1071,7 @@ buildah_bud_test_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: bud
+        TEST_BUILD_TAGS: ""
    matrix:
        - env:
            PODBIN_NAME: podman
@@ -1090,6 +1109,7 @@ upgrade_test_task:
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: upgrade_test
+        TEST_BUILD_TAGS: ""
        DISTRO_NV: ${FEDORA_NAME}
        VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
        # Never force a DB, let the old version decide its default
@@ -1238,6 +1258,7 @@ release_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: release
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
@@ -1265,6 +1286,7 @@ release_test_task:
    env:
        <<: *stdenvars
        TEST_FLAVOR: release
+        TEST_BUILD_TAGS: ""
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
--- a/2
+++ b/2
@@ -56,6 +56,7 @@ SYSTEMDDIR ?= ${LIBDIR}/systemd/system
 USERSYSTEMDDIR ?= ${LIBDIR}/systemd/user
 SYSTEMDGENERATORSDIR ?= ${LIBDIR}/systemd/system-generators
 USERSYSTEMDGENERATORSDIR ?= ${LIBDIR}/systemd/user-generators
+SEQUOIA_SONAME_DIR =
 REMOTETAGS ?= remote exclude_graphdriver_btrfs containers_image_openpgp
 BUILDTAGS ?= \
 	grpcnotrace \
@@ -131,6 +132,7 @@ LDFLAGS_PODMAN ?= \
 	-X $(LIBPOD)/config._installPrefix=$(PREFIX) \
 	-X $(LIBPOD)/config._etcDir=$(ETCDIR) \
 	-X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \
+	-X go.podman.io/image/v5/signature/internal/sequoia.sequoiaLibraryDir='"$(SEQUOIA_SONAME_DIR)"' \
 	-X go.podman.io/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\
 	$(EXTRA_LDFLAGS)
 LDFLAGS_PODMAN_STATIC ?= \
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -213,7 +213,8 @@ function _run_build() {
    # Ensure always start from clean-slate with all vendor modules downloaded
    showrun make clean
    showrun make vendor
-    showrun make -j $(nproc) --output-sync=target podman-release  # includes podman, podman-remote, and docs
+    # shellcheck disable=SC2154
+    showrun make -j $(nproc) --output-sync=target podman-release EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" # includes podman, podman-remote, and docs

    # There's no reason to validate-binaries across multiple linux platforms
    # shellcheck disable=SC2154
@@ -416,7 +417,7 @@ dotest() {
        die "The CI test TMPDIR is not on a tmpfs mount, we need tmpfs to make the tests faster"
    fi

-    showrun make ${localremote}${testsuite} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG \
+    showrun make ${localremote}${testsuite} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" \
        |& logformatter

    # FIXME: https://github.com/containers/podman/issues/22642
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -422,11 +422,11 @@ case "$TEST_FLAVOR" in
                die "Refusing to config. host-test in container";
            fi
            remove_packaged_podman_files
-            make install PREFIX=/usr ETCDIR=/etc
+            make install PREFIX=/usr ETCDIR=/etc EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"
        elif [[ "$TEST_ENVIRON" == "container" ]]; then
            if ((CONTAINER)); then
                remove_packaged_podman_files
-                make install PREFIX=/usr ETCDIR=/etc
+                make install PREFIX=/usr ETCDIR=/etc EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"
            fi
        else
            die "Invalid value for \$TEST_ENVIRON=$TEST_ENVIRON"