opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2026-03-13 08:01:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21351 from cevich/no_mo_48

Browse Source 
[v4.8] Disable CI
This commit is contained in:
openshift-merge-bot[bot]
2024-01-24 21:10:07 +00:00
committed by GitHub
parent 0c9a007f8f dd99e444ed
commit fb7ee33b50
15 changed files with 0 additions and 2313 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1216
.cirrus.yml
View File

File diff suppressed because it is too large Load Diff

92
.github/workflows/check_cirrus_cron.yml vendored
View File

@@ -1,92 +0,0 @@
---
# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
# Required to un-FUBAR default ${{github.workflow}} value
name: check_cirrus_cron
on:
# Note: This only applies to the main branch.
schedule:
# N/B: This should correspond to a period slightly after
# the last job finishes running. See job defs. at:
# https://cirrus-ci.com/settings/repository/6707778565701632
- cron: '03 03 * * 1-5'
# Debug: Allow triggering job manually in github-actions WebUI
workflow_dispatch: {}
# Allow re-use of this workflow by other repositories
# Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
workflow_call:
secrets:
SECRET_CIRRUS_API_KEY:
required : true
ACTION_MAIL_SERVER:
required: true
ACTION_MAIL_USERNAME:
required: true
ACTION_MAIL_PASSWORD:
required: true
ACTION_MAIL_SENDER:
required: true
env:
# CSV listing of e-mail addresses for delivery failure or error notices
RCPTCSV: podman-monitor@lists.podman.io
# Filename for table of build-id to cron-name data
# (must be in $GITHUB_WORKSPACE/artifacts/)
ID_NAME_FILEPATH: './artifacts/id_name.txt'
permissions:
contents: read
jobs:
cron_failures:
runs-on: ubuntu-latest
steps:
# This is where the scripts live
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
repository: containers/podman
ref: 'main'
persist-credentials: false
- name: Get failed cron names and Build IDs
id: cron
run: './.github/actions/check_cirrus_cron/cron_failures.sh'
- if: steps.cron.outputs.failures > 0
shell: bash
run: './.github/actions/check_cirrus_cron/make_email_body.sh'
- if: steps.cron.outputs.failures > 0
name: Send failure notification e-mail
# Ref: https://github.com/dawidd6/action-send-mail
uses: dawidd6/action-send-mail@v3.9.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Cirrus-CI cron build failures on ${{github.repository}}
to: ${{env.RCPTCSV}}
from: ${{secrets.ACTION_MAIL_SENDER}}
body: file://./artifacts/email_body.txt
- if: always()
uses: actions/upload-artifact@v3
with:
name: ${{ github.job }}_artifacts
path: artifacts/*
- if: failure()
name: Send error notification e-mail
uses: dawidd6/action-send-mail@v3.9.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Github workflow error on ${{github.repository}}
to: ${{env.RCPTCSV}}
from: ${{secrets.ACTION_MAIL_SENDER}}
body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

68
.github/workflows/discussion_lock.yml vendored
View File

@@ -1,68 +0,0 @@
---
# Format ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
name: "Lock closed Issue/PR discussions"
on:
schedule:
- cron: '0 0 * * *'
# Allow re-use of this workflow by other repositories
# Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
workflow_call:
secrets:
ACTION_MAIL_SERVER:
required: true
ACTION_MAIL_USERNAME:
required: true
ACTION_MAIL_PASSWORD:
required: true
ACTION_MAIL_SENDER:
required: true
# Debug: Allow triggering job manually in github-actions WebUI
workflow_dispatch: {}
permissions:
contents: read
concurrency:
group: lock
env:
# Number of days before a closed issue/PR is be comment-locked.
# Note: dessant/lock-threads will only process a max. of
# 50 issues/PRs at a time.
CLOSED_DAYS: 90
# Pre-created issue/PR label to add (preferably a bright color).
# This is intended to direct a would-be commenter's actions.
LOCKED_LABEL: 'locked - please file new issue/PR'
jobs:
closed_issue_discussion_lock:
name: "Lock closed Issue/PR discussions"
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
# Ref: https://github.com/dessant/lock-threads#usage
- uses: dessant/lock-threads@v5
with:
issue-inactive-days: '${{env.CLOSED_DAYS}}'
pr-inactive-days: '${{env.CLOSED_DAYS}}'
add-issue-labels: '${{env.LOCKED_LABEL}}'
add-pr-labels: '${{env.LOCKED_LABEL}}'
pr-lock-reason: 'resolved'
log-output: true
- if: failure()
name: Send job failure notification e-mail
uses: dawidd6/action-send-mail@v3.9.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Github workflow error on ${{github.repository}}
to: podman-monitor@lists.podman.io
from: ${{secrets.ACTION_MAIL_SENDER}}
body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

31
.github/workflows/fcos-podman-next-build-prepush-test.yml vendored
View File

@@ -1,31 +0,0 @@
# This workflow only runs a build test to check for buildability issues before
# PR merge. No registry push occurs here.
name: Build FCOS image with podman-next
on:
pull_request:
branches:
- main
env:
IMAGE_NAME: fcos
IMAGE_REGISTRY: quay.io/podman
COPR_OWNER: rhcontainerbot
COPR_PROJECT: podman-next
jobs:
fcos-podman-next-image-build-prepush-test:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Build FCOS Image
id: build_image_test
# Ref: https://github.com/redhat-actions/buildah-build
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
tags: ${{ github.sha }}
containerfiles: ./contrib/podman-next/fcos-podmanimage/Containerfile

97
.github/workflows/fcos-podman-next-build.yml vendored
View File

@@ -1,97 +0,0 @@
name: Build FCOS image with packages from rhcontainerbot/podman-next
on:
push:
branches:
- main
# Run everyday at midnight and pull the latest packages from the copr
schedule:
- cron: '0 0 * * *'
env:
IMAGE_NAME: fcos
# IMAGE_ARCHS has to be comma separated
IMAGE_ARCHS: amd64, arm64
IMAGE_REGISTRY: quay.io/podman
COPR_OWNER: rhcontainerbot
COPR_PROJECT: podman-next
jobs:
fcos-podman-next-image-build:
runs-on: ubuntu-latest
steps:
- name: Install qemu dependency
run: |
sudo apt update
sudo apt -y install qemu-user-static
- name: Set up wait-for-copr
# Do not run on scheduled nightly builds
if: ${{ github.event_name != 'schedule' }}
run: |
pip3 install git+https://github.com/packit/wait-for-copr.git@main
- name: Check out code
uses: actions/checkout@v4
- name: Get short SHA from HEAD
run: echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
id: short_sha
- name: Wait for successful podman-next build with the latest commit
# Do not run on scheduled nightly builds
if: ${{ github.event_name != 'schedule' }}
run: |
# TODO: add this in the Containerfile itself or as a --build-arg
wait-for-copr --owner ${{ env.COPR_OWNER }} --project ${{ env.COPR_PROJECT }} podman ${{ env.SHORT_SHA }}
echo "podman-next build successful."
- name: Build FCOS Image
id: build_image_multiarch
# Ref: https://github.com/redhat-actions/buildah-build
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.COPR_PROJECT }} podman-${{ env.SHORT_SHA }}
archs: ${{ env.IMAGE_ARCHS }}
containerfiles: ./contrib/podman-next/fcos-podmanimage/Containerfile
labels: |
org.opencontainers.image.title=fcos-podman-next image
org.opencontainers.image.source=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/contrib/podman-next/fcos-podmanimage/Containerfile
org.opencontainers.image.url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
org.opencontainers.image.description=FCOS image with rpms from rhcontainerbot/podman-next copr
org.opencontainers.image.revision=${{ github.sha }}
- name: Echo Outputs
run: |
echo "Image: ${{ steps.build_image_multiarch.outputs.image }}"
echo "Tags: ${{ steps.build_image_multiarch.outputs.tags }}"
echo "Tagged Image: ${{ steps.build_image_multiarch.outputs.image-with-tag }}"
- name: Check images created
run: buildah images | grep '${{ env.IMAGE_NAME }}'
- name: Check image metadata
run: |
set -x
# COPR_PROJECT envvar is used for the `podman-next` floating tag
buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".OCIv1.architecture"
buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".Docker.architecture"
buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".OCIv1.architecture"
buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".Docker.architecture"
- name: Run image
run: podman run --privileged --rm ${{ steps.build_image_multiarch.outputs.image-with-tag }} podman system info
- name: Push to Quay
id: push-to-quay
# Ref: https://github.com/redhat-actions/push-to-registry
uses: redhat-actions/push-to-registry@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.build_image_multiarch.outputs.tags }}
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ secrets.QUAY_PODMAN_USERNAME }}
password: ${{ secrets.QUAY_PODMAN_PASSWORD }}

21
.github/workflows/issue-labeler.yml vendored
View File

@@ -1,21 +0,0 @@
name: "Issue Labeler"
on:
issues:
types: [opened, edited]
permissions:
contents: read
jobs:
triage:
permissions:
contents: read # for github/issue-labeler to get repo contents
issues: write # for github/issue-labeler to create or remove labels
runs-on: ubuntu-latest
steps:
- uses: github/issue-labeler@v3.3
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: .github/issue-labeler.yml
not-before: 2022-01-27T00:00:00Z
enable-versioned-regex: 0

15
.github/workflows/labeler.yml vendored
View File

@@ -1,15 +0,0 @@
# https://github.com/actions/labeler
name: "Pull Request Labeler"
on:
- pull_request_target
jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"

154
.github/workflows/mac-pkg.yml vendored
View File

@@ -1,154 +0,0 @@
name: Sign and Upload Mac Installer
on:
release:
types: [created, published]
workflow_dispatch:
inputs:
version:
description: 'Release version to build and upload (e.g. "v9.8.7")'
required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions:
contents: write
jobs:
build:
runs-on: macos-latest
env:
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
- name: Determine Version
id: getversion
run: |
if [[ -z "${{ inputs.version }}" ]]
then
VERSION=${{ github.event.release.tag_name }}
else
VERSION=${{ inputs.version }}
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check uploads
id: check
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
ARM_FILE="podman-installer-macos-arm64.pkg"
AMD_FILE="podman-installer-macos-amd64.pkg"
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildarm=true" >> $GITHUB_OUTPUT
else
echo "::warning::ARM installer already exists, skipping"
echo "buildarm=false" >> $GITHUB_OUTPUT
fi
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
if [[ "$status" == "404" ]] ; then
echo "buildamd=true" >> $GITHUB_OUTPUT
else
echo "::warning::AMD installer already exists, skipping"
echo "buildamd=false" >> $GITHUB_OUTPUT
fi
- name: Checkout Version
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{steps.getversion.outputs.version}}
- name: Set up Go
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/setup-go@v4
with:
go-version: stable
- name: Create Keychain
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
- name: Build and Sign ARM
if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=aarch64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
- name: Build and Sign AMD
if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller
run: |
make ARCH=amd64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
- name: Artifact
if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v3
with:
name: installers
path: |
contrib/pkginstaller/out/podman-installer-macos-*.pkg
contrib/pkginstaller/out/shasums
- name: Upload to Release
if: >-
steps.actual_dryrun.outputs.dryrun == 'false' &&
(steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
cat contrib/pkginstaller/out/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums

24
.github/workflows/pr-title.yml vendored
View File

@@ -1,24 +0,0 @@
# Upstream: github.com/tzkhan/pr-update-action
name: "PR title check"
on:
pull_request_target:
branches:
- "!master" # causes errors; reason unknown
permissions:
contents: read
jobs:
update_pr:
permissions:
pull-requests: write # for tzkhan/pr-update-action to update PRs
runs-on: ubuntu-latest
steps:
- uses: tzkhan/pr-update-action@bbd4c9395df8a9c4ef075b8b7fe29f2ca76cdca9 # v2
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
base-branch-regex: '^(?!master).*$'
title-template: '[%basebranch%]'
title-prefix-space: true

78
.github/workflows/rerun_cirrus_cron.yml vendored
View File

@@ -1,78 +0,0 @@
---
# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
# Required to un-FUBAR default ${{github.workflow}} value
name: rerun_cirrus_cron
on:
# Note: This only applies to the main branch.
schedule:
# N/B: This should fire about an hour prior to check_cirrus_cron
# so the re-runs have a chance to complete.
- cron: '01 01 * * 1-5'
# Debug: Allow triggering job manually in github-actions WebUI
workflow_dispatch: {}
# Allow re-use of this workflow by other repositories
# Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
workflow_call:
secrets:
SECRET_CIRRUS_API_KEY:
required : true
ACTION_MAIL_SERVER:
required: true
ACTION_MAIL_USERNAME:
required: true
ACTION_MAIL_PASSWORD:
required: true
ACTION_MAIL_SENDER:
required: true
env:
# CSV listing of e-mail addresses for delivery failure or error notices
RCPTCSV: podman-monitor@lists.podman.io
# Filename for table of build-id to cron-name data
# (must be in $GITHUB_WORKSPACE/artifacts/)
ID_NAME_FILEPATH: './artifacts/id_name.txt'
permissions:
contents: read
jobs:
cron_rerun:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
# All scripts used by this workflow live in podman repo.
repository: "containers/podman"
ref: "main"
persist-credentials: false
- name: Get failed cron names and Build IDs
id: cron
run: './.github/actions/check_cirrus_cron/cron_failures.sh'
- if: steps.cron.outputs.failures > 0
shell: bash
env:
SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }}
run: './.github/actions/check_cirrus_cron/rerun_failed_tasks.sh'
- uses: actions/upload-artifact@v3
with:
name: ${{ github.job }}_artifacts
path: artifacts/*
- if: failure()
name: Send error notification e-mail
uses: dawidd6/action-send-mail@v3.9.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Github workflow error on ${{github.repository}}
to: ${{env.RCPTCSV}}
from: ${{secrets.ACTION_MAIL_SENDER}}
body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

207
.github/workflows/scan-secrets.yml vendored
View File

@@ -1,207 +0,0 @@
---
name: Scan for secret leaks and changes
on:
# Block PR modification of workflow
pull_request_target:
push:
workflow_dispatch:
# N/B: Default write-all permission for pull_request_target
permissions: read-all
env:
# How far back in history to go when scanning a branch/tag
# This is most significant when scanning vs new release-branches
# with commit IDs that may differ from those encoded in the
# .gitleaks/baseline.json data (which always comes from
# the default branch).
# TODO: Is there any way to not hard-code this?
# N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
brdepth: 50
# GitLeaks container image to use.
# N/B: Updating this is hard to test, esp. care must be exercised re: new leak-ignore behaviors
# (example ref: 'Check for inline scan overrides' step below). Also b/c this workflow is not
# intended to be used with the 'pull_request' trigger - as doing so defeats gitleaks scan
# result trustworthiness.
# N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
glfqin: ghcr.io/gitleaks/gitleaks@sha256:e5f6d1a62786affd1abd882ecc73e9353ce78adea1650711f6e351767723712d # v8.18.0
# General arguments to pass for all execution contexts
# Ref: https://github.com/gitleaks/gitleaks#usage
# N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
glargs: >-
--exit-code=1
--no-banner
--verbose
--log-level=debug
--source=/subject
--config=/default/.gitleaks.toml
--report-path=/report/gitleaks-report.json
--baseline-path=/default/.gitleaks/baseline.json
# Where to send notification e-mail
RCPTCSV: podman-monitor@lists.podman.io
jobs:
scan-secrets:
runs-on: ubuntu-latest
env:
# Reduce duplication & command-line length
gitlogcmd: "git -C ${{ github.workspace }}/_subject log -p -U0"
steps:
- name: Define git log command and options for re-use
id: gitlog
shell: bash
run: |
set -exuo pipefail
if [[ "${{ github.base_ref }}" == "" ]]; then # It's a branch/tag
echo "range=-${{ env.brdepth }}" >> $GITHUB_OUTPUT
else # It's a PR
echo "range=${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }}..HEAD" >> $GITHUB_OUTPUT
fi
# On a large repo, there's no need to check out the entire thing. For PRs
# the depth can be limited to one-greater than the number of PR commits.
# Unfortunately, GHA is incapable of performing simple math in-line.
- name: Do some simple math for PR clone depth
if: github.base_ref != ''
id: one_more_commit
shell: bash
run: |
echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
- name: Show important context details
shell: bash
run: |
set -euo pipefail
echo "The workspace path is '${{ github.workspace }}'"
echo "The github.base_ref value is '${{ github.base_ref }}'"
echo "The branch scan depth value is '${{ env.brdepth }}'"
echo "The PR clone depth value is '${{ steps.one_more_commit.outputs.depth }}'"
echo "The gitlogcmd value is '${{ env.gitlogcmd }}'"
echo "The gitlog range value is '${{ steps.gitlog.outputs.range }}'"
echo "The GitLeaks container FQIN is '${{ env.glfqin }}'"
echo "::group::The trigger event JSON"
jq --color-output --indent 2 --sort-keys . $GITHUB_EVENT_PATH
echo "::endgroup::"
# N/B: Use "_" prefixed paths to (somewhat) guard against clashes. GHA has some
# non-POLA behaviors WRT `${{ github.workspace }}` + checkout action.
- name: Checkout PR
if: github.base_ref != ''
uses: actions/checkout@v4
with:
persist-credentials: false
path: _subject
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: ${{ steps.one_more_commit.outputs.depth }}
- name: Checkout Branch/Tag
if: github.base_ref == ''
uses: actions/checkout@v4
with:
persist-credentials: false
path: _subject
fetch-depth: ${{ env.brdepth }}
# Trusted source of gitleaks config.
- name: Checkout default branch
uses: actions/checkout@v4
with:
persist-credentials: false
ref: ${{ github.event.repository.default_branch }}
path: _default
fetch-depth: 1
- name: Create report directory
shell: bash
run: |
set -exuo pipefail
mkdir ${{ github.workspace }}/_report
touch ${{ github.workspace }}/_report/gitleaks-report.json
# A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
- name: Show content being scanned
shell: bash
run: |
set -exuo pipefail
${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
# Unfortunately gitleaks provides several in-built ways to
# completely bypass an alert within PR-level commits. Assume
# it's not possible to detect these with gitleaks-config rules.
- name: Check for inline scan overrides
if: github.base_ref != '' # A PR
shell: bash
env:
# Workaround erronously detecting the string in this file
_rx1: "gitleaks"
_rx2: ":"
_rx3: "allow"
run: |
set -euo pipefail
verboten_rx="${_rx1}${_rx2}${_rx3}"
verboten=$(set -x ; ${{ env.gitlogcmd }} "-G$verboten_rx" ${{ steps.gitlog.outputs.range }})
if [[ -n "$verboten" ]]; then
printf '::error::%s' 'Found comment(s) utilizing detection override(s) (see job log for details)'
# Hack: Grep will never colorize an end of a line match
echo "$verboten" | grep --color=always -E "($verboten_rx)|$"
exit 1
fi
if [[ -r "${{ github.workspace }}/_subject/.gitleaksignore" ]]; then
printf '::error::%s' 'Detected a .gitleaksignore file from untrusted source.'
exit 1
fi
- name: Scan for secrets
shell: bash
# gitleaks entrypoint runs as gitleaks user (UID/GID 1000)
run: |
set -exuo pipefail
# TODO: Workaround podman < v4.3.0 support for `--userns=keep-id:uid=1000,gid=1000`.
declare -a workaround_args
workaround_args=(\
--user 1000:1000
--uidmap 0:1:1000
--uidmap 1000:0:1
--uidmap 1001:1001:64536
--gidmap 0:1:1000
--gidmap 1000:0:1
--gidmap 1001:1001:64536
)
# Careful: Changes need coordination with contrib/cirrus/prebuild.sh
podman run --rm \
--security-opt=label=disable \
"${workaround_args[@]}" \
-v ${{ github.workspace }}/_default:/default:ro \
-v ${{ github.workspace }}/_subject:/subject:ro \
-v ${{ github.workspace }}/_report:/report:rw \
$glfqin \
detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
- name: Collect scan report artifact
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v3
with:
name: gitleaks-report
path: ${{ github.workspace }}/_report/gitleaks-report.json
# Nobody monitors the actions-tab for failures, and may not see this
# fail on push to a nefarious PR. Send an e-mail alert to unmask
# this activity or some other general job failure.
- if: failure() && !contains(github.event.pull_request.labels.*.name,'BypassLeakNotification')
name: Send leak detection notification e-mail
uses: dawidd6/action-send-mail@v3.9.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Addition|Change|Use of sensitive ${{github.repository}}-CI value
to: ${{env.RCPTCSV}}
from: ${{secrets.ACTION_MAIL_SENDER}}
body: "Please investigate: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

31
.github/workflows/stale.yml vendored
View File

@@ -1,31 +0,0 @@
name: Mark stale issues and pull requests
# Please refer to https://github.com/actions/stale/blob/master/action.yml
# to see all config knobs of the stale action.
on:
schedule:
- cron: "0 0 * * *"
permissions:
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v8
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
stale-pr-message: 'A friendly reminder that this PR had no activity for 30 days.'
stale-issue-label: 'stale-issue'
stale-pr-label: 'stale-pr'
days-before-stale: 30
days-before-close: 365
remove-stale-when-updated: true

151
.github/workflows/upload-win-installer.yml vendored
View File

@@ -1,151 +0,0 @@
name: Upload Windows Installer
on:
release:
types: [created, published, edited]
workflow_dispatch:
inputs:
version:
description: 'Release version to build and upload (e.g. "v9.8.7")'
required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions:
contents: write
jobs:
build:
runs-on: windows-latest
env:
FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
$inputs_dryrun = "${{ inputs.dryrun }}"
if ($inputs_dryrun.Length -lt 1) {
Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
} else {
Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
}
- name: Dry Run Status
run: |
Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
- name: Determine version
id: getversion
run: |
$version = "${{ inputs.version }}"
if ($version.Length -lt 1) {
$version = "${{ github.event.release.tag_name }}"
if ($version.Length -lt 1) {
Write-Host "::error::Could not determine version!"
Exit 1
}
}
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{steps.getversion.outputs.version}}
# This step is super-duper critical for the built/signed windows installer .exe file.
# It ensures the referenced $version github release page does NOT already contain
# this file. Windows assigns a UUID to the installer at build time, it's assumed
# by windows that one release version == one UUID (always). Breaking this assumption
# has some rather nasty side-effects in windows, such as possibly breaking 'uninstall'
# functionality. For dry-runs, the .exe is saved in the workflow artifacts for a human
# to judge w/n (i.e. in some extreme case) it should be uploaded to the release page.
- name: Check
id: check
run: |
Push-Location contrib\win-installer
.\check.ps1 ${{steps.getversion.outputs.version}}
$code = $LASTEXITCODE
if ($code -eq 2) {
Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location
Exit 0
}
Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location
Exit $code
# The podman release process requires a cross-compile of the windows binaries be uploaded to
# the release page as a hard-coded filename. If non-existent, this workflow will fail in
# non-obvious ways with a non-obvious error message. Address that here.
- name: Confirm upload_asset_name is non-empty
if: ${{ steps.check.outputs.upload_asset_name == '' }}
run: |
Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_md64.zip github release asset for version ${{steps.getversion.outputs.version}}."
Exit 1
- name: Set up Go
uses: actions/setup-go@v4
# N/B: already-exists may be an empty-string or "false", handle both cases.
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
with:
go-version: stable
- name: Setup Signature Tooling
if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
run: |
dotnet tool install --global AzureSignTool --version 3.0.0
echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Build
id: build
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
run: |
Push-Location contrib\win-installer
.\build.ps1 ${{steps.getversion.outputs.version}} prod
$code = $LASTEXITCODE
if ($code -eq 2) {
Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location
Exit 0
}
Pop-Location
Exit $code
- name: Artifact
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v3
with:
name: installer
path: |
${{ steps.check.outputs.upload_asset_name }}
.\contrib\win-installer\shasums
- name: Upload
if: >-
steps.actual_dryrun.outputs.dryrun == 'false' &&
steps.check.outputs.already-exists != 'true' &&
steps.build.outputs.artifact-missing != 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Push-Location contrib\win-installer
$version = "${{ steps.getversion.outputs.version }}"
if ($version[0] -ne "v") {
$version = "v$version"
}
gh release upload $version ${{ steps.check.outputs.upload_asset_name }}
if ($LASTEXITCODE -ne 0) {
.\check.ps1 $version
if ($LASTEXITCODE -eq 2) {
Write-Host "Another job uploaded before us, skipping"
Pop-Location
Exit 0
}
Pop-Location
Exit 1
}
if (Test-Path -Path shasums) {
gh release upload --clobber $version shasums
}
Pop-Location

48
.packit.sh
View File

@@ -1,48 +0,0 @@
#!/usr/bin/env bash
# This script handles any custom processing of the spec file using the `fix-spec-file`
# action in .packit.yaml. These steps only work on copr builds, not on official
# Fedora builds.
set -eox pipefail
PACKAGE=podman
# Set path to rpm spec file
SPEC_FILE=rpm/$PACKAGE.spec
# Get short sha
SHORT_SHA=$(git rev-parse --short HEAD)
# Get Version from HEAD
VERSION=$(grep '^const RawVersion' version/rawversion/version.go | cut -d\" -f2)
# RPM Version can't take "-"
RPM_VERSION=$(echo $VERSION | sed -e 's/-/~/')
# Generate source tarball from HEAD
git-archive-all -C $(git rev-parse --show-toplevel) --prefix=$PACKAGE-$VERSION/ rpm/$PACKAGE-$VERSION.tar.gz
# RPM Spec modifications
# Use the Version from HEAD in rpm spec
sed -i "s/^Version:.*/Version: $RPM_VERSION/" $SPEC_FILE
# Use Packit's supplied variable in the Release field in rpm spec.
sed -i "s/^Release:.*/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" $SPEC_FILE
# Ensure last part of the release string is the git shortcommit without a
# prepended "g"
sed -i "/^Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/ s/\(.*\)g/\1/" $SPEC_FILE
# Use above generated tarball as Source in rpm spec
sed -i "s/^Source0:.*.tar.gz/Source0: $PACKAGE-$VERSION.tar.gz/" $SPEC_FILE
# Update setup macro to use the correct build dir
sed -i "s/^%autosetup.*/%autosetup -Sgit -n %{name}-$VERSION/" $SPEC_FILE
# Update relevant sed entries in spec file with the actual VERSION and SHORT_SHA
# This allows podman --version to also show the SHORT_SHA along with the
# VERSION
sed -i "s/##VERSION##/$VERSION/" $SPEC_FILE
sed -i "s/##SHORT_SHA##/$SHORT_SHA/" $SPEC_FILE

80
.packit.yaml
View File

@@ -1,80 +0,0 @@
---
# See the documentation for more information:
# https://packit.dev/docs/configuration/
specfile_path: rpm/podman.spec
upstream_tag_template: v{version}
srpm_build_deps:
- git-archive-all
- make
actions:
fix-spec-file:
- "bash .packit.sh"
jobs:
- job: copr_build
trigger: pull_request
notifications:
failure_comment:
message: "Ephemeral COPR build failed. @containers/packit-build please check."
enable_net: true
targets:
- fedora-all-x86_64
- fedora-all-aarch64
- fedora-eln-x86_64
- fedora-eln-aarch64
- centos-stream+epel-next-8-x86_64
- centos-stream+epel-next-8-aarch64
- centos-stream+epel-next-9-x86_64
- centos-stream+epel-next-9-aarch64
additional_repos:
- "copr://rhcontainerbot/podman-next"
# Run on commit to main branch
- job: copr_build
trigger: commit
notifications:
failure_comment:
message: "podman-next COPR build failed. @containers/packit-build please check."
branch: main
owner: rhcontainerbot
project: podman-next
enable_net: true
- job: tests
identifier: cockpit-revdeps
trigger: pull_request
notifications:
failure_comment:
message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check."
targets:
- fedora-latest-stable
- fedora-development
tf_extra_params:
environments:
- artifacts:
- type: repository-file
id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
- type: repository-file
id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
tmt:
context:
revdeps: "yes"
- job: propose_downstream
trigger: release
update_release: false
dist_git_branches:
- fedora-all
- job: koji_build
trigger: commit
dist_git_branches:
- fedora-all
- job: bodhi_update
trigger: commit
dist_git_branches:
- fedora-branched # rawhide updates are created automatically