Lack of proper testing possibility for github actions and lack of
script-testing by me, allowed several flaws through into 'main'. Fix
the problems and manually test the scripts to make sure they're working.
Note: Also revert the stupid SHA-based action-pinning back to normal,
human-readable version numbers. The value of using SHAs in the name of
improved "security" is real, but the value of human-readability and
ease of maintenance is greater.
Signed-off-by: Chris Evich <cevich@redhat.com>
With a seemingly ever growing list of cirrus-cron jobs running on
release branches, there are bound to be some hiccups. Sometimes a lot
of them. Normally any failures require a human to eyeball the logs
and/or manually re-run the job to see if it was simply a flake. This
doesn't take long, but can be distracting and compounds over time.
Attempt to alleviate some maintainer burden by using a new github action
workflow to perform **one** automatic re-run on any failed builds. This
task is scheduled an hour prior to a second failure check, and generation
of notification e-mail for review.
Note: If there are no failures, due to the auto. re-run or luck, no
e-mail is generated. If this proves useful in this repo, I intend to
re-use this workflow for other repo's cirrus-cron jobs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Inline scripts make github-action workflow YAML harder to read/maintain.
Relocate the e-mail formation script to a dedicated file. This also
permits better input-validation and re-use of a common `err()` function.
Signed-off-by: Chris Evich <cevich@redhat.com>
This workflow was originally crafted to be (somehow) reused with
different scripts. That never happened and the extra indirection is
confusing and hard to maintain. Remove it.
Signed-off-by: Chris Evich <cevich@redhat.com>
Just a quick little addition to provide the command to get the package
info from brew for those who might not know.
Signed-off-by: Kirk Bater <kirk.bater@gmail.com>
Belated followup to #11829: use github labeler workflow[1] to
auto-add 'kind/api-change' label to PRs in which files are
touched under pkg/api
[1] https://github.com/actions/labeler
Signed-off-by: Ed Santiago <santiago@redhat.com>
Previously the reply JSON was examined for the literal presence of the
string 'error'. This was intended to catch server or query errors and
the like. However it's not a sound design as valid/legitimate contents
could potentially contain the string. Fix this by using the `-e` option
to `jq`, with a filter that should always result in a non-empty/null
match. If this fails or returns null for some reason, then it's safe to
throw a real error code & message.
Signed-off-by: Chris Evich <cevich@redhat.com>
@cevich recently renamed all the files named Dockerfile to Containerfile
in this directory. Touching up the README.md to reflect that.
Also, as I was doing the submit, I noticed a couple of nits in the PR
request template and cleaned those up.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Followup to https://github.com/openshift/release/pull/28686
in which we ask openshift-ci-bot to enforce a release-note
label on new PRs.
Dependabot PRs do not need release notes. Add a config setting
(copied from cri-o) that tells dependabot to set release-note-none
on new PRs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial step toward automating the collection & generation
of release notes: add a markdown release-note block to our
PR template. This will be reaped by an existing Kubernetes
tool and gathered into a document that can be used as a
starting point for future releases.
Many more followup steps to come.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Github-actions for large/complex tasks is hard to read and maintain.
Reimplement the multi-arch image build workflow into a set of bash
scripts that use all native contrainer-org tooling. This requires
a special VM image setup with emulation to build foreign architectures.
It also requires renaming the `helloimage` directory, because the build
script uses the directory name in the image FQIN.
Signed-off-by: Chris Evich <cevich@redhat.com>
- Updated dependabot to get updates for GitHub actions.
GitHub sends Dependabot alerts when we detect vulnerabilities affecting your repository
as well as when there are new updates to the dependency.
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack.
When your code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems for your project or the people who use it.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Good news the github action works, however I noticed that we cannot use
a multiline regex so we have to use serviceIsRemote to detect if this is
a remote client. Also change the os regex so that it matches both the
output of podman version and podman info.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
We get a lot of issues for podman-remote on macos. Since the fact that
this is a remote client is often overlooked by us lets add windows, macos
and remote label automatically based on a regex which should match the
output of podman version.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
While #12998 fixed the query string, it neglected to address
presence of the old `githubRepository` field name in the reply. This
resulted in the job throwing an error:
`jq: error (at ./artifacts/reply.json:0): Cannot iterate over null`
However, the job did preserve an artifacts archive containing the new
response data. As a test for the fix in this commit, I ran the
raw response data through the corrected jq command-line. This
confirmed the change by properly parsing the data as expected by
the workflow.
Signed-off-by: Chris Evich <cevich@redhat.com>
The `body` string value must be quoted because it contains a colon.
Also fix an incorrect URL substitution reference in error-notice e-mail
body text.
(In my defense...testing this workflow is basically impractical without
merging it)
Signed-off-by: Chris Evich <cevich@redhat.com>
This job is designed to be silent when Cirrus-cron executions pass.
Unless specifically instructed, the workflow itself will also remain
silent if there's an error. Fix this by catching workflow errors and
sending a notification e-mail containing a link to the failed run. This
also requires listing the recipient addresses directly in the workflow.
Otherwise (as previouslly implemented) the value would not be retrieved
if/when any previous step raised an error.
**Note**: Due to the way this workflow is implemented, there is no way
easy way to test it other than directly on the `main` repo. branch.
Signed-off-by: Chris Evich <cevich@redhat.com>
Sometime on Jan. 14th the GraphQL schema for Cirrus-CI changed, leading
to the following error:
`Validation error of type FieldUndefined: Field 'githubRepository' in
type 'Root' is undefined @ 'githubRepository'`
After some exploration, it was determined the field had been replaced
with a new root-level field `ownerRepository`. Manual experimentation
revealed the scalar value `LINUX` was appropriate to use for the new
`platform` parameter. The query reply appears to remain compatible.
Update the script which performs this query to use the new field name
and parameter. ***NOTE*** This script is shared across multiple
containers-org repos. All of which are/were affected by the schema
change.
Signed-off-by: Chris Evich <cevich@redhat.com>
we are not using any of the metadata in the new format, so we have
only the downside that is more annoying to fill.
[CI:DOCS] no need to run the CI
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This duplicates the template used for buildah. The intention
is to make it immediately clear to reviewers:
* The intended/basic purpose of the PR (also machine readable)
* Why are changes being proposed
* If there are any specific items need additional checking or scrutiny
* What should go into the release-notes (if anything).
Signed-off-by: Chris Evich <cevich@redhat.com>
This duplicates the change from
https://github.com/containers/skopeo/pull/1379
Since this workflow is duplicated across three repositories, maintaining
changes becomes onerous if the item contents vary between
implementations in any way. Improve this situation by encoding the
repository-specific details into env. vars. then referencing those vars
throughout. This way, a meaningful diff can be worked with to compare
the contents across repositories.
Also included are abstractions for the specific command used to obtain
the project version, and needed details for filtering the output. Both
of these vary across the Buildah, Skopeo, and Podman repos.
NOTE: This change requires the names of two github action secrets
to be updated: PODMAN_QUAY_USERNAME -> REPONAME_QUAY_USERNAME
(and *PASSWORD).
Signed-off-by: Chris Evich <cevich@redhat.com>
The master->main rename broke this. Also update the runtime along with
a comment w/ link to the actual job definitions.
Signed-off-by: Chris Evich <cevich@redhat.com>
A suspected recent change in docker (in github-actions Ubuntu
environment) results in a error:
```
cannot clone: Operation not permitted
Error: cannot re-exec process
```
Fix this by using podman to execute the container instead of docker.
Signed-off-by: Chris Evich <cevich@redhat.com>
Besides adding ***BIG FAT WARNING*** this commit updates the
containers-repo. logic to only (and properly) handle the `stable` image
(both version and `latest` tags). This change was already discussed at
length with @TomSweeneyRedHat.
Signed-off-by: Chris Evich <cevich@redhat.com>
… as currently with `v1`, `remove-stale-when-updated` is set but isn't causing labels to be updated when comments are added.
Signed-off-by: Stuart Shelton <stuart@shelton.me>
Bug introduced by #10150
Also, in case of failure of one matrix-leg, do not terminate execution
of all others. There are many reasons why an item could fail (i.e.
temporary networking problem). Since the job runs periodically,
we can simply allow the subsequent run to cover for any missed images
pushes due to sporadic job failures.
Signed-off-by: Chris Evich <cevich@redhat.com>
Update the order of image documentation to be from most to least stable.
Similarly, avoid depending on execution of upstream podman, when
building/pushing. It's easily possible for this build to function but
execution to fail due to some partially implemented feature.
Also, ensure images tagged `latest` are pushed for every matrix
item. For 'upstream' and 'testing', this replaces use of the
'master' tag.
Lastly, update workflow comments and split the 'podman' and 'containers'
FQIN steps and outputs to improve readability.
Signed-off-by: Chris Evich <cevich@redhat.com>
Also a link to the troubleshooting guide into the issue template.
Replaces: https://github.com/containers/podman/pull/9770
Signed-off-by: Josh Berkus <josh@agliodbs.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The intention is to only push an image if there is ***NOT*** an existing
tag. The original logic for this condition was inverted.
Also, improve radability of the `{container,podman}_push=true`
statements.
Signed-off-by: Chris Evich <cevich@redhat.com>
This borrows very heavily from the work done for buildah by @barthy1 -
Yulia Gaponenko <yulia.gaponenko1@de.ibm.com>. Some changes to code and
comments made for clarity and specificity.
Signed-off-by: Chris Evich <cevich@redhat.com>
While dependabot has turned out great to automate updating dependencies,
a major painpoint was that we had to manually run `make vendor` for each
and every commit. It was causing noise.
Adding the config file to `.github/dependabot.yml` will take of also
updating the `./vendor` tree. `containers/common` is using this config
for a while successfully.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This mailing-list was established to allow people to sub/unsub from
automated notifications. Add it to the list of destinations picked up
by the Github Actions workflow
`.github/workflows/check_cirrus_cron.yml`.
Signed-off-by: Chris Evich <cevich@redhat.com>
