diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5202844283..d62b38f96a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,6 +46,8 @@ jobs: validate-source: name: Validate source code changes runs-on: cncf-ubuntu-8-32-x86 + permissions: + pull-requests: read # For hack/ci/pr-should-include-tests to query PR labels. env: # Base commit of this PR; used by the Makefile and the helper scripts to # compute the commit range (git merge-base $DEST_BRANCH HEAD). @@ -126,8 +128,9 @@ jobs: run: make swagger - name: Check that the PR includes tests - # The 'No New Tests' label lets maintainers override this check. - if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'No New Tests') }} + env: + # For hack/ci/pr-should-include-tests to query PR labels. + GITHUB_TOKEN: ${{ github.token }} run: make tests-included - name: Validate renovate config @@ -154,9 +157,8 @@ jobs: # limit enforced by hack/ci/make-and-check-size.sh. if: ${{ github.event_name == 'pull_request' }} env: - # The 'bloat_approved' label lets a repo admin override the binary - # size growth check in hack/ci/make-and-check-size.sh. - BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }} + # For hack/ci/make-and-check-size.sh to query PR labels. + GITHUB_TOKEN: ${{ github.token }} run: | # git rebase rewrites commits, so it needs a committer identity. git config user.name "CI" diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml index 4f5af732b1..28930f0263 100644 --- a/.github/workflows/dev-bump.yml +++ b/.github/workflows/dev-bump.yml @@ -15,8 +15,7 @@ jobs: - name: Bump id: bump run: | - ref=${{ github.ref_name }} - version=${ref#v} + version=${GITHUB_REF_NAME#v} if [[ $version == *-rc* ]]; then devbump="${version%-*}-dev" echo "::notice:: is a rc - bumping z down to $devbump" @@ -27,53 +26,56 @@ jobs: echo "::notice:: bumping z up to $devbump" fi - sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go + sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump Podman to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}." + echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.checkpr.outputs.prexists == 'false' id: pr + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" - ref=${{ github.ref_name }} - base=${ref%.*} + bumpbranch="bump-${DEVBUMP}" + base=${GITHUB_REF_NAME%.*} body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump Podman to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "$base" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" mainbump: name: Bump on main runs-on: ubuntu-latest @@ -88,8 +90,7 @@ jobs: id: check run: | mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go` - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C then echo "bump=true" >> $GITHUB_OUTPUT @@ -101,8 +102,7 @@ jobs: id: bump if: steps.check.outputs.bump == 'true' run: | - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} arr=($(echo "$releasevers" | tr . '\n')) arr[1]=$((${arr[1]}+1)) @@ -110,49 +110,53 @@ jobs: devbump="$(IFS=. ; echo "${arr[*]}")-dev" echo "::notice:: Bumping main to: $devbump" - sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go + sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push if: steps.check.outputs.bump == 'true' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger - # GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-main-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump main to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr if: steps.check.outputs.bump == 'true' env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-main-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-main-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}." + echo "SKIPPING: PR already exists to update to ${DEVBUMP}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + bumpbranch="bump-main-${DEVBUMP}" body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump main to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump main to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "main" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml index 411d987b6e..4220f03400 100644 --- a/.github/workflows/first_contrib_cert_generator.yml +++ b/.github/workflows/first_contrib_cert_generator.yml @@ -64,15 +64,16 @@ jobs: # Step 3: Update the HTML file locally - name: Update HTML file if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} + env: + CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }} run: | HTML_FILE="automation-repo/certificate-generator/certificate_generator.html" - CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}" - PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}" MERGE_DATE=$(date -u +"%B %d, %Y") - sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } - sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; } - sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; } + sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } + sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; } + sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; } # Step 4: Setup Node.js environment - name: Setup Node.js @@ -119,6 +120,10 @@ jobs: - name: Upload certificate to separate repository if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }} script: | @@ -156,10 +161,10 @@ jobs: // Create a unique filename with timestamp const timestamp = new Date().toISOString().replace(/[:.]/g, '-'); const contributorName = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.contributor_username }}' - : '${{ github.event.pull_request.user.login }}'; + ? process.env.CONTRIBUTOR_USERNAME + : process.env.USER_LOGIN; const prNumber = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.pr_number }}' + ? process.env.PR_NUMBER : context.issue.number; const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`; @@ -218,6 +223,10 @@ jobs: - name: Comment with embedded certificate image if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: script: | try { @@ -239,17 +248,17 @@ jobs: if (context.eventName === 'workflow_dispatch') { // Manual trigger case - const contributorName = '${{ github.event.inputs.contributor_username }}'; - const prNumber = '${{ github.event.inputs.pr_number }}'; + const contributorName = process.env.CONTRIBUTOR_USERNAME; + const prNumber = process.env.PR_NUMBER; body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`; } else { // Auto trigger case for first-time contributors - const username = '${{ github.event.pull_request.user.login }}'; + const username = process.env.USER_LOGIN; body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`; } const issueNumber = context.eventName === 'workflow_dispatch' ? - parseInt('${{ github.event.inputs.pr_number }}') : + parseInt(process.env.PR_NUMBER) : context.issue.number; await github.rest.issues.createComment({ diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml index f8e88db2bc..5f91fada25 100644 --- a/.github/workflows/mac-pkg.yml +++ b/.github/workflows/mac-pkg.yml @@ -36,33 +36,42 @@ jobs: steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi echo echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" ARM_FILE="podman-installer-macos-arm64.pkg" AMD_FILE="podman-installer-macos-amd64.pkg" UNIVERSAL_FILE="podman-installer-macos-universal.pkg" @@ -165,8 +174,9 @@ jobs: steps.check.outputs.builduniversal == 'true' ) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat contrib/pkginstaller/out/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg + gh release upload "${VERSION}" --clobber shasums diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index b6d065d2a9..5728d49592 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -20,8 +20,8 @@ jobs: pull-requests: write env: SHA: ${{github.event.pull_request.head.sha}} - UPSTREAM_MACHINE_OS: "containers/podman-machine-os" - PODMAN_REPO: "containers/podman" + UPSTREAM_MACHINE_OS: "podman-container-tools/podman-machine-os" + PODMAN_REPO: "podman-container-tools/podman" steps: - name: Get version @@ -34,9 +34,9 @@ jobs: exit 1 elif [[ $VERSION == *-dev ]] ; then echo "::warning:: SKIPPING: dev bump" - elif [[ ${{github.base_ref}} == "main" ]] ; then + elif [[ "${GITHUB_BASE_REF}" == "main" ]] ; then echo "::warning:: SKIPPING: main branch" - elif [[ ${{github.base_ref}} == *-rhel ]] ; then + elif [[ "${GITHUB_BASE_REF}" == *-rhel ]] ; then echo "::warning:: SKIPPING: rhel branch" else echo "update=true" >> "$GITHUB_OUTPUT" @@ -46,7 +46,7 @@ jobs: - name: Check machine-os-branch if: steps.getversion.outputs.update == 'true' run: | - if ! (curl -s https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches| jq -e --arg branch "${{github.base_ref}}" '.[] | select(.name==$branch)') ; then + if ! curl -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then echo "::error:: Release branch does not exist." echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task." exit 1 @@ -57,8 +57,9 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} + EVENT_NUMBER: ${{ github.event.number }} run: | - gh pr edit --add-label do-not-merge/wait-machine-os-build ${{github.event.number}} + gh pr edit --add-label do-not-merge/wait-machine-os-build "${EVENT_NUMBER}" - name: Install wait-for-copr if: steps.getversion.outputs.update == 'true' @@ -69,51 +70,60 @@ jobs: if: steps.getversion.outputs.update == 'true' id: checkout with: - repository: containers/podman-machine-os + repository: podman-container-tools/podman-machine-os ref: ${{github.base_ref}} token: ${{secrets.PODMANBOT_TOKEN}} - name: Bump version if: steps.getversion.outputs.update == 'true' env: + EVENT_NUMBER: ${{ github.event.number }} VERS: ${{steps.getversion.outputs.version}} run: | update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS") - sed -i "$update" podman-rpm-info-vars.sh - sed -i 's/export PODMAN_PR_NUM=".*"/export PODMAN_PR_NUM="${{github.event.number}}"/g' podman-rpm-info-vars.sh + sed --sandbox -i -e "$update" podman-rpm-info-vars.sh + sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${EVENT_NUMBER}\"/g" podman-rpm-info-vars.sh echo "Updated file:" cat podman-rpm-info-vars.sh - name: Wait for COPR build if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} run: | wait-for-copr \ --owner packit \ - --project containers-podman-${{github.event.number}} \ + --project "podman-container-tools-podman-${EVENT_NUMBER}" \ podman \ ${SHA::9} - name: Push if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="pr${{github.event.number}}" - git checkout -b $bumpbranch + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="pr${EVENT_NUMBER}" + git checkout -b "$bumpbranch" git add podman-rpm-info-vars.sh - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote add podmanbot https://github.com/podmanbot/podman-machine-os git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo $UPSTREAM_MACHINE_OS \ - --head "pr${{github.event.number}}" \ + --repo "$UPSTREAM_MACHINE_OS" \ + --head "pr${EVENT_NUMBER}" \ --state open \ --json title \ --jq 'length') @@ -122,25 +132,25 @@ jobs: else echo "openpr=true" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Open PR if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' id: pr + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - bumpbranch="pr${{github.event.number}}" + bumpbranch="pr${EVENT_NUMBER}" body=$(printf 'Triggered by https://github.com/%s/pull/%s\n\n```release-note\nRelease v%s\n```\n' \ - "$PODMAN_REPO" "${{github.event.number}}" "${{ steps.getversion.outputs.version }}") + "$PODMAN_REPO" "${EVENT_NUMBER}" "${VERSION}") uri=`gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ - --base "${{github.base_ref}}" \ - --repo $UPSTREAM_MACHINE_OS` + --base "${GITHUB_BASE_REF}" \ + --repo "$UPSTREAM_MACHINE_OS"` echo "uri=$uri" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Comment PR link if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index fb74d132e0..a80cec0b44 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -27,17 +27,20 @@ jobs: - name: Provide github event JSON for examination run: | echo "::group::Event JSON" - jq --color-output "." "${{ github.event_path }}" + jq --color-output "." "${GITHUB_EVENT_PATH}" echo "::endgroup::" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" @@ -57,24 +60,30 @@ jobs: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" for artifact in "podman-remote-release-darwin_amd64.zip darwin_amd" \ 'podman-remote-release-darwin_arm64.zip darwin_arm' \ 'podman-remote-release-windows_amd64.zip windows_amd' \ @@ -186,11 +195,12 @@ jobs: steps.actual_dryrun.outputs.dryrun == 'false' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat release/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} release/*.zip release/*.tar.gz - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" release/*.zip release/*.tar.gz + gh release upload "${VERSION}" --clobber shasums # WARNING: This should only be set when 'notification' job should be triggered echo "complete=true" >> $GITHUB_OUTPUT @@ -206,6 +216,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.build.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" @@ -215,19 +226,19 @@ jobs: echo "mail_subj=Podman ${RC_PREFIX}${VERSION} Released" >> $GITHUB_OUTPUT - cat <email_body.txt + cat < email_body.txt Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3ff7291251..151626a1d2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,12 +23,14 @@ jobs: steps: - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" then @@ -45,14 +47,16 @@ jobs: echo "::notice::Building $VERSION" - name: Determine release id: buildonly + env: + INPUT_BUILDONLY: ${{ inputs.buildonly }} run: | # The 'tag' trigger will not have a 'buildonly' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.buildonly }}" ]] + if [[ -z "${INPUT_BUILDONLY}" ]] then BUILDONLY=false else - BUILDONLY=${{ inputs.buildonly }} + BUILDONLY=${INPUT_BUILDONLY} fi echo "buildonly=$BUILDONLY" >> $GITHUB_OUTPUT echo "::notice::This will be build-only: $BUILDONLY" @@ -154,8 +158,10 @@ jobs: steps: - name: Determine version id: getversion + env: + VERSION: ${{needs.check.outputs.version}} run: | - $version = "${{ needs.check.outputs.version }}" + $version = "${env:VERSION}" if ($version[0] -eq "v") { $version = $version.Substring(1) } @@ -174,13 +180,19 @@ jobs: - name: Set up WiX run: dotnet tool install --global wix --version 5.0.2 - name: Setup Signature Tooling + env: + AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }} + AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }} + AZ_APP_ID: ${{ secrets.AZ_APP_ID }} + AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} + AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} run: | dotnet tool install --global AzureSignTool --version 3.0.0 - echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Pandoc Setup uses: r-lib/actions/setup-pandoc@v2 with: @@ -193,17 +205,23 @@ jobs: # to judge. - name: Build the MSI id: build + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | contrib\win-installer\build.ps1 ` - -Version ${{steps.getversion.outputs.version}} ` - -LocalReleaseDirPath ${{ github.workspace }}\release-artifacts ` - -Architecture ${{ matrix.arch }} + -Version "${env:VERSION}" ` + -LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" ` + -Architecture "${env:PODMAN_ARCH}" Exit $LASTEXITCODE - name: Build the bundle (legacy) id: build-legacy + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\build.ps1 ${{steps.getversion.outputs.version}} prod ${{ github.workspace }}\release-artifacts + .\build.ps1 "${env:VERSION}" prod "${env:GITHUB_WORKSPACE}\release-artifacts" $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append @@ -212,8 +230,6 @@ jobs: } Pop-Location Exit $code - env: - PODMAN_ARCH: ${{ matrix.arch }} - name: Display structure of built files run: | Push-Location contrib\win-installer @@ -223,14 +239,20 @@ jobs: Get-ChildItem Pop-Location - name: Rename the MSI + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer - Copy-Item -Path podman-${{steps.getversion.outputs.version}}.msi -Destination podman-installer-windows-${{ matrix.arch }}.msi + Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi" Pop-Location - name: Rename the bundle (legacy) + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - Copy-Item -Path podman-${{steps.getversion.outputs.version}}-setup.exe -Destination podman-installer-windows-${{ matrix.arch }}.exe + Copy-Item -Path "podman-${env:VERSION}-setup.exe" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.exe" Pop-Location - name: Upload the MSI uses: actions/upload-artifact@v4 @@ -306,7 +328,7 @@ jobs: title="${title/rc/"RC"}" else # check if this version should not be marked latest - prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${{ github.repository }}/releases/latest") + prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest") prevvers=$(echo "$prevrelease" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed -e "s/^v//") vers=${VERSION#"v"} echo "${prevvers},${vers}" @@ -334,6 +356,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.check.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" @@ -347,15 +370,15 @@ jobs: Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml index 5dcbf57874..5c6acf7264 100644 --- a/.github/workflows/update-podmanio.yml +++ b/.github/workflows/update-podmanio.yml @@ -25,13 +25,15 @@ jobs: steps: - name: Get version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi # strip out the prefix v if it's there @@ -50,20 +52,21 @@ jobs: - name: Check open PRs if: steps.getversion.outputs.notRC == 'true' id: checkpr + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | prs=$(gh pr list \ --repo containers/podman.io \ - --head bump-podmanv${{ steps.getversion.outputs.version }} \ + --head "bump-podmanv${VERSION}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to v${{ steps.getversion.outputs.version }}." + echo "SKIPPING: PR already exists to update to v${VERSION}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - uses: actions/checkout@v5 if: >- @@ -79,13 +82,15 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkpr.outputs.prexists == 'false' id: checkversion + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Check if version is actually higher than one on podman.io prevversion=`grep -P "(?<=export const LATEST_VERSION = ')(\d.\d.\d)" -o static/data/global.ts` echo "Version currently on site: ${prevversion}" - echo "Version to update to: ${{ steps.getversion.outputs.version }}" + echo "Version to update to: ${VERSION}" # sort -V -C returns 0 if args are ascending version order - if echo "${prevversion},${{ steps.getversion.outputs.version }}" | tr ',' '\n' | sort -V -C && [[ ${prevversion} != ${{ steps.getversion.outputs.version }} ]] + if echo "${prevversion},${VERSION}" | tr ',' '\n' | sort -V -C && [[ "${prevversion}" != "${version}" ]] then echo "needsUpdate=true" >> $GITHUB_OUTPUT echo "This release is a higher version, so we need to update podman.io" @@ -98,9 +103,11 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Replace the version in static/data/global.ts file - sed -i "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts + sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g" static/data/global.ts echo "Updated file:" cat static/data/global.ts @@ -109,22 +116,23 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-podmanv${{ steps.getversion.outputs.version }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-podmanv${VERSION}" git checkout -b $bumpbranch git add static/data/global.ts - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote -v git remote add podmanbot https://github.com/podmanbot/podman.io git push podmanbot "+$bumpbranch" gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ - --body "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ + --body "Bump Podman to v${VERSION}" \ --head "podmanbot:$bumpbranch" \ --base "main" -R "containers/podman.io" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml index 6e310bd075..3050a900ac 100644 --- a/.github/workflows/upload-win-installer.yml +++ b/.github/workflows/upload-win-installer.yml @@ -26,24 +26,31 @@ jobs: steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - $inputs_dryrun = "${{ inputs.dryrun }}" + $inputs_dryrun = "${env:INPUT_DRYRUN}" if ($inputs_dryrun.Length -lt 1) { Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append } else { - Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + Write-Output "dryrun=${env:INPUT_DRYRUN}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append } - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + Write-Output "::notice::This workflow execution will be a dry-run: ${env:DRYRUN}" - name: Determine version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - $version = "${{ inputs.version }}" + $version = "${env:INPUT_VERSION}" if ($version.Length -lt 1) { - $version = "${{ github.event.release.tag_name }}" + $version = "${env:TAG_NAME}" if ($version.Length -lt 1) { Write-Host "::error::Could not determine version!" Exit 1 @@ -63,16 +70,18 @@ jobs: # to judge w/n (i.e. in some extreme case) it should be uploaded to the release page. - name: Check id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\check.ps1 ${{steps.getversion.outputs.version}} + .\check.ps1 "${env:VERSION}" $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append Pop-Location Exit 0 } - Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + Write-Output "upload_asset_name=${env:UPLOAD_ASSET_NAME}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append Pop-Location Exit $code # The podman release process requires a cross-compile of the windows binaries be uploaded to @@ -80,8 +89,10 @@ jobs: # non-obvious ways with a non-obvious error message. Address that here. - name: Confirm upload_asset_name is non-empty if: steps.check.outputs.upload_asset_name == '' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${{steps.getversion.outputs.version}}." + Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${env:VERSION}." Exit 1 - name: Set up Go uses: actions/setup-go@v6 @@ -93,13 +104,19 @@ jobs: run: dotnet tool install --global wix - name: Setup Signature Tooling if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' + env: + AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }} + AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }} + AZ_APP_ID: ${{ secrets.AZ_APP_ID }} + AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} + AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} run: | dotnet tool install --global AzureSignTool --version 3.0.0 - echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Pandoc Setup uses: r-lib/actions/setup-pandoc@v2 with: @@ -107,9 +124,11 @@ jobs: - name: Build id: build if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\build.ps1 ${{steps.getversion.outputs.version}} prod + .\build.ps1 "${env:VERSION}" prod $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append @@ -132,14 +151,16 @@ jobs: steps.check.outputs.already-exists != 'true' && steps.build.outputs.artifact-missing != 'true' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + UPLOAD_ASSET_NAME: ${{ steps.check.outputs.upload_asset_name }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - $version = "${{ steps.getversion.outputs.version }}" + $version = "${env:VERSION}" if ($version[0] -ne "v") { $version = "v$version" } - gh release upload $version ${{ steps.check.outputs.upload_asset_name }} + gh release upload $version "${env:UPLOAD_ASSET_NAME}" if ($LASTEXITCODE -ne 0) { .\check.ps1 $version if ($LASTEXITCODE -eq 2) { diff --git a/contrib/win-installer/utils.ps1 b/contrib/win-installer/utils.ps1 index 417b2a376a..f3717ca480 100644 --- a/contrib/win-installer/utils.ps1 +++ b/contrib/win-installer/utils.ps1 @@ -16,7 +16,7 @@ function Get-Podman-Setup-From-GitHub { ) Write-Host "Downloading the $arch $version Podman windows setup from GitHub..." - $apiUrl = "https://api.github.com/repos/containers/podman/releases/$version" + $apiUrl = "https://api.github.com/repos/podman-container-tools/podman/releases/$version" $headers = @{"User-Agent"="PowerShell"} if ($env:GITHUB_TOKEN) { $headers["Authorization"] = "Bearer $env:GITHUB_TOKEN" diff --git a/hack/ci/make-and-check-size.sh b/hack/ci/make-and-check-size.sh index 1c31bf4762..8dde0ae969 100755 --- a/hack/ci/make-and-check-size.sh +++ b/hack/ci/make-and-check-size.sh @@ -53,9 +53,21 @@ function bloat_approved() { # requiring a MAX_BIN_GROWTH=nnn statement in github comments. local actual_growth="$1" - # The validate-source GitHub Actions workflow sets BLOAT_APPROVED=true when - # the PR carries the '$OVERRIDE_LABEL' label. - [[ "$BLOAT_APPROVED" == "true" ]] + local var + for var in PR_NUMBER GITHUB_TOKEN GITHUB_REPOSITORY; do + if [[ -z "${!var}" ]]; then + echo "$ME: cannot query github: \$$var is undefined" >&2 + return 1 + fi + done + + labels=$(curl --fail -s \ + -H "Authorization: bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" | + jq -r '.labels[].name') + + grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels" } # ACTUAL CODE BEGINS HERE diff --git a/hack/ci/pr-should-include-tests b/hack/ci/pr-should-include-tests index 75f55b1475..ad9568098e 100755 --- a/hack/ci/pr-should-include-tests +++ b/hack/ci/pr-should-include-tests @@ -46,9 +46,30 @@ if [[ -z "$filtered_changes" ]]; then exit 0 fi -# This PR touches non-test files but adds no tests. Fail loudly. -# The '$OVERRIDE_LABEL' label can be used to override this check; that is -# handled by the CI workflow, not here. +# This PR touches non-test files but adds no tests. Only allow it if the +# '$OVERRIDE_LABEL' github label is set. +if [[ -n "$PR_NUMBER" ]]; then + for var in GITHUB_TOKEN GITHUB_REPOSITORY; do + if [[ -z "${!var}" ]]; then + echo "$ME: cannot query github: \$$var is undefined" >&2 + return 1 + fi + done + + labels=$(curl --fail -s \ + -H "Authorization: bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" | + jq -r '.labels[].name') + + if grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels"; then + echo "$ME: \"$OVERRIDE_LABEL\" label found, ignoring test requirements" + exit 0 + fi +fi + +# This PR touches non-test files but adds no tests, and +# the '$OVERRIDE_LABEL' is not set. Fail loudly. cat <