From 7179dc6d14404be1b2233d39956b8416551bb4f4 Mon Sep 17 00:00:00 2001 From: Mario Loriedo Date: Fri, 5 Jun 2026 18:35:17 +0200 Subject: [PATCH 1/5] Update gh org from which releases are pulled in pswh scripts Use https://api.github.com/repos/podman-container-tools/podman/releases. That may eventually fix https://github.com/podman-container-tools/podman/issues/28850 based on https://docs.github.com/en/actions/concepts/security/github_token: > The token's permissions are limited to the repository that contains your > workflow. Signed-off-by: Mario Loriedo (cherry picked from commit ff9f192f4d49a6e856cad289dda900ece415fd00) Signed-off-by: Paul Holzinger --- contrib/win-installer/utils.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/win-installer/utils.ps1 b/contrib/win-installer/utils.ps1 index 417b2a376a..f3717ca480 100644 --- a/contrib/win-installer/utils.ps1 +++ b/contrib/win-installer/utils.ps1 @@ -16,7 +16,7 @@ function Get-Podman-Setup-From-GitHub { ) Write-Host "Downloading the $arch $version Podman windows setup from GitHub..." - $apiUrl = "https://api.github.com/repos/containers/podman/releases/$version" + $apiUrl = "https://api.github.com/repos/podman-container-tools/podman/releases/$version" $headers = @{"User-Agent"="PowerShell"} if ($env:GITHUB_TOKEN) { $headers["Authorization"] = "Bearer $env:GITHUB_TOKEN" From d97883bcc56af59c8670fef5ff44b6c29a014b8d Mon Sep 17 00:00:00 2001 From: Daniel Hast Date: Mon, 1 Dec 2025 08:05:02 -0500 Subject: [PATCH 2/5] ci: use --sandbox for dynamically generated sed scripts sed scripts are capable of doing file I/O and executing arbitrary commands. The `--sandbox` option prevents this by rejecting sed commands with such capabilities; it's good practice to use this whenever the sed script is dynamically generated (e.g. if it involves a variable expansion). Also fixed an error in one sed script where `.*` had been placed outside of the quoted string (and would therefore be subject to shell globbing), presumably due to single-quotes having been changed to double-quotes at some point in the past. Signed-off-by: Daniel Hast (cherry picked from commit 3f4af378f4372e7188d1092d348501e870f75f88) Signed-off-by: Paul Holzinger --- .github/workflows/dev-bump.yml | 4 ++-- .github/workflows/first_contrib_cert_generator.yml | 6 +++--- .github/workflows/machine-os-pr.yml | 4 ++-- .github/workflows/update-podmanio.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml index 4f5af732b1..70c217fbee 100644 --- a/.github/workflows/dev-bump.yml +++ b/.github/workflows/dev-bump.yml @@ -27,7 +27,7 @@ jobs: echo "::notice:: bumping z up to $devbump" fi - sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go + sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push @@ -110,7 +110,7 @@ jobs: devbump="$(IFS=. ; echo "${arr[*]}")-dev" echo "::notice:: Bumping main to: $devbump" - sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go + sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml index 411d987b6e..4164797687 100644 --- a/.github/workflows/first_contrib_cert_generator.yml +++ b/.github/workflows/first_contrib_cert_generator.yml @@ -70,9 +70,9 @@ jobs: PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}" MERGE_DATE=$(date -u +"%B %d, %Y") - sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } - sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; } - sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; } + sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } + sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; } + sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; } # Step 4: Setup Node.js environment - name: Setup Node.js diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index b6d065d2a9..6e03a27eeb 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -79,8 +79,8 @@ jobs: VERS: ${{steps.getversion.outputs.version}} run: | update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS") - sed -i "$update" podman-rpm-info-vars.sh - sed -i 's/export PODMAN_PR_NUM=".*"/export PODMAN_PR_NUM="${{github.event.number}}"/g' podman-rpm-info-vars.sh + sed --sandbox -i -e "$update" podman-rpm-info-vars.sh + sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh echo "Updated file:" cat podman-rpm-info-vars.sh diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml index 5dcbf57874..6fb7085b47 100644 --- a/.github/workflows/update-podmanio.yml +++ b/.github/workflows/update-podmanio.yml @@ -100,7 +100,7 @@ jobs: steps.checkpr.outputs.prexists == 'false' run: | # Replace the version in static/data/global.ts file - sed -i "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts + sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts echo "Updated file:" cat static/data/global.ts From 925107a0c9ae2ae66d2c5a1b9009c8897f29b720 Mon Sep 17 00:00:00 2001 From: Daniel Hast Date: Mon, 1 Dec 2025 08:29:24 -0500 Subject: [PATCH 3/5] ci: use env vars to avoid template expansion in code contexts Template expansions are not aware of shell script syntax, and therefore can potentially result in code injection vulnerabilities when used in code contexts: https://docs.zizmor.sh/audits/#template-injection To avoid this, instead use environment variables to safely store the values of the template expansions. Also (in the process of doing the above) added double-quotes around a some instances of variable expansions in shell scripts, which is necessary to avoid unintended shell splitting and globbing. (I didn't see any instances where this was actually likely to result in erroneous behavior, but it's good practice and makes shell scripts more robust.) Signed-off-by: Daniel Hast (cherry picked from commit 67c050bb8e2b9dc909d536a1535b81036d182108) Signed-off-by: Paul Holzinger --- .github/workflows/dev-bump.yml | 70 +++++++++--------- .../first_contrib_cert_generator.yml | 27 ++++--- .github/workflows/mac-pkg.yml | 30 +++++--- .github/workflows/machine-os-pr.yml | 54 ++++++++------ .github/workflows/release-artifacts.yml | 43 ++++++----- .github/workflows/release.yml | 71 ++++++++++++------- .github/workflows/update-podmanio.yml | 46 +++++++----- .github/workflows/upload-win-installer.yml | 55 +++++++++----- 8 files changed, 246 insertions(+), 150 deletions(-) diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml index 70c217fbee..28930f0263 100644 --- a/.github/workflows/dev-bump.yml +++ b/.github/workflows/dev-bump.yml @@ -15,8 +15,7 @@ jobs: - name: Bump id: bump run: | - ref=${{ github.ref_name }} - version=${ref#v} + version=${GITHUB_REF_NAME#v} if [[ $version == *-rc* ]]; then devbump="${version%-*}-dev" echo "::notice:: is a rc - bumping z down to $devbump" @@ -31,49 +30,52 @@ jobs: echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump Podman to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}." + echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.checkpr.outputs.prexists == 'false' id: pr + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" - ref=${{ github.ref_name }} - base=${ref%.*} + bumpbranch="bump-${DEVBUMP}" + base=${GITHUB_REF_NAME%.*} body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump Podman to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "$base" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" mainbump: name: Bump on main runs-on: ubuntu-latest @@ -88,8 +90,7 @@ jobs: id: check run: | mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go` - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C then echo "bump=true" >> $GITHUB_OUTPUT @@ -101,8 +102,7 @@ jobs: id: bump if: steps.check.outputs.bump == 'true' run: | - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} arr=($(echo "$releasevers" | tr . '\n')) arr[1]=$((${arr[1]}+1)) @@ -115,44 +115,48 @@ jobs: echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push if: steps.check.outputs.bump == 'true' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger - # GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-main-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump main to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr if: steps.check.outputs.bump == 'true' env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-main-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-main-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}." + echo "SKIPPING: PR already exists to update to ${DEVBUMP}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + bumpbranch="bump-main-${DEVBUMP}" body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump main to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump main to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "main" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml index 4164797687..4220f03400 100644 --- a/.github/workflows/first_contrib_cert_generator.yml +++ b/.github/workflows/first_contrib_cert_generator.yml @@ -64,10 +64,11 @@ jobs: # Step 3: Update the HTML file locally - name: Update HTML file if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} + env: + CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }} run: | HTML_FILE="automation-repo/certificate-generator/certificate_generator.html" - CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}" - PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}" MERGE_DATE=$(date -u +"%B %d, %Y") sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } @@ -119,6 +120,10 @@ jobs: - name: Upload certificate to separate repository if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }} script: | @@ -156,10 +161,10 @@ jobs: // Create a unique filename with timestamp const timestamp = new Date().toISOString().replace(/[:.]/g, '-'); const contributorName = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.contributor_username }}' - : '${{ github.event.pull_request.user.login }}'; + ? process.env.CONTRIBUTOR_USERNAME + : process.env.USER_LOGIN; const prNumber = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.pr_number }}' + ? process.env.PR_NUMBER : context.issue.number; const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`; @@ -218,6 +223,10 @@ jobs: - name: Comment with embedded certificate image if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: script: | try { @@ -239,17 +248,17 @@ jobs: if (context.eventName === 'workflow_dispatch') { // Manual trigger case - const contributorName = '${{ github.event.inputs.contributor_username }}'; - const prNumber = '${{ github.event.inputs.pr_number }}'; + const contributorName = process.env.CONTRIBUTOR_USERNAME; + const prNumber = process.env.PR_NUMBER; body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`; } else { // Auto trigger case for first-time contributors - const username = '${{ github.event.pull_request.user.login }}'; + const username = process.env.USER_LOGIN; body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`; } const issueNumber = context.eventName === 'workflow_dispatch' ? - parseInt('${{ github.event.inputs.pr_number }}') : + parseInt(process.env.PR_NUMBER) : context.issue.number; await github.rest.issues.createComment({ diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml index f8e88db2bc..5f91fada25 100644 --- a/.github/workflows/mac-pkg.yml +++ b/.github/workflows/mac-pkg.yml @@ -36,33 +36,42 @@ jobs: steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi echo echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" ARM_FILE="podman-installer-macos-arm64.pkg" AMD_FILE="podman-installer-macos-amd64.pkg" UNIVERSAL_FILE="podman-installer-macos-universal.pkg" @@ -165,8 +174,9 @@ jobs: steps.check.outputs.builduniversal == 'true' ) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat contrib/pkginstaller/out/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg + gh release upload "${VERSION}" --clobber shasums diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index 6e03a27eeb..05a4584709 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -34,9 +34,9 @@ jobs: exit 1 elif [[ $VERSION == *-dev ]] ; then echo "::warning:: SKIPPING: dev bump" - elif [[ ${{github.base_ref}} == "main" ]] ; then + elif [[ "${GITHUB_BASE_REF}" == "main" ]] ; then echo "::warning:: SKIPPING: main branch" - elif [[ ${{github.base_ref}} == *-rhel ]] ; then + elif [[ "${GITHUB_BASE_REF}" == *-rhel ]] ; then echo "::warning:: SKIPPING: rhel branch" else echo "update=true" >> "$GITHUB_OUTPUT" @@ -46,7 +46,7 @@ jobs: - name: Check machine-os-branch if: steps.getversion.outputs.update == 'true' run: | - if ! (curl -s https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches| jq -e --arg branch "${{github.base_ref}}" '.[] | select(.name==$branch)') ; then + if ! curl -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then echo "::error:: Release branch does not exist." echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task." exit 1 @@ -57,8 +57,9 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} + EVENT_NUMBER: ${{ github.event.number }} run: | - gh pr edit --add-label do-not-merge/wait-machine-os-build ${{github.event.number}} + gh pr edit --add-label do-not-merge/wait-machine-os-build "${EVENT_NUMBER}" - name: Install wait-for-copr if: steps.getversion.outputs.update == 'true' @@ -76,44 +77,53 @@ jobs: - name: Bump version if: steps.getversion.outputs.update == 'true' env: + EVENT_NUMBER: ${{ github.event.number }} VERS: ${{steps.getversion.outputs.version}} run: | update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS") sed --sandbox -i -e "$update" podman-rpm-info-vars.sh - sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh + sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${EVENT_NUMBER}\"/g" podman-rpm-info-vars.sh echo "Updated file:" cat podman-rpm-info-vars.sh - name: Wait for COPR build if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} run: | wait-for-copr \ --owner packit \ - --project containers-podman-${{github.event.number}} \ + --project "containers-podman-${EVENT_NUMBER}" \ podman \ ${SHA::9} - name: Push if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="pr${{github.event.number}}" - git checkout -b $bumpbranch + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="pr${EVENT_NUMBER}" + git checkout -b "$bumpbranch" git add podman-rpm-info-vars.sh - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote add podmanbot https://github.com/podmanbot/podman-machine-os git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo $UPSTREAM_MACHINE_OS \ - --head "pr${{github.event.number}}" \ + --repo "$UPSTREAM_MACHINE_OS" \ + --head "pr${EVENT_NUMBER}" \ --state open \ --json title \ --jq 'length') @@ -122,25 +132,25 @@ jobs: else echo "openpr=true" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Open PR if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' id: pr + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - bumpbranch="pr${{github.event.number}}" + bumpbranch="pr${EVENT_NUMBER}" body=$(printf 'Triggered by https://github.com/%s/pull/%s\n\n```release-note\nRelease v%s\n```\n' \ - "$PODMAN_REPO" "${{github.event.number}}" "${{ steps.getversion.outputs.version }}") + "$PODMAN_REPO" "${EVENT_NUMBER}" "${VERSION}") uri=`gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ - --base "${{github.base_ref}}" \ - --repo $UPSTREAM_MACHINE_OS` + --base "${GITHUB_BASE_REF}" \ + --repo "$UPSTREAM_MACHINE_OS"` echo "uri=$uri" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Comment PR link if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index fb74d132e0..a80cec0b44 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml @@ -27,17 +27,20 @@ jobs: - name: Provide github event JSON for examination run: | echo "::group::Event JSON" - jq --color-output "." "${{ github.event_path }}" + jq --color-output "." "${GITHUB_EVENT_PATH}" echo "::endgroup::" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" @@ -57,24 +60,30 @@ jobs: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" for artifact in "podman-remote-release-darwin_amd64.zip darwin_amd" \ 'podman-remote-release-darwin_arm64.zip darwin_arm' \ 'podman-remote-release-windows_amd64.zip windows_amd' \ @@ -186,11 +195,12 @@ jobs: steps.actual_dryrun.outputs.dryrun == 'false' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat release/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} release/*.zip release/*.tar.gz - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" release/*.zip release/*.tar.gz + gh release upload "${VERSION}" --clobber shasums # WARNING: This should only be set when 'notification' job should be triggered echo "complete=true" >> $GITHUB_OUTPUT @@ -206,6 +216,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.build.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" @@ -215,19 +226,19 @@ jobs: echo "mail_subj=Podman ${RC_PREFIX}${VERSION} Released" >> $GITHUB_OUTPUT - cat <email_body.txt + cat < email_body.txt Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3ff7291251..151626a1d2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,12 +23,14 @@ jobs: steps: - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" then @@ -45,14 +47,16 @@ jobs: echo "::notice::Building $VERSION" - name: Determine release id: buildonly + env: + INPUT_BUILDONLY: ${{ inputs.buildonly }} run: | # The 'tag' trigger will not have a 'buildonly' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.buildonly }}" ]] + if [[ -z "${INPUT_BUILDONLY}" ]] then BUILDONLY=false else - BUILDONLY=${{ inputs.buildonly }} + BUILDONLY=${INPUT_BUILDONLY} fi echo "buildonly=$BUILDONLY" >> $GITHUB_OUTPUT echo "::notice::This will be build-only: $BUILDONLY" @@ -154,8 +158,10 @@ jobs: steps: - name: Determine version id: getversion + env: + VERSION: ${{needs.check.outputs.version}} run: | - $version = "${{ needs.check.outputs.version }}" + $version = "${env:VERSION}" if ($version[0] -eq "v") { $version = $version.Substring(1) } @@ -174,13 +180,19 @@ jobs: - name: Set up WiX run: dotnet tool install --global wix --version 5.0.2 - name: Setup Signature Tooling + env: + AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }} + AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }} + AZ_APP_ID: ${{ secrets.AZ_APP_ID }} + AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} + AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} run: | dotnet tool install --global AzureSignTool --version 3.0.0 - echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Pandoc Setup uses: r-lib/actions/setup-pandoc@v2 with: @@ -193,17 +205,23 @@ jobs: # to judge. - name: Build the MSI id: build + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | contrib\win-installer\build.ps1 ` - -Version ${{steps.getversion.outputs.version}} ` - -LocalReleaseDirPath ${{ github.workspace }}\release-artifacts ` - -Architecture ${{ matrix.arch }} + -Version "${env:VERSION}" ` + -LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" ` + -Architecture "${env:PODMAN_ARCH}" Exit $LASTEXITCODE - name: Build the bundle (legacy) id: build-legacy + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\build.ps1 ${{steps.getversion.outputs.version}} prod ${{ github.workspace }}\release-artifacts + .\build.ps1 "${env:VERSION}" prod "${env:GITHUB_WORKSPACE}\release-artifacts" $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append @@ -212,8 +230,6 @@ jobs: } Pop-Location Exit $code - env: - PODMAN_ARCH: ${{ matrix.arch }} - name: Display structure of built files run: | Push-Location contrib\win-installer @@ -223,14 +239,20 @@ jobs: Get-ChildItem Pop-Location - name: Rename the MSI + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer - Copy-Item -Path podman-${{steps.getversion.outputs.version}}.msi -Destination podman-installer-windows-${{ matrix.arch }}.msi + Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi" Pop-Location - name: Rename the bundle (legacy) + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - Copy-Item -Path podman-${{steps.getversion.outputs.version}}-setup.exe -Destination podman-installer-windows-${{ matrix.arch }}.exe + Copy-Item -Path "podman-${env:VERSION}-setup.exe" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.exe" Pop-Location - name: Upload the MSI uses: actions/upload-artifact@v4 @@ -306,7 +328,7 @@ jobs: title="${title/rc/"RC"}" else # check if this version should not be marked latest - prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${{ github.repository }}/releases/latest") + prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest") prevvers=$(echo "$prevrelease" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed -e "s/^v//") vers=${VERSION#"v"} echo "${prevvers},${vers}" @@ -334,6 +356,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.check.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" @@ -347,15 +370,15 @@ jobs: Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml index 6fb7085b47..5c6acf7264 100644 --- a/.github/workflows/update-podmanio.yml +++ b/.github/workflows/update-podmanio.yml @@ -25,13 +25,15 @@ jobs: steps: - name: Get version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi # strip out the prefix v if it's there @@ -50,20 +52,21 @@ jobs: - name: Check open PRs if: steps.getversion.outputs.notRC == 'true' id: checkpr + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | prs=$(gh pr list \ --repo containers/podman.io \ - --head bump-podmanv${{ steps.getversion.outputs.version }} \ + --head "bump-podmanv${VERSION}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to v${{ steps.getversion.outputs.version }}." + echo "SKIPPING: PR already exists to update to v${VERSION}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - uses: actions/checkout@v5 if: >- @@ -79,13 +82,15 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkpr.outputs.prexists == 'false' id: checkversion + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Check if version is actually higher than one on podman.io prevversion=`grep -P "(?<=export const LATEST_VERSION = ')(\d.\d.\d)" -o static/data/global.ts` echo "Version currently on site: ${prevversion}" - echo "Version to update to: ${{ steps.getversion.outputs.version }}" + echo "Version to update to: ${VERSION}" # sort -V -C returns 0 if args are ascending version order - if echo "${prevversion},${{ steps.getversion.outputs.version }}" | tr ',' '\n' | sort -V -C && [[ ${prevversion} != ${{ steps.getversion.outputs.version }} ]] + if echo "${prevversion},${VERSION}" | tr ',' '\n' | sort -V -C && [[ "${prevversion}" != "${version}" ]] then echo "needsUpdate=true" >> $GITHUB_OUTPUT echo "This release is a higher version, so we need to update podman.io" @@ -98,9 +103,11 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Replace the version in static/data/global.ts file - sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts + sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g" static/data/global.ts echo "Updated file:" cat static/data/global.ts @@ -109,22 +116,23 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-podmanv${{ steps.getversion.outputs.version }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-podmanv${VERSION}" git checkout -b $bumpbranch git add static/data/global.ts - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote -v git remote add podmanbot https://github.com/podmanbot/podman.io git push podmanbot "+$bumpbranch" gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ - --body "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ + --body "Bump Podman to v${VERSION}" \ --head "podmanbot:$bumpbranch" \ --base "main" -R "containers/podman.io" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml index 6e310bd075..3050a900ac 100644 --- a/.github/workflows/upload-win-installer.yml +++ b/.github/workflows/upload-win-installer.yml @@ -26,24 +26,31 @@ jobs: steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - $inputs_dryrun = "${{ inputs.dryrun }}" + $inputs_dryrun = "${env:INPUT_DRYRUN}" if ($inputs_dryrun.Length -lt 1) { Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append } else { - Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + Write-Output "dryrun=${env:INPUT_DRYRUN}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append } - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + Write-Output "::notice::This workflow execution will be a dry-run: ${env:DRYRUN}" - name: Determine version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - $version = "${{ inputs.version }}" + $version = "${env:INPUT_VERSION}" if ($version.Length -lt 1) { - $version = "${{ github.event.release.tag_name }}" + $version = "${env:TAG_NAME}" if ($version.Length -lt 1) { Write-Host "::error::Could not determine version!" Exit 1 @@ -63,16 +70,18 @@ jobs: # to judge w/n (i.e. in some extreme case) it should be uploaded to the release page. - name: Check id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\check.ps1 ${{steps.getversion.outputs.version}} + .\check.ps1 "${env:VERSION}" $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append Pop-Location Exit 0 } - Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + Write-Output "upload_asset_name=${env:UPLOAD_ASSET_NAME}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append Pop-Location Exit $code # The podman release process requires a cross-compile of the windows binaries be uploaded to @@ -80,8 +89,10 @@ jobs: # non-obvious ways with a non-obvious error message. Address that here. - name: Confirm upload_asset_name is non-empty if: steps.check.outputs.upload_asset_name == '' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${{steps.getversion.outputs.version}}." + Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${env:VERSION}." Exit 1 - name: Set up Go uses: actions/setup-go@v6 @@ -93,13 +104,19 @@ jobs: run: dotnet tool install --global wix - name: Setup Signature Tooling if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' + env: + AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }} + AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }} + AZ_APP_ID: ${{ secrets.AZ_APP_ID }} + AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} + AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} run: | dotnet tool install --global AzureSignTool --version 3.0.0 - echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Pandoc Setup uses: r-lib/actions/setup-pandoc@v2 with: @@ -107,9 +124,11 @@ jobs: - name: Build id: build if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\build.ps1 ${{steps.getversion.outputs.version}} prod + .\build.ps1 "${env:VERSION}" prod $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append @@ -132,14 +151,16 @@ jobs: steps.check.outputs.already-exists != 'true' && steps.build.outputs.artifact-missing != 'true' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + UPLOAD_ASSET_NAME: ${{ steps.check.outputs.upload_asset_name }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - $version = "${{ steps.getversion.outputs.version }}" + $version = "${env:VERSION}" if ($version[0] -ne "v") { $version = "v$version" } - gh release upload $version ${{ steps.check.outputs.upload_asset_name }} + gh release upload $version "${env:UPLOAD_ASSET_NAME}" if ($LASTEXITCODE -ne 0) { .\check.ps1 $version if ($LASTEXITCODE -eq 2) { From 50c105ab1f632f7f3ce0c351da8f9b64ef3d7123 Mon Sep 17 00:00:00 2001 From: Ashley Cui Date: Fri, 5 Jun 2026 00:17:53 -0400 Subject: [PATCH 4/5] Release automation: update org location containers -> podman-container-tools Signed-off-by: Ashley Cui (cherry picked from commit c0f582d734332cf8fbff4fbd5b5a486c6fe32932) Signed-off-by: Paul Holzinger --- .github/workflows/machine-os-pr.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index 05a4584709..5728d49592 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -20,8 +20,8 @@ jobs: pull-requests: write env: SHA: ${{github.event.pull_request.head.sha}} - UPSTREAM_MACHINE_OS: "containers/podman-machine-os" - PODMAN_REPO: "containers/podman" + UPSTREAM_MACHINE_OS: "podman-container-tools/podman-machine-os" + PODMAN_REPO: "podman-container-tools/podman" steps: - name: Get version @@ -70,7 +70,7 @@ jobs: if: steps.getversion.outputs.update == 'true' id: checkout with: - repository: containers/podman-machine-os + repository: podman-container-tools/podman-machine-os ref: ${{github.base_ref}} token: ${{secrets.PODMANBOT_TOKEN}} @@ -93,7 +93,7 @@ jobs: run: | wait-for-copr \ --owner packit \ - --project "containers-podman-${EVENT_NUMBER}" \ + --project "podman-container-tools-podman-${EVENT_NUMBER}" \ podman \ ${SHA::9} From 645c4f3842050ae16c24524c4fe7629ff987b01d Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 2 Jun 2026 15:26:09 -0700 Subject: [PATCH 5/5] ci: fix validate-source checks vs stale labels When the validate-source job is re-run manually after adding a label, it uses stale labels (from the "pull_request" event that originally triggered it), and so the steps that check labels don't see new labels. Fix by querying the labels live (similar to how it was done before commits 6e597af6dc and 1da154117c). Note the logic differs slightly between hack/ci/make-and-check-size.sh and hack/ci/pr-should-include-tests. This is because pr-should-include-tests is also executed locally as well as on non-PRs, while make-and-check-size is run strictly in CI for PRs only. Signed-off-by: Kir Kolyshkin (cherry picked from commit d05c113acd0a5b6292581b132953493c476e4a40) Signed-off-by: Paul Holzinger --- .github/workflows/ci.yml | 12 +++++++----- hack/ci/make-and-check-size.sh | 18 +++++++++++++++--- hack/ci/pr-should-include-tests | 27 ++++++++++++++++++++++++--- 3 files changed, 46 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5202844283..d62b38f96a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,6 +46,8 @@ jobs: validate-source: name: Validate source code changes runs-on: cncf-ubuntu-8-32-x86 + permissions: + pull-requests: read # For hack/ci/pr-should-include-tests to query PR labels. env: # Base commit of this PR; used by the Makefile and the helper scripts to # compute the commit range (git merge-base $DEST_BRANCH HEAD). @@ -126,8 +128,9 @@ jobs: run: make swagger - name: Check that the PR includes tests - # The 'No New Tests' label lets maintainers override this check. - if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'No New Tests') }} + env: + # For hack/ci/pr-should-include-tests to query PR labels. + GITHUB_TOKEN: ${{ github.token }} run: make tests-included - name: Validate renovate config @@ -154,9 +157,8 @@ jobs: # limit enforced by hack/ci/make-and-check-size.sh. if: ${{ github.event_name == 'pull_request' }} env: - # The 'bloat_approved' label lets a repo admin override the binary - # size growth check in hack/ci/make-and-check-size.sh. - BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }} + # For hack/ci/make-and-check-size.sh to query PR labels. + GITHUB_TOKEN: ${{ github.token }} run: | # git rebase rewrites commits, so it needs a committer identity. git config user.name "CI" diff --git a/hack/ci/make-and-check-size.sh b/hack/ci/make-and-check-size.sh index 1c31bf4762..8dde0ae969 100755 --- a/hack/ci/make-and-check-size.sh +++ b/hack/ci/make-and-check-size.sh @@ -53,9 +53,21 @@ function bloat_approved() { # requiring a MAX_BIN_GROWTH=nnn statement in github comments. local actual_growth="$1" - # The validate-source GitHub Actions workflow sets BLOAT_APPROVED=true when - # the PR carries the '$OVERRIDE_LABEL' label. - [[ "$BLOAT_APPROVED" == "true" ]] + local var + for var in PR_NUMBER GITHUB_TOKEN GITHUB_REPOSITORY; do + if [[ -z "${!var}" ]]; then + echo "$ME: cannot query github: \$$var is undefined" >&2 + return 1 + fi + done + + labels=$(curl --fail -s \ + -H "Authorization: bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" | + jq -r '.labels[].name') + + grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels" } # ACTUAL CODE BEGINS HERE diff --git a/hack/ci/pr-should-include-tests b/hack/ci/pr-should-include-tests index 75f55b1475..ad9568098e 100755 --- a/hack/ci/pr-should-include-tests +++ b/hack/ci/pr-should-include-tests @@ -46,9 +46,30 @@ if [[ -z "$filtered_changes" ]]; then exit 0 fi -# This PR touches non-test files but adds no tests. Fail loudly. -# The '$OVERRIDE_LABEL' label can be used to override this check; that is -# handled by the CI workflow, not here. +# This PR touches non-test files but adds no tests. Only allow it if the +# '$OVERRIDE_LABEL' github label is set. +if [[ -n "$PR_NUMBER" ]]; then + for var in GITHUB_TOKEN GITHUB_REPOSITORY; do + if [[ -z "${!var}" ]]; then + echo "$ME: cannot query github: \$$var is undefined" >&2 + return 1 + fi + done + + labels=$(curl --fail -s \ + -H "Authorization: bearer $GITHUB_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" | + jq -r '.labels[].name') + + if grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels"; then + echo "$ME: \"$OVERRIDE_LABEL\" label found, ignoring test requirements" + exit 0 + fi +fi + +# This PR touches non-test files but adds no tests, and +# the '$OVERRIDE_LABEL' is not set. Fail loudly. cat <