This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.
Fixes Jira: RUN-3621
Signed-off-by: Brent Baude <bbaude@redhat.com>
Zizmor (https://docs.zizmor.sh/) is a static analysis tool for GitHub
Actions. Most of the issues identified by Zizmor were fixed in #27642.
This Zizmor action integrates with GitHub Advanced Security and scans
workflows for potential security issues, which should help ensure that
such issues aren't reintroduced in the future.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
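The two patterns the commit above contrasts, as an added example that is not part of the podman repository or its workflows: GitHub Actions substitutes `${{ ... }}` expressions textually into the `run:` script before the shell ever parses it, whereas a value placed in `env:` is read by the shell as data after parsing. The script below simulates that difference locally with a constructed sample value and also shows the word-splitting problem that unquoted expansions cause. `SAMPLE_TITLE`, `SAMPLE_ARG` and the function names are this example's own inventions.

```shell
#!/bin/sh
# Added example, not code from the podman repository. Simulates how a
# workflow value reaches a shell step, with and without template injection.

# Constructed sample value standing in for an untrusted field such as a PR
# title. It contains shell metacharacters on purpose (hypothetical input).
SAMPLE_TITLE='fix"; echo not-a-title; echo "'

# Mimics the runner's textual expansion of:   run: echo "${{ inputs.title }}"
# Returns the script text the shell would be handed.
expand_template() {
  printf 'echo "%s"\n' "$1"
}

# Vulnerable pattern: execute the expanded script and return the number of
# output lines. Anything other than 1 means the value altered the command
# structure rather than being printed as a single string.
count_lines_template() {
  expand_template "$1" | sh | wc -l | tr -d ' '
}

# Hardened pattern: the value travels in an environment variable and the
# script references it as "$TITLE"; the shell never re-parses its contents,
# so the output is always exactly one line.
count_lines_env() {
  TITLE="$1" sh -c 'echo "$TITLE"' | wc -l | tr -d ' '
}

# Word splitting: an unquoted expansion of a value with internal whitespace
# becomes several arguments, a quoted expansion stays a single argument.
SAMPLE_ARG='a  b'
count_args_unquoted() { set -- $1; echo $#; }
count_args_quoted()   { set -- "$1"; echo $#; }

# Stand-alone usage: prints 3, 1, 2, 1 for the constructed inputs.
if [ "${0##*/}" != "sh" ]; then
  count_lines_template "$SAMPLE_TITLE"
  count_lines_env "$SAMPLE_TITLE"
  count_args_unquoted "$SAMPLE_ARG"
  count_args_quoted "$SAMPLE_ARG"
fi
```

The `env:` route is the one the commit adopts: the workflow sets `TITLE: ${{ ... }}` under `env:` and the `run:` script only ever sees `"$TITLE"`, which is exactly what `count_lines_env` models.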
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).
Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
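The `--sandbox` behaviour the commit relies on, as an added example that is not the podman repository's own script: a dynamically generated sed substitution runs under `--sandbox`, and a second helper confirms that sed rejects a script containing a file-writing command in that mode. It assumes GNU sed 4.3 or newer (where `--sandbox` exists); `SAMPLE_INPUT`, the function names and the version strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the podman repository. Shows sed --sandbox
# guarding a dynamically generated sed script. Requires GNU sed >= 4.3.

# Constructed sample file content (hypothetical).
SAMPLE_INPUT='version: 1.0.0
name: demo'

# Substitutes a caller-supplied version string into SAMPLE_INPUT using a sed
# script built from a variable expansion. Because the script is dynamic, it
# runs under --sandbox so that the e, r, w and W commands are refused even
# if the value managed to break out of the s/// expression.
safe_version_bump() {
  new_version="$1"
  # Escape the characters that are special in a sed replacement (\ & /) so
  # the value cannot terminate the expression or be reinterpreted.
  escaped=$(printf '%s' "$new_version" | sed 's|[&/\\]|\\&|g')
  printf '%s\n' "$SAMPLE_INPUT" | sed --sandbox "s/^version: .*/version: ${escaped}/"
}

# Returns 0 when sed --sandbox rejects a script that writes to a file.
# The script is harmless on its own (it targets /dev/null); the point is
# that sandbox mode refuses it before running anything.
sandbox_rejects_write() {
  ! printf 'x\n' | sed --sandbox 'w /dev/null' >/dev/null 2>&1
}

# Stand-alone usage.
if [ "${0##*/}" != "sh" ]; then
  safe_version_bump "2.3.4-dev"
  sandbox_rejects_write && echo "sandbox rejected the w command"
fi
```

Note that the escaping step and `--sandbox` address different risks: escaping keeps the value inside the replacement text, while `--sandbox` limits what sed can do if that ever fails. Keeping `.*` inside the quoted script, as the commit's second fix does, matters for the same reason: left outside the quotes it is a shell glob, not part of the sed pattern.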
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.
This reduces the risk of cached credentials accidentally being leaked
via artifacts.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Also remove some unnecessary permissions:
* The notification job in release-artifacts.yml only needs to read repo
contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
only need to read repo contents. "Update podman.io" only needs to
write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
only writing repo contents and pull requests.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
This GitHub action uses the certficate_generator.html from automation
repo to generate the badge for first time contributors and commits the
badge to the same repo which will be commented on the PR once it gets
merged.
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.
Signed-off-by: Ashley Cui <acui@redhat.com>
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.
When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:
`podman-installer-windows-${GOARCH}.exe`
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Create GitHub action to automatically bump to a -dev version after a release is tagged.
On a branch:
- The bump will always be a z bump on branches
- If the bump is to an RC, then the bump will be back down to dev (i.e., 9.9.0-rc1 to 9.9.0-dev)
- If the bump is not an RC, the bump will be up to dev (i.e., 9.9.0 to 9.9.1-dev)
On main:
- If the X.Y version on main is smaller than the X.Y on the release tag, this action will open a PR to bump the version on main to the release tag's X.Y+1
- Major version (X) dev bumps will still need to be manual
Signed-off-by: Ashley Cui <acui@redhat.com>
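The version arithmetic described in the two lists above, as an added example that is not the podman action's own script. `next_dev_version` implements the two branch rules (RC tags drop back to `-dev`, release tags get a Z bump); `next_main_version` implements the main rule for the case where the tag shares main's major version, since the commit says major (X) bumps stay manual. It assumes tags look like `vX.Y.Z` or `vX.Y.Z-rcN` with an optional leading `v`; the function names and sample versions are constructed for this example.

```shell
#!/bin/sh
# Added example, not the podman repository's own code. Computes the -dev
# version that follows a release tag. Assumes tags of the form vX.Y.Z or
# vX.Y.Z-rcN (the leading "v" is optional and is an assumption).

# Branch rule: always a Z bump. RC tags go back down to dev, release tags
# go up to the next Z with a -dev suffix.
next_dev_version() {
  tag="${1#v}"
  case "$tag" in
    *-rc*)
      # 9.9.0-rc1 -> 9.9.0-dev
      printf '%s-dev\n' "${tag%%-rc*}"
      ;;
    *)
      # 9.9.0 -> 9.9.1-dev
      xy="${tag%.*}"
      z="${tag##*.}"
      printf '%s.%s-dev\n' "$xy" "$((z + 1))"
      ;;
  esac
}

# Main rule: if main's X.Y is behind the tag's X.Y (same major), print the
# version main should move to, which is the tag's X.(Y+1).0-dev. Prints
# nothing and returns 1 when no bump is needed. Major bumps are left manual.
next_main_version() {
  main="${1#v}"; tag="${2#v}"
  main_x="${main%%.*}"; main_rest="${main#*.}"; main_y="${main_rest%%.*}"
  tag_x="${tag%%.*}";   tag_rest="${tag#*.}";   tag_y="${tag_rest%%.*}"
  if [ "$main_x" -eq "$tag_x" ] && [ "$main_y" -lt "$tag_y" ]; then
    printf '%s.%s.0-dev\n' "$tag_x" "$((tag_y + 1))"
  else
    return 1
  fi
}

# Stand-alone usage with constructed versions.
if [ "${0##*/}" != "sh" ]; then
  next_dev_version v9.9.0-rc1      # 9.9.0-dev
  next_dev_version v9.9.0          # 9.9.1-dev
  next_main_version 5.3.0-dev v5.4.0   # 5.5.0-dev
  next_main_version 5.5.0-dev v5.4.0 || echo "main already ahead, no bump"
fi
```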
When a reviewer of an issue determines that an issue is incomplete, a
`needs-info` label can be added to the issue. This will trigger a GH
action with an automated response. The reviewer should also have told
the user what is needed or asked a question. Also, we have no automated
way to remove the label when a response is provided, so this still needs
to be managed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
When we do a release, we need to ensure that machine images are built before the release PR can merge.
This GitHub action is triggered on version bumps, waits for our COPR builds to finish, and then opens a PR on the podman-machine-os repo to build the required machine-os images there. Note that dev bumps, unless on main, will not open a PR.
Signed-off-by: Ashley Cui <acui@redhat.com>
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ reruns wasting our cloud resources.
Get rid of it for now until we find something better or can properly
identify and fix the root cause.
[1] https://github.com/containers/buildah/issues/6035
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Automatically generate our GitHub release.
This GitHub action is triggered on a tag push, or manually. After the trigger, all artifacts are built, including linux, mac, and windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.
Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.
Signed-off-by: Ashley Cui <acui@redhat.com>
It is flaking[1] from time to time on PRs and doesn't really add value
because no one is actually changing the Containerfile. The task on main
that builds an image based off main still exists as per Lokesh
podman-desktop uses it for testing. In the near term we will get proper
builds in the podman-machine-os repo so this other workflow can
hopefully be removed altogether.
[1] https://github.com/containers/podman/actions/runs/10618524888/job/29433963845?pr=23807
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Restore behavior for using uploaded zip file to generate the windows installer. This ensures that actions can always build and sign the installer, no matter how old the release, provided a .zip.
Signed-off-by: Ashley Cui <acui@redhat.com>