The podman in `ubuntu-latest` environment apparently is too old to
support `--userns=keep-id:uid=1000,gid=1000`. Employ workaround in GHA
workflow and in `prebuild.sh` check.
Signed-off-by: Chris Evich <cevich@redhat.com>
As an effort to catch potential secrets and/or credential leaks, add a
github-actions workflow which is untouchable in a PR context.
To additionally guard against accidents, also check recent branch
history. This is especially important on newly created
release-branches, which may begin with content from who-knows-where.
Finally, since the new workflow bypasses PR-level changes to the scanner
config and base-line. Add a Cirrus-CI invocation of the scanning tool
to help catch tool-breaking changes from being merged.
Signed-off-by: Chris Evich <cevich@redhat.com>
`wait-for-copr` is still very flaky and has failed more often than not.
Ref: https://github.com/fedora-copr/copr/issues/2819
This change to the fcos GHA will allow nightly builds pulling in
whatever packages exist on podman-next at that time without depending on
wait-for-copr.
The commit id will still be recorded in podman version as well as the
image tag, so auditing is not affected with this change.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The closed issue & PR lock is working fine, but it has a built-in
50-item limit. The limit is not configurable. Since there are
tens-of-thousands of issues/prs to go through, 50-per-day could take
almost a year. Speed things up 24x by running the job every hour
instead of daily.
Signed-off-by: Chris Evich <cevich@redhat.com>
Followup on #19477
Remove commented out cirrus task for fcos image build with podman-next
and add 2 github actions: 1 for running a simple uni-arch image build
on every PR and another to actually build multiarch images and push to
quay after merge.
`podman --version` will also include git short sha for clarity.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Don't need this email as we have podman-monitor email listed wherever
relevant.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This commit limits the blast-radius should the workflow fail
catastrophically. It also instruments the workflow with a job-level
test-failure to trigger a notification mail. This commit should be
reverted once the workflow is deemed functional.
Signed-off-by: Chris Evich <cevich@redhat.com>
This may be helpful in case SHA comparison is needed w/ files elsewhere.
For example, the files uploaded to a github release page.
Signed-off-by: Chris Evich <cevich@redhat.com>
These are visible when running either job manually. Fix the windows
workflow by including a `v` prefix to an obviously fictitious version
number. For consistency, update the mac workflow text to match.
Signed-off-by: Chris Evich <cevich@redhat.com>
Neither `release` nor `workflow_dispatch` triggers may be tested inside
a PR context. The workflow steps always run from what's already
committed to `main`. Rather than waiting for a release to discover
some unforeseen workflow problem, allow manual runs to optionally skip
the release upload step (by default).
Also, update the windows workflow to store an artifact of the signed
build, and migrate away from the deprecated "set-output" command.
Signed-off-by: Chris Evich <cevich@redhat.com>
Having hard-coded versions burried under a hidden directory is ripe for
maintenance headaches. Use the latest 'stable' version, since this will
be "close enough" to what we test in CI.
Ref: https://github.com/containers/podman/discussions/19404
Signed-off-by: Chris Evich <cevich@redhat.com>
Create a new GitHub Action that builds and signs the Mac pkginstaller. The action also uploads the installers to the release, and updates the shasums file.
This action is triggered on release creation, but it can also be triggered manually via a workflow dispatch.
Signed-off-by: Ashley Cui <acui@redhat.com>
Due to a bad file-format design, if a cirrus-cron job happened to have a
name w/ spaces, the generated e-mail text would be broken. For example:
```
Cron build 'VM' Failed: https://cirrus-ci.com/build/Image Maintenance
5630822628196352
```
Fix this by flipping the field-order in an intermediate file, so the
build ID comes first, then the job name. This makes it much easier for
`read` to process, since all words will be stored into the final
variable (now the job name).
Also change all variables that reference this intermediate file such
that they continue to reflect the expected field order. Update script
tests and add a new test to confirm expected file processing and output.
Signed-off-by: Chris Evich <cevich@redhat.com>
It's nearly impossible for humans to tell semantic-version differences
by looking at a commit sha. Since all the actions in question come from
github, there's little security/safety benefit to using SHAs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Fairly universally, the last Cirrus-Cron job is set to fire off at
22:22 UTC. However, the re-run of failed jobs GHA workflow was
scheduled for 22:05, meaning it will never re-run the last cirrus-cron
job should it fail.
Re-arrange the execution order so as to give plenty of time between the
last cirrus-cron job starting, the auto-re-run attempt, and the final
failure-check e-mail.
Signed-off-by: Chris Evich <cevich@redhat.com>
The checkout action by default, clones the current repository. However,
since this workflow is re-used by other repos, and it calls scripts in
the podman repo, those calls will all fail. Fix this by hard-coding the
podman repo.
Ref: https://github.com/actions/checkout
Signed-off-by: Chris Evich <cevich@redhat.com>
It's possible to reuse a GHA workflow from another repo with minimal
YAML. However there are certain requirements, like spelling out all the
required secret values. Also any mention of `ACTIONS_STEP_DEBUG` will
cause failures and must be removed.
As usual, there's no convenient way to test these changes without pushing
to a `main` branch somewhere that also has all the proper secrets
configured. However, I did pattern these changes off of a working setup
in buildah:
fd2d05c0a7/.github/workflows/check_cirrus_cron.yml
Signed-off-by: Chris Evich <cevich@redhat.com>
Because in github-actions, setting a secret variable isn't enough. You
ALSO have to set it again in your YAML. I guess it's assumed in the
name of "security" that the person with access to secrets, might not
also have access to update YAML. Crazy!
Also, while I'm at it. Bump up the execution schedule WRT the
check_cirrus_cron workflow - this will give re-run jobs more time to
complete.
Signed-off-by: Chris Evich <cevich@redhat.com>
This component was recently migrated from being inline, into a dedicated
script file. This was necessary for testing. However, it's hard to
test the actual github-actions workflow YAML, and there was a typo. Fix
the reference to the script filename missing the `.sh` extension.
Ref: https://github.com/containers/podman/pull/16414
Signed-off-by: Chris Evich <cevich@redhat.com>
Lack of proper testing possibility for github actions and lack of
script-testing by me, allowed several flaws through into 'main'. Fix
the problems and manually test the scripts to make sure they're working.
Note: Also revert the stupid SHA-based action-pinning back to normal,
human-readable version numbers. The value of using SHAs in the name of
improved "security" is real, but the value of human-readability and
ease of maintenance is greater.
Signed-off-by: Chris Evich <cevich@redhat.com>
