Commit Graph

24 Commits

Author SHA1 Message Date
renovate[bot]
07ab42eed5 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-29 14:05:32 +00:00
Brent Baude
f87cefc262 Remove Intel MacOS support
This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.

Fixes Jira: RUN-3621

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-12-07 07:03:06 -06:00
Daniel Hast
67c050bb8e ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:09 -05:00
Daniel Hast
64ddbfea12 ci: disable caching for actions/setup-go
This mitigates a potential cache-poisoning attack. For details, see:
https://docs.zizmor.sh/audits/#cache-poisoning

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:54 -05:00
Daniel Hast
0752c5327e ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:49 -05:00
Daniel Hast
30495081b7 ci: specify workflow permissions per job
Also remove some unnecessary permissions:

* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:39 -05:00
Daniel Hast
248d8f64a6 ci: pin 3rd-party action dependencies by commit hashes
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:41:55 -05:00
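As an added example (not code from this repository's workflows), here is one hardened workflow that applies the CI changes above in one place: per-job least-privilege permissions, `persist-credentials` set explicitly per job, `cache: false` for setup-go, actions pinned to commit SHAs (shown as a placeholder, not a real hash), and template expansions routed through environment variables instead of being spliced into `run:` scripts. The `make release` target, `go-version-file`, the site-update commit and the version regex are assumptions, not taken from the project.

```yaml
name: release (hardened example)
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release tag, e.g. v1.2.3 or v1.2.3-rc1"
        required: true
# No workflow-level `permissions:`; each job declares the least it needs.
jobs:
  build:
    runs-on: ubuntu-24.04
    permissions:
      contents: read               # read-only: no `actions: write`, no PR scope
    steps:
      - uses: actions/checkout@PINNED_COMMIT_SHA   # placeholder: use the full 40-hex SHA
        with:
          persist-credentials: false   # this job never pushes; keep the token out of .git/config
      - uses: actions/setup-go@PINNED_COMMIT_SHA   # placeholder
        with:
          go-version-file: go.mod      # assumed: Go version tracked in go.mod
          cache: false                 # never restore a cache another run could have poisoned
      # Before: `run: echo "building ${{ inputs.version }}"` splices raw input into script text, so the shell parses it as code.
      # After: the expansion lands in an env var and the script reads it as data only.
      - name: Validate and build
        env:
          VERSION: ${{ inputs.version }}
        run: |
          if ! printf '%s\n' "$VERSION" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$'; then
            echo "::error::'$VERSION' is not a valid release version"
            exit 1
          fi
          make release VERSION="$VERSION"   # quoted: no splitting or globbing; assumed target
  update-site:
    needs: build
    runs-on: ubuntu-24.04
    permissions:
      contents: write              # pushes a branch
      pull-requests: write         # opens the PR
    steps:
      - uses: actions/checkout@PINNED_COMMIT_SHA   # placeholder
        with:
          persist-credentials: true    # the git push below relies on the stored token
      - env:
          VERSION: ${{ inputs.version }}
          GH_TOKEN: ${{ github.token }}   # read by gh; never spliced into the script text
        run: |
          git checkout -b "site-$VERSION"
          git -c user.name=ci -c user.email=ci@example.invalid commit --allow-empty -m "Site: $VERSION"   # constructed stand-in for the real site change
          git push origin "site-$VERSION"
          gh pr create --fill --head "site-$VERSION"
```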
renovate[bot]
a23b90b119 [skip-ci] Update actions/checkout action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-20 16:43:50 +00:00
renovate[bot]
07a27f95d1 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-24 19:10:55 +00:00
renovate[bot]
f22506b74f [skip-ci] Update actions/setup-go action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 05:39:43 +00:00
renovate[bot]
4bb4cf62cb [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-11 13:22:56 +00:00
Ashley Cui
41dd3f2474 Automate release
Automatically generate our GitHub release.

This GitHub action is triggered on a tag push, or manually. After the trigger, all artifacts are built, including linux, mac, and windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.

Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-05 14:30:57 -05:00
renovate[bot]
ece76a2537 chore(deps): update dependency ubuntu to v24
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-30 12:03:09 +00:00
Mario Loriedo
014b7af4f3 Never skip checkout step in release workflow
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2024-08-01 16:09:03 +02:00
Chris Evich
54edf3d8ee Release workflow: Include candidate descriptor
Assist humans by indicating clearly when a release announcement is
pertaining to a candidate.  Otherwise, it's possible someone may
overlook the `-rcX` version suffix.

Also fix a quoting problem missed in testing.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 17:22:03 -04:00
Chris Evich
19989380b8 Minor: Fix indentation in GHA release workflow
Simply indent list items two spaces to the right WRT their parent.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:49:37 -04:00
Chris Evich
82973c38e4 GHA: Send release notification mail
Rather than manually crafting what ends up being nearly identical
release e-mails, do it automatically whenever a release is created.

Note: At the time of this commit, there is a possible race condition
with the `mac-pkg.yml` workflow, since it runs in parallel.  It could
fail, or fail to complete prior to the e-mail content being generated.
This should be unlikely, if `release-artifacts.yml` goes through and
compiles every artifact, but it's not guaranteed.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:48:14 -04:00
Chris Evich
ad56dc7e2b GHA: Validate release version number
There's a reasonable chance this workflow will be triggered by a human
(via `workflow_dispatch`), and a non-zero chance with an invalid
version number for which a release should not be created.  Detect this
and provide a way for the operator to debug the source of the error.

Also fix some whitespace inconsistencies.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:47:26 -04:00
Ashley Cui
8f8dfb971f [CI:DOCS] Fix windows action trigger
Give the artifact action the permission to trigger the windows installer action

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-05-21 14:42:49 -04:00
openshift-merge-bot[bot]
d7d48705a4 Merge pull request #22669 from ashley-cui/act
[CI:DOCS] Trigger windows installer action properly
2024-05-14 12:22:33 +00:00
Ashley Cui
07ed2ddb93 [CI:DOCS] Use checkout@v4 in GH Actions
This change will minimize renovate PRs.
Checkout is an action maintained by GitHub, so using the latest v4 action shouldn't have stability consequences.

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-05-13 10:34:42 -04:00
Ashley Cui
71473976ac [CI:DOCS] Trigger windows installer action properly
Add the needed GH_TOKEN for the windows action.

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-05-10 16:27:45 -04:00
Ashley Cui
c22eefb939 [CI:DOCS] Fix artifact action
Fix a bug where the check uploads section didn't actually mark the os/arch to be built.

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-04-22 15:23:52 -04:00
Ashley Cui
e7f0c1947e [CI:DOCS] Build & upload release artifacts with GitHub Actions
Add a new GitHub Action that builds and uploads release artifacts. This action is triggered by publishing a release on GitHub. The action will only build if the specific artifact is missing.

This action also triggers the Windows installer action, since the Windows installer action depends on an uploaded artifact.

Note that the action runs on ubuntu-22.04.

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-04-19 14:16:23 -04:00