Commit Graph

23 Commits

Author SHA1 Message Date
Paul Holzinger
af7c36eae3 make curl error on non-success status codes
By default, something like a 404 will not make curl exit with an error
code. This is problematic for obvious reasons, and instead of the file
you want you may now have some 404 HTML text.

I noticed this in #28003, which would just build fine installers except
that the binary downloaded by the installer Makefile simply did not exist.

So to address that, add --fail to most curl commands.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-02-06 17:29:49 +01:00
renovate[bot]
07ab42eed5 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-29 14:05:32 +00:00
Mario Loriedo
7f16628a50 Stop releasing the legacy Windows installer
This commit removes the steps to build and publish the legacy Windows
installer from the GitHub release workflow.

It's related to #27624.

It also removes the deprecated `upload-win-installer.yml` workflow.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2026-01-05 12:19:44 +01:00
Mario Loriedo
22b10fa153 Use explicit download-artifact name and path for win-installer release
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-12-10 16:45:08 +01:00
Brent Baude
f87cefc262 Remove Intel MacOS support
This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.

Fixes Jira: RUN-3621

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-12-07 07:03:06 -06:00
Daniel Hast
67c050bb8e ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:09 -05:00
Daniel Hast
b9736e8d11 ci: pass secrets explicitly to reusable workflow
Using `secrets: inherit` forwards all secrets to the workflow and makes
it harder to determine which secrets the workflow was actually executed
with. See: https://docs.zizmor.sh/audits/#secrets-inherit

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:43:01 -05:00
Daniel Hast
64ddbfea12 ci: disable caching for actions/setup-go
This mitigates a potential cache-poisoning attack. For details, see:
https://docs.zizmor.sh/audits/#cache-poisoning

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:54 -05:00
Daniel Hast
0752c5327e ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:49 -05:00
Daniel Hast
30495081b7 ci: specify workflow permissions per job
Also remove some unnecessary permissions:

* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:39 -05:00
Daniel Hast
248d8f64a6 ci: pin 3rd-party action dependencies by commit hashes
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:41:55 -05:00
renovate[bot]
a23b90b119 [skip-ci] Update actions/checkout action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-20 16:43:50 +00:00
renovate[bot]
07a27f95d1 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-24 19:10:55 +00:00
Mario Loriedo
9dbc33bb25 Add a new Windows installer supporting user scope
Fixes #22994 and #25968

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-10-15 18:50:03 +02:00
renovate[bot]
f22506b74f [skip-ci] Update actions/setup-go action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 05:39:43 +00:00
renovate[bot]
4bb4cf62cb [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-11 13:22:56 +00:00
renovate[bot]
8ef76a6933 [skip-ci] Update actions/download-artifact action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-06 02:06:42 +00:00
Ashley Cui
416bb84c0e Trigger podman.io version bump from release action
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-22 10:04:00 -04:00
Ashley Cui
53f118d135 GHA Release: Fix windows installer uploads
The new arm and amd installers were left behind; upload them automatically to the GH release.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:09:26 -04:00
Ashley Cui
3e08c2abf0 Revert "GHA: Pin Go to 1.24.2"
This reverts commit fb9ef0dda0.
Use latest stable go to build release artifacts.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:08:33 -04:00
Ashley Cui
fb9ef0dda0 GHA: Pin Go to 1.24.2
There is a bug that makes building with the latest Go fail. Pin to 1.24.2 for now.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 11:08:25 -04:00
Mario Loriedo
136f2e1ba4 Update win-installer GitHub job for arm64
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.

When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:

   `podman-installer-windows-${GOARCH}.exe`

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-05-07 18:50:04 +02:00
Ashley Cui
41dd3f2474 Automate release
Automatically generate our GitHub release.

This GitHub action is triggered on a tag push, or manually. After the trigger, all artifacts are built, including Linux, Mac, and Windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.

Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-05 14:30:57 -05:00