Commit Graph

228 Commits

Author SHA1 Message Date
Matt Heon
735d0b0093 Merge pull request #28903 from Luap99/fix-chrootarchive-remote
fix podman-remote save -f oci-dir/docker-dir
2026-06-11 09:58:56 -04:00
Mario Loriedo
d1f0833c5f Merge pull request #28895 from ashley-cui/nightly
Release CI: Migrate to re-usable build action
2026-06-11 11:48:25 +02:00
Paul Holzinger
fd07b9c6ec fix podman-remote save -f oci-dir/docker-dir
With podman-remote we do not enter a our user namespace like we do with
local podman so we keep running with the real user id.

So if we then try to use chrootarchive as normal user it fails with:
creating mount namespace before pivot: operation not permitted

So simply revert back to the normal archive code.

Now the more interesting thing is we do have a test
"podman save to directory with oci format" but it never runs
rootless+remote in our CI system with our current matrix as we wanted to
reduce jobs.
So rethink the matrix and add one such job as this shows it is needed.

Fixes: 25aee24cbd ("use chrootarchive over plain archive package")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-10 18:47:02 +02:00
Ashley Cui
2f4e890067 Release CI: Migrate to re-usable build action
Migrate release to use release-build-artifacts action. This re-usable build action is tested nightly, so hopefully this will make our release automation more stable, as we may catch issues in our nightly runs. Followup to https://github.com/podman-container-tools/podman/pull/28176

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-09 14:25:10 -04:00
renovate[bot]
612a4acaab Update actions/stale action to v10.3.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-09 18:20:33 +00:00
Ashley Cui
3ca887232d Some Windows release cleanup
- Update pandoc
- Remove unused FETCH_BASE_URL
- Remove legacy installer upload (74043cf7)

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-09 14:15:42 -04:00
Mario Loriedo
138879058b Merge pull request #28843 from kolyshkin/should-include-tests
ci: fix validate-source checks vs stale labels
2026-06-05 19:23:44 +02:00
Mario Loriedo
3ab25801a8 Merge pull request #28867 from ashley-cui/relauto
Release automation: update org location
2026-06-05 19:04:41 +02:00
Paul Holzinger
fd9ca9d1f6 Merge pull request #28862 from podman-container-tools/renovate/actions-checkout-6.x
[skip-ci] Update actions/checkout action to v6.0.3
2026-06-05 18:15:22 +02:00
Ashley Cui
c0f582d734 Release automation: update org location
containers -> podman-container-tools

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-05 09:22:33 -04:00
renovate[bot]
821ab5493a Update dependency macos to v26
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-04 22:49:32 +00:00
renovate[bot]
dbd7b4c138 [skip-ci] Update actions/checkout action to v6.0.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-04 19:13:23 +00:00
Miloslav Trmač
31544e1f10 Merge pull request #28852 from l0rd/more-gh-token-in-webrequest
Set permissions for win installer CI job
2026-06-04 18:50:29 +02:00
Mario Loriedo
9c7ad74ede Set permissions for win installer CI job
Explicitly set `content: read` permissions so that the GITHUB_TOKEN type
have permissions to "Get a release".

Fixes https://github.com/podman-container-tools/podman/issues/28850

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2026-06-04 12:25:24 +02:00
renovate[bot]
23ebddbee1 [skip-ci] Update zizmorcore/zizmor-action action to v0.5.6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-06-04 09:01:31 +00:00
Kir Kolyshkin
d05c113acd ci: fix validate-source checks vs stale labels
When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.

Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).

Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-03 11:44:07 -07:00
Paul Holzinger
602a803f57 ci: fix validate job to actually work on push
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.

Fixes: #28825

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-02 19:50:37 +02:00
Jan Rodák
9cef14899f Merge pull request #28832 from ashley-cui/ci
CI: Adjust Mac tmpdir
2026-06-02 11:55:45 +02:00
Paul Holzinger
3743b9f806 Goodbye Cirrus
Removing remaining cirrus specific files that we no longer use in the
new CI setup.

Fixes: #28829

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 20:34:27 +02:00
Paul Holzinger
c4d895b07c ci: add path-filter to success job
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 20:34:27 +02:00
Ashley Cui
2984c2450b CI: Adjust Mac tmpdir
Makes for easier cleanup, and follows previous cirrus convention.

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-01 13:24:35 -04:00
Paul Holzinger
3faf2deaf8 ci: skip validate-source on push
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 17:00:17 +02:00
Paul Holzinger
0fce332955 ci: add GITHUB_TOKEN to win installer test
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 17:00:17 +02:00
Paul Holzinger
1fb335d245 ci: disable swagger.yml job
We do not have permissions setup for this and this needs some more
design before we should use it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 17:00:17 +02:00
Paul Holzinger
a758d09b64 ci.yml: add macos jobs
Copied from Tim, but directly integrated into the main yml file to allow
for proper task dependencies.

Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 17:00:17 +02:00
Paul Holzinger
2297695d0c ci.yml: add windows jobs
Copied from Tim, but directly integrated into the main ci.yml file to
allow for proper task dependencies.

I renamed same task and updated the task dependencies.

Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 17:00:16 +02:00
Paul Holzinger
399e822ca4 New GHA lima ci testing setup
The main gh action is just there to install lima and then call the main
ci.sh script which uses lima to start the right VM and then run the
tests inside there mostly for linux tasks where possible.

Inside the VM we use the runner.sh script to setup the env and launch the
final test.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-01 13:01:34 +02:00
Kir Kolyshkin
26e30e5f6d Publish swagger.yaml from GitHub Actions on push to main and tags
Add a 'Publish swagger' workflow that builds pkg/api/swagger.yaml and
uploads it to the libpod-master-releases GCS bucket (swagger-latest.yaml
for main, swagger-<tag>.yaml for tags), reusing the same gcsupld container
as Cirrus with GCPJSON/GCPNAME supplied via repository secrets. Per-PR
uploads to libpod-pr-releases are dropped, as nothing consumes them.

The gcsupld image tag is hardcoded (copied from .cirrus.yml IMAGE_SUFFIX)
rather than read at runtime, since Cirrus CI is to be decommissioned soon.

Remove the now-migrated swagger_task from .cirrus.yml (and its success_task
dependency) and the _run_swagger handler from hack/ci/runner.sh, and update
docs/README.md to point at the new workflow. While at it, fix the link in
docs/README.md to hack/ci/README.md#docs-task, which had been dangling ever
since that file was removed in 2020 by commit 2c9084e224.

Note: requires GCPJSON and GCPNAME to be configured as GitHub repository
secrets before the upload step can succeed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-01 13:01:34 +02:00
Kir Kolyshkin
6071d780e9 Run 'make swagger' in the validate-source GHA job
Build pkg/api/swagger.yaml via the go-swagger tool as part of source
validation, confirming the API spec generates cleanly. This mirrors the
generation half of the Cirrus swagger_task; that task is kept for now as
it also publishes swagger.yaml to GCS for the docs site, which is not
migrated here.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-01 13:01:34 +02:00
Kir Kolyshkin
1da154117c Migrate 'build each commit' check from Cirrus to GHA
Add a 'Build each commit' step to the validate-source job. It builds the
PR fork point to record baseline binary sizes, then rebuilds and size-checks
each commit via 'git rebase -x', confirming every commit compiles on its own
and that no binary grows beyond the enforced limit.

Move hack/make-and-check-size to hack/ci/make-and-check-size.sh and replace
its Cirrus-specific GitHub GraphQL label query with a BLOAT_APPROVED env var
that the workflow derives from the 'bloat_approved' PR label.

Drop the now-migrated 'Build Each Commit' matrix entry from .cirrus.yml and
the corresponding *Each* case from hack/ci/runner.sh.

NOTE due to chicken-and-egg problem with make-and-check-size we need to
make a copy of it before working with git.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-01 13:01:34 +02:00
Kir Kolyshkin
6e597af6dc Migrate validate-source from Cirrus to GitHub Actions
Move the Cirrus validate-source_task to a GitHub Actions workflow
(.github/workflows/ci.yml) running as a single job on the CNCF-hosted
runner. The job runs the same stages: make validate-source,
tests-included, and the conditional renovate config check.

golangci-lint for FreeBSD and macOS now runs cross-compiled (GOOS) on
the native Linux runner instead of on dedicated Cirrus VMs/workers, so
the lint steps are dropped from osx_alt_build and freebsd_alt_build.

The PR helper scripts are de-Cirrus'd: they read CI-neutral env vars
(PR_HEAD, PR_NUMBER, PR_BODY) and the "No New Tests" label override is
now handled natively in the workflow instead of via a GraphQL query.

The shared clone/setup/main YAML anchors are relocated into build_task,
and the dead _run_validate-source runner.sh function is removed.

The tests-of-tests (.t files) are fixed for new setup (mostly removing
test cases which are now obsoleted, like [CI:DOCS] and [NO NEW TESTS]
markers. NOTE we still don't run tests in CI (although we could), but
I ran them locally and fixed all the issues.

Finally, test-jira-links-included is removed as it is RHEL-branch
specific and have no place in the new repo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-06-01 13:01:33 +02:00
Kir Kolyshkin
cd78329c3f ci: pin all github actions
Some were already pinned; let's fix the rest.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-05-19 12:11:39 -07:00
Ashley Cui
6ad87d00e0 Add nightly release pipeline validation
Build installers nightly, and test that our bot key is still valid. This is to catch hiccups before release time.

The intention is that after this is tested, the build-artifacts can be used in release.yml, like it is used in the validation action
But for now, the actual release does not use the build-artifacts action yet, let's let the testing bake a little first.

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-05-13 16:41:20 -04:00
Ashley Cui
e131ee6274 Remove deprecated release actions
Our new release has been mostly stable at this point, remove legacy actions.

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-05-12 14:54:18 -04:00
renovate[bot]
336601535a [skip-ci] Update r-lib/actions action to v2.12.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-30 11:46:52 +00:00
renovate[bot]
7812e9d814 [skip-ci] Update dawidd6/action-send-mail action to v17
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-28 12:04:43 +00:00
renovate[bot]
a1734fb02b [skip-ci] Update dawidd6/action-send-mail action to v16
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-21 20:58:17 +00:00
Ashley Cui
db6378e58d Merge pull request #28503 from containers/renovate/zizmorcore-zizmor-action-0.x
[skip-ci] Update zizmorcore/zizmor-action action to v0.5.3
2026-04-15 15:18:51 -04:00
Lokesh Mandvekar
8e78ca8ee6 [skip-ci] Update actions/github-script action to v9
Pin actions/github-script@v9 to commit hash to satisfy zizmor
security requirements. This addresses the unpinned-uses failures
in PR #28484.

Ref: https://github.com/actions/github-script/releases/tag/v9.0.0

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2026-04-15 13:26:39 -04:00
Mario Loriedo
53fc1d902e Install WiX v5.0.2 to build the Windows installer
To avoid failures such as

https://github.com/containers/podman/actions/runs/24401569105/job/71274410909#step:10:78

use version v5.0.2 of WiX as we do in CI images:

fe80516848/win_images/win_packaging.ps1 (L27)

Related to issue https://github.com/containers/podman/issues/27042

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2026-04-14 18:44:58 +02:00
renovate[bot]
3082e88d2e [skip-ci] Update zizmorcore/zizmor-action action to v0.5.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-14 02:12:09 +00:00
renovate[bot]
71e0456b1b [skip-ci] Update actions/create-github-app-token action to v3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-14 01:14:19 +00:00
renovate[bot]
3edb22b509 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-13 00:48:05 +00:00
Ashley Cui
6aedada3d1 Merge pull request #27762 from containers/renovate/dessant-lock-threads-6.x
[skip-ci] Update dessant/lock-threads action to v6
2026-03-11 10:59:57 -04:00
renovate[bot]
89d4fcd791 [skip-ci] Update zizmorcore/zizmor-action action to v0.5.2
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-11 09:26:04 +00:00
Matt Heon
e6e821c6e2 Merge pull request #28059 from timcoding1988/cherry-pick-bot
update cherry pick with pr
2026-02-16 14:33:35 -05:00
Tim Zhou
243df78fb9 adding assign github action
Signed-off-by: Tim Zhou <tizhou@redhat.com>
2026-02-12 14:31:34 -05:00
Tim Zhou
c69072edb1 update cherry pick with pr
Signed-off-by: Tim Zhou <tizhou@redhat.com>
2026-02-12 14:30:46 -05:00
Paul Holzinger
40a872c9ec Merge pull request #28040 from Luap99/curl-error
make curl error on non success status codes
2026-02-09 14:01:36 +01:00
Paul Holzinger
af7c36eae3 make curl error on non success status codes
By default something like a 404 will not make curl exit with an error
code. This is problematic for obvious reasons and instead of the file
you want you may now have some 404 html text instead.

I noticed this in #28003 which well just build fine installers except
the binary downloaded by the installer Makefile simply did not exist.

So to address that add --fail to most curl commands.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-02-06 17:29:49 +01:00