Commit Graph

26440 Commits

Author SHA1 Message Date
Matt Heon
5431df23c7 Bump to v5.8.4
Signed-off-by: Matt Heon <mheon@redhat.com>
v5.8.4
2026-06-25 12:29:07 -04:00
Matt Heon
f91e707ec4 Update release notes for v5.8.4
Signed-off-by: Matt Heon <mheon@redhat.com>
2026-06-25 12:29:07 -04:00
Ashley Cui
30a5433d45 Fix release email
gh auth login fails if we set GITHUB_TOKEN

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-25 11:56:28 -04:00
Matt Heon
6eb839c947 Merge pull request #29040 from Luap99/v5.8
[v5.8] build the swagger.yml on readthedocs
2026-06-25 11:54:23 -04:00
Mario Loriedo
38d3442ea0 Windows installer tests: download v5.8.3 of the setup bundle
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 6ae463a9cd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-25 15:09:43 +02:00
Paul Holzinger
6421567bc2 build the swagger.yml on readthedocs
One problem with the swagger upload is we need an extra bucket and then
we need our own custom version schema and selector on the website. If we
can just embed the swagger.yml as part of the official build we can get
rid of all of that and have a much simpler way as the regular
readthedocs version selector will work.

We also no longer need to maintain an extra bucket upload and no longer
need to update the version list which was forgotten all the time.

Fixes: #28827

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c2ffe88ce0)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-25 14:52:44 +02:00
Paul Holzinger
5e36e3073a Revert "docs: introduce custom version selector in api.html"
This reverts commit f87c8b9cba.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 50a7acb364)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-25 14:52:44 +02:00
Paul Holzinger
e489e00710 Revert "docs: generate Reference version list from json file"
This reverts commit 858150288f.

In the next commit I add a custom build for the swagger yaml which adds
it as part of the main readthedocs build so we can use the default
version selector and drop our custom workarounds.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 250c530055)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-25 14:52:44 +02:00
Paul Holzinger
0c6d54e98e readthedocs: update build env
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 8dee14e304)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-25 14:52:43 +02:00
Matt Heon
b5fe1c5ce6 Merge pull request #29027 from Luap99/v5.8
[v5.8] fix image host env leak
2026-06-24 11:42:41 -04:00
Paul Holzinger
85832029d5 fix image host env leak
When parsing image envs we need to be strict about the format, only the
"key=value" format must be accepted. Just keys must be rejected as they
are not valid according to the image spec.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 6c431b73db)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-24 16:51:31 +02:00
Paul Holzinger
35de92568b Merge pull request #28989 from Luap99/v5.8
[v5.8] Backport some CI fixes and one regression fix
2026-06-23 19:27:23 +02:00
Paul Holzinger
b00f4f7b2f Merge pull request #28971 from lsm5/v5.8-cve-fix
[v5.8] Update golang.org/x/crypto to v0.52.0 for CVE-2026-39830
2026-06-23 18:56:03 +02:00
Lokesh Mandvekar
5eed4f1ec7 Update golang.org/x/crypto to v0.53.0 for CVE-2026-39830 and CVE-2026-42508
CVE-2026-39830: Invoking client can cause server deadlock on
unexpected responses in golang.org/x/crypto/ssh

CVE-2026-42508: Revoked SignatureKey not correctly checked for
revocation in golang.org/x/crypto/ssh/knownhosts

Update golang.org/x/crypto from v0.50.0 to v0.53.0.

References:
- https://pkg.go.dev/vuln/GO-2026-5017
- https://pkg.go.dev/vuln/GO-2026-5021
- https://go.dev/issue/79564
- https://go.dev/issue/79568

Signed-off-by: Lokesh Mandvekar <lsm5@linux.com>
2026-06-23 11:06:08 -04:00
Ashley Cui
b0fa3d4b73 Merge pull request #28987 from lsm5/v5.8-packit-update
[v5.8] Packit: skip rawhide, remove podman-next job
2026-06-22 09:50:54 -04:00
Paul Holzinger
d50b33560f test/e2e: fix flake in login tests
By default we run tests in parallel so when we mount test/certs with the
":Z" option it means only one container can read it, depending on the
startup times this can mean the container fails to start. I observed
this error in a CI run:

level=fatal msg="open /certs/domain.crt: permission denied"

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 1eda0cfbb4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:10:53 +02:00
Lokesh Mandvekar
4bd6a2498a Packit: skip rawhide, remove podman-next job
Rawhide has moved on to v6.

Signed-off-by: Lokesh Mandvekar <lsm5@linux.com>
2026-06-19 11:10:33 -04:00
Paul Holzinger
0dad42f19d test/e2e: split cli tmpdir from per test tempdir
Right now the tmpdir for the test and cli are are the same and worse the
root/runroot directories are subdirectories of the tmpdir so tests can
create conflicting files.

Also for rootless remote builds this cuases problems for all tests which
uses the main tmpdir as context dir as they then try to copy the storage
files with different uids which will fail. Commit 79e7b0f6fd tried to
work around it but it is not enough as much more tests use this pattern.

So to fix this once and for all properly separate them. And then fixup a
few test cases that depended on the wrong value and make them use the
proper root value directly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 6e20527004)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:09:41 +02:00
Paul Holzinger
5fbeb04184 fix podman-remote save -f oci-dir/docker-dir
With podman-remote we do not enter a our user namespace like we do with
local podman so we keep running with the real user id.

So if we then try to use chrootarchive as normal user it fails with:
creating mount namespace before pivot: operation not permitted

So simply revert back to the normal archive code.

Now the more interesting thing is we do have a test
"podman save to directory with oci format" but it never runs
rootless+remote in our CI system with our current matrix as we wanted to
reduce jobs.
So rethink the matrix and add one such job as this shows it is needed.

Fixes: 25aee24cbd ("use chrootarchive over plain archive package")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit fd07b9c6ec)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:08:17 +02:00
Paul Holzinger
c8c7a3cdcd validate: disable golangci-lint cache
Something with the cache is not working right and results in
inconsistent lint result.

Even on PRs where there are no source code changes we observe random
failures. I have seen at least 4 different instances since we the new CI
setup. It is not reasonable to spot fix each new warning (mostly just
adding new nolint comments) each time as it affects all PRs at once.
It will also be very confusing for new contributors.

Fixes: #28893

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c8ce2c6089)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:08:05 +02:00
Paul Holzinger
c5b9ab76e2 Update automation image to 2026-06-16
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 5c189e8136)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:08:05 +02:00
Paul Holzinger
e8286b8bd8 update "No New Tests" PR filter list
For a while now we trigger CI tests based on if source files, i.e. *.go
files were changed. The "No New Tests" filter however checked something
else via a exclude list that was not being updated.

That means in many cases we needed to add the label when it is clear
that these thing should not need tests, i.e. packit or rpm/ changes.
To avoid the manual updates of all directories just grep for source
files.

Fixes: #28849

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 126d3e27ae)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-19 17:08:02 +02:00
Paul Holzinger
8a43fb4bb2 Merge pull request #28921 from podmanbot/bump-5.8.4-dev
Bump Podman to v5.8.4-dev
2026-06-15 17:35:47 +02:00
mheon
f910d00a4c Bump Podman to v5.8.4-dev
Signed-off-by: mheon <7735048+mheon@users.noreply.github.com>
2026-06-12 17:47:56 +00:00
Paul Holzinger
5ad0e5e131 Merge pull request #28916 from mheon/bump_583
Bump to v5.8.3
2026-06-12 19:05:23 +02:00
Matt Heon
93dbfd0d86 Bump to v5.8.3
Signed-off-by: Matt Heon <mheon@redhat.com>
v5.8.3
2026-06-12 10:49:45 -04:00
Matt Heon
6a33968ac6 Update release notes for v5.8.3
Signed-off-by: Matt Heon <mheon@redhat.com>
2026-06-12 10:49:26 -04:00
Matt Heon
6b8ab91d9c Bump to gvisor-tap-vsock v0.8.9
Contains an important fix for WSL2 usermode networking

Signed-off-by: Matt Heon <mheon@redhat.com>
2026-06-12 10:40:36 -04:00
Tom Sweeney
d3249cd56e Merge pull request #28885 from Luap99/v5.8
[v5.8] some more CI related backports
2026-06-10 15:51:11 -04:00
Paul Holzinger
1338dbd9e3 Merge pull request #28890 from TomSweeneyRedHat/dev/tsweeney/Buildah-1.43.2-v5.8
[v5.8] Bump Buildah to v1.43.2
2026-06-10 16:58:15 +02:00
Tom Sweeney
a082bc9c0c [v5.8] Bump Buildah to v1.43.2
Bump Buildah to v1.43.2 in prepration of the next Podman v5.8 release.

Also includes the changes from 47ab0f1e94

And adjustments to test/buildah-bud/buildah-tests.diff

Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
2026-06-09 17:13:35 -04:00
Kir Kolyshkin
645c4f3842 ci: fix validate-source checks vs stale labels
When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.

Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).

Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d05c113acd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:24:51 +02:00
Ashley Cui
50c105ab1f Release automation: update org location
containers -> podman-container-tools

Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit c0f582d734)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:23:20 +02:00
Daniel Hast
925107a0c9 ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:22:46 +02:00
Daniel Hast
d97883bcc5 ci: use --sandbox for dynamically generated sed scripts
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 3f4af378f4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:22:46 +02:00
Mario Loriedo
7179dc6d14 Update gh org from which releases are pulled in pswh scripts
Use https://api.github.com/repos/podman-container-tools/podman/releases.

That may eventually fix
https://github.com/podman-container-tools/podman/issues/28850 based on
https://docs.github.com/en/actions/concepts/security/github_token:

> The token's permissions are limited to the repository that contains your
> workflow.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit ff9f192f4d)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:17:57 +02:00
Matt Heon
8bce4edf4f Merge pull request #28861 from Luap99/v5.8
[v5.8] Backport new GH action based CI
2026-06-08 08:57:35 -04:00
Paul Holzinger
e71ded2997 pkg/machine/e2e: set XDG_CONFIG_HOME
This is basically a partial backport of commit b14e833ef6
("machine: add test to check config mount").

It seems on the ubuntu github actions runners we have XDG_CONFIG_HOME
set so the tests do not actually use its own private dir but a shared
one for the configs which breaks the test assumptions.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 13:28:12 +02:00
Mario Loriedo
b45fbbeec1 Set permissions for win installer CI job
Explicitly set `content: read` permissions so that the GITHUB_TOKEN type
have permissions to "Get a release".

Fixes https://github.com/podman-container-tools/podman/issues/28850

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 9c7ad74ede)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 11:47:21 +02:00
Paul Holzinger
ac1bbd33fc ci: delete netavark v2
Podman v5.8 is not designed to run with it, we want to test with the
actual packaged one from the image.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 11:47:21 +02:00
Paul Holzinger
9f347aa5aa ci: fix storage.conf composefs setup
The new config parser is not in 5.8, so revert to the older config
format where all is in one file.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 11:47:21 +02:00
Mario Loriedo
7048cf077e Update release ID in win-installer-main.ps1
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 40a9e21644)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:29 +02:00
Mario Loriedo
927bf192cc Use GH token to download Podman release in utils.ps1
This is to avoid requests failing due to GitHub's non-authenticated
request rate limit.

See [this PR check
failure](https://github.com/podman-container-tools/podman-sandbox/actions/runs/26632208486/job/78483599334?pr=5)
for an example of such a failure.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 7c7d56a0fb)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:29 +02:00
Paul Holzinger
4c21d14912 validate ci.yml file
Add some basic test checks for the new ci.yml to ensure all job
dependencies are set up right.

We can expand this with more checks later.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 66e7c06073)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:29 +02:00
Paul Holzinger
4255625591 ci: add path-filter to success job
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c4d895b07c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Ashley Cui
3193b18d15 CI: Adjust Mac tmpdir
Makes for easier cleanup, and follows previous cirrus convention.

Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit 2984c2450b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Paul Holzinger
396d6e80ec ci: fix validate job to actually work on push
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.

Fixes: #28825

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 602a803f57)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Paul Holzinger
5b457e8bf2 ci: skip validate-source on push
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 3faf2deaf8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:27 +02:00
Paul Holzinger
d8fbe2da8f ci: add GITHUB_TOKEN to win installer test
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 0fce332955)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:27 +02:00
Paul Holzinger
12885e236f test/python/docker/compat: skip test_search_image
It does not seem to work in the new CI system right now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 30aaf14abb)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:27 +02:00