One problem with the swagger upload is we need an extra bucket and then
we need our own custom version schema and selector on the website. If we
can just embed the swagger.yml as part of the official build we can get
rid of all of that and have a much simpler way as the regular
readthedocs version selector will work.
We also no longer need to maintain an extra bucket upload and no longer
need to update the version list which was forgotten all the time.
Fixes: #28827
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c2ffe88ce0)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit 858150288f.
In the next commit I add a custom build for the swagger yaml which adds
it as part of the main readthedocs build so we can use the default
version selector and drop our custom workarounds.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 250c530055)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When parsing image envs we need to be strict about the format, only the
"key=value" format must be accepted. Just keys must be rejected as they
are not valid according to the image spec.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 6c431b73db)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
By default we run tests in parallel so when we mount test/certs with the
":Z" option it means only one container can read it, depending on the
startup times this can mean the container fails to start. I observed
this error in a CI run:
level=fatal msg="open /certs/domain.crt: permission denied"
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 1eda0cfbb4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Right now the tmpdir for the test and cli are are the same and worse the
root/runroot directories are subdirectories of the tmpdir so tests can
create conflicting files.
Also for rootless remote builds this cuases problems for all tests which
uses the main tmpdir as context dir as they then try to copy the storage
files with different uids which will fail. Commit 79e7b0f6fd tried to
work around it but it is not enough as much more tests use this pattern.
So to fix this once and for all properly separate them. And then fixup a
few test cases that depended on the wrong value and make them use the
proper root value directly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 6e20527004)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
With podman-remote we do not enter a our user namespace like we do with
local podman so we keep running with the real user id.
So if we then try to use chrootarchive as normal user it fails with:
creating mount namespace before pivot: operation not permitted
So simply revert back to the normal archive code.
Now the more interesting thing is we do have a test
"podman save to directory with oci format" but it never runs
rootless+remote in our CI system with our current matrix as we wanted to
reduce jobs.
So rethink the matrix and add one such job as this shows it is needed.
Fixes: 25aee24cbd ("use chrootarchive over plain archive package")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit fd07b9c6ec)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Something with the cache is not working right and results in
inconsistent lint result.
Even on PRs where there are no source code changes we observe random
failures. I have seen at least 4 different instances since we the new CI
setup. It is not reasonable to spot fix each new warning (mostly just
adding new nolint comments) each time as it affects all PRs at once.
It will also be very confusing for new contributors.
Fixes: #28893
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c8ce2c6089)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For a while now we trigger CI tests based on if source files, i.e. *.go
files were changed. The "No New Tests" filter however checked something
else via a exclude list that was not being updated.
That means in many cases we needed to add the label when it is clear
that these thing should not need tests, i.e. packit or rpm/ changes.
To avoid the manual updates of all directories just grep for source
files.
Fixes: #28849
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 126d3e27ae)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Bump Buildah to v1.43.2 in prepration of the next Podman v5.8 release.
Also includes the changes from 47ab0f1e94
And adjustments to test/buildah-bud/buildah-tests.diff
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.
Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).
Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d05c113acd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).
Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 3f4af378f4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is basically a partial backport of commit b14e833ef6
("machine: add test to check config mount").
It seems on the ubuntu github actions runners we have XDG_CONFIG_HOME
set so the tests do not actually use its own private dir but a shared
one for the configs which breaks the test assumptions.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman v5.8 is not designed to run with it, we want to test with the
actual packaged one from the image.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The new config parser is not in 5.8, so revert to the older config
format where all is in one file.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add some basic test checks for the new ci.yml to ensure all job
dependencies are set up right.
We can expand this with more checks later.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 66e7c06073)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c4d895b07c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Makes for easier cleanup, and follows previous cirrus convention.
Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit 2984c2450b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.
Fixes: #28825
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 602a803f57)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 3faf2deaf8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 0fce332955)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It does not seem to work in the new CI system right now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 30aaf14abb)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>