Commit Graph

163 Commits

Author SHA1 Message Date
Daniel Hast
64ddbfea12 ci: disable caching for actions/setup-go
This mitigates a potential cache-poisoning attack. For details, see:
https://docs.zizmor.sh/audits/#cache-poisoning

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:54 -05:00
Daniel Hast
0752c5327e ci: specify persist-credentials for actions/checkout
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.

This reduces the risk of cached credentials accidentally being leaked
via artifacts.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:49 -05:00
Daniel Hast
30495081b7 ci: specify workflow permissions per job
Also remove some unnecessary permissions:

* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:42:39 -05:00
Daniel Hast
248d8f64a6 ci: pin 3rd-party action dependencies by commit hashes
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2025-12-01 08:41:55 -05:00
renovate[bot]
a23b90b119 [skip-ci] Update actions/checkout action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-20 16:43:50 +00:00
renovate[bot]
07a27f95d1 [skip-ci] Update GitHub Artifact Actions
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-24 19:10:55 +00:00
openshift-merge-bot[bot]
24872421a8 Merge pull request #27284 from l0rd/rootless-win-installer-first-draft
Add a new Windows installer supporting both user and machine scopes
2025-10-20 13:02:29 +00:00
Mario Loriedo
9dbc33bb25 Add a new Windows installer supporting user scope
Fixes #22994 and #25968

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-10-15 18:50:03 +02:00
renovate[bot]
73e42b3c9c [skip-ci] Update actions/setup-node action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-14 05:09:32 +00:00
Mohan Boddu
b8258a53dd Update github action to use pull_request_target
pull_request doesn't have access to the secret, pull_request_target
does have access to the secrets

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-15 17:12:10 -04:00
openshift-merge-bot[bot]
1ea1958a2d Merge pull request #27048 from containers/renovate/actions-setup-node-5.x
[skip-ci] Update actions/setup-node action to v5
2025-09-11 10:10:39 +00:00
renovate[bot]
80f1d48d44 [skip-ci] Update actions/setup-node action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 21:03:12 +00:00
renovate[bot]
aa8bbbb1ff [skip-ci] Update actions/github-script action to v8
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 18:36:42 +00:00
renovate[bot]
e1c1961d48 [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 17:04:48 +00:00
Mohan Boddu
c38babff57 Adding github action to generate a badge for first time contributor
This github action uses the certficate_generator.html from automation
repo to generate the badge for first time contributors and commits the
badge to the same repo which will be commented on the PR once its get
merged.

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-08 12:07:47 -04:00
renovate[bot]
792bbd2046 [skip-ci] Update actions/labeler action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 19:19:52 +00:00
openshift-merge-bot[bot]
2499de2f27 Merge pull request #26982 from containers/renovate/actions-stale-10.x
[skip-ci] Update actions/stale action to v10
2025-09-04 09:24:20 +00:00
renovate[bot]
889a5fd0ac [skip-ci] Update actions/stale action to v10
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 09:11:18 +00:00
renovate[bot]
f22506b74f [skip-ci] Update actions/setup-go action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 05:39:43 +00:00
renovate[bot]
4bb4cf62cb [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-11 13:22:56 +00:00
renovate[bot]
8ef76a6933 [skip-ci] Update actions/download-artifact action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-06 02:06:42 +00:00
Paul Holzinger
a93b63c4ad remove .github/workflows/pr-title.yml
This is not used and AFAICT has not trigger any actions for a very long
time I guess:
https://github.com/containers/podman/actions/workflows/pr-title.yml

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-17 18:43:24 +02:00
Ashley Cui
b85d770be0 Make podman.io update action reusable
Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-05 17:22:26 -04:00
Ashley Cui
416bb84c0e Trigger podman.io version bump from release action
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-22 10:04:00 -04:00
Paul Holzinger
6d6ebad829 github: remove fcos next image workflow
We do our proper machine os image builds in podman-machine-os now and
with [1] we also publish a next tag for easy testing. As such this
action is no longer needed.

[1] https://github.com/containers/podman-machine-os/pull/128

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-05-19 18:37:38 +02:00
Ashley Cui
53f118d135 GHA Release: Fix windows installer uploads
The new arm and amd installers were left behind, upload them automatically to the GH release

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:09:26 -04:00
Ashley Cui
3e08c2abf0 Revert "GHA: Pin Go to 1.24.2"
This reverts commit fb9ef0dda0.
Use latest stable go to build release artifacts.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:08:33 -04:00
Ashley Cui
fb9ef0dda0 GHA: Pin Go to 1.24.2
There is a bug that makes building with the latest go to fail. Pin to 1.24.2 for now.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 11:08:25 -04:00
Paul Holzinger
74f04e9118 Merge commit from fork
[skip-ci] Tighten version match
2025-05-12 15:54:30 +02:00
Ashley Cui
d7fefb7064 [skip-ci] Tighten version match
Tighten the regex needed to match a valid version.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-12 09:44:00 -04:00
Mario Loriedo
136f2e1ba4 Update win-installer github job for arm64
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.

When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:

   `podman-installer-windows-${GOARCH}.exe`

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-05-07 18:50:04 +02:00
Ashley Cui
3448ba5091 Automatically bump to -dev after tag
Create GitHub action to automatically bump to a -dev version after a release is tagged.

On a branch:
- The bump will always be a z bump on branches
- If the bump is to an RC, then the bump will be back down to dev (ie, 9.9.0-rc1 to 9.9.0-dev)
- If the bump is not an RC, the bump wil be up to dev (ie, 9.9.0 to 9.9.1-dev)

On main:
- If the X.Y version on main is smaller than the X.Y on the release tag, this action will open a PR to bump the version on main to the release tag's X.Y+1
- Major version (X) dev bumps will still need to be manual

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-02 17:32:35 -04:00
Ashley Cui
2b06c01357 Fix mach os pr release action
- Remove branch restrictions
- Do not open PR on main
- Add release note to PR

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-04-29 09:24:47 -04:00
Lewis Roy
081629cf01 Update pre-commit-hooks and Codespell hook
pre-commit-hooks v3.4.0 -> v5.0.0
codespell 2.3.0 -> 3.4.1

Signed-off-by: Lewis Roy <lewis@redhat.com>
2025-04-13 14:26:34 +10:00
renovate[bot]
5148cf3c14 [skip-ci] Update actions/create-github-app-token action to v2
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-03 19:51:47 +00:00
Brent Baude
8db52f8984 Add autocomment for needs-info label
When a reviewer of an issue determines that an issue is incompleted, a
`needs-info` label can be added to the issue.  This will trigger a GH
action with an automated response.  The reviewer should also have told
the user what is needed or asked a question.  Also, we have no automated
way to remove the label when a response is provided, so this still needs
to be managed.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-04-02 07:36:12 -05:00
Ashley Cui
6e28bdcf25 GHA: Open PR to podman-machine-os on releases
When we do a release, we need to ensure that machine images are built before the release PR can merge.

This GitHub action is triggered on version bumps, waits for our COPR builds to finish, and then opens a PR on the podman-machine-os repo to build the required machine-os images there. Note that dev bumps, unless on main, will not open a PR

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-25 09:51:40 -04:00
Paul Holzinger
130bb21612 .github: remove cirrus rerun action
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ rerun wasting our cloud resources.

Get rid of it for now until we find something better or can properly
identify and fix the root cause.

[1] https://github.com/containers/buildah/issues/6035

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-07 17:42:27 +01:00
Ashley Cui
41dd3f2474 Automate release
Automatically generate our GitHub release.

This GitHub action is traggered on a tag push, or manually. After a the trigger, all artifacts are built, including linux, mac, and windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.

Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-05 14:30:57 -05:00
renovate[bot]
ece76a2537 chore(deps): update dependency ubuntu to v24
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-30 12:03:09 +00:00
Yaroslav Halchenko
c203c48c70 Detect and fix typos using codespell
Signed-off-by: Yaroslav Halchenko <debian@onerussian.com>
2024-09-05 13:56:39 -04:00
Paul Holzinger
775d27fcd8 github: remove fcos-podman-next-build-prepush
It is flaking[1] from time to time on PRs and doesn't really add value
because noone is actually chaing the Containerfile. The task on main
that build a image based of main still exists as per Lokesh
podman-dekstop uses it for testing. In the near term we will get proper
builds in the podman-machine-os repo so this other workflow can
hopefully removed altogether.

[1] https://github.com/containers/podman/actions/runs/10618524888/job/29433963845?pr=23807

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-08-29 18:23:37 +02:00
Mario Loriedo
014b7af4f3 Never skip checkout step in release workflow
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2024-08-01 16:09:03 +02:00
Ashley Cui
7202e6172d Use uploaded .zip for Windows action
Restore behavior for using uploaded zp file to generate the windows installer. This ensures that actions can always build and sign the installer, no matter how old the release, provided a .zip.

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-07-18 09:03:51 -04:00
Lokesh Mandvekar
e2ff5d4e5d Windows Installer: switch to wix5
The chocolatey tool that was fetching us wix v3 can no longer be used to
fetch wix v4+ so we had to switch to dotnet to fetch the latest wix.

This commit builds the installer with wix v5.
wix v5 is installed via the `dotnet` tool in the windows image itself
at https://github.com/containers/automation_images/pull/354.

Going forward, the `dotnet` tool will also be used to build the installer.

In the process, the wix v3 files were converted to wix v4+ using `wix
convert` followed by manual modifications along with switch to wixproj
builds with dotnet.

The GitHub Action to upload windows installer now builds the installer
using winmake.ps1.

Contributions from Mario Loriedo:
- bundle setup update to wix5
- updates to build and release process scripts
Ref: https://github.com/lsm5/podman/pull/3

- small fixes to windows installer theme
Ref: https://github.com/lsm5/podman/pull/4

- Better win-installer sidebar logo
Ref: https://github.com/lsm5/podman/pull/5

Resolves: RUN-2055

Co-authored-by: Mario Loriedo <mario.loriedo@gmail.com>
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
2024-07-05 15:28:19 -04:00
Chris Evich
54edf3d8ee Release workflow: Include candidate descriptor
Assist humans by indicating clearly whe a release announcement is
pertaining to a candidate.  Otherwise, it's possible someone may
overlook the `-rcX` version suffix.

Also fix a quoting problem missed in testing.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 17:22:03 -04:00
Chris Evich
19989380b8 Minor: Fix indentation in GHA release workflow
Simply indent list items two spaces to the right WRT their parent.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:49:37 -04:00
Chris Evich
82973c38e4 GHA: Send release notification mail
Rather than manually crafting what ends up being nearly identical
release e-mails, do it automatically whenever a release is created.

Note: At the time of this commit, there is a possible race condition
with the `mac-pkg.yml` workflow, since it runs in parallel.  It could
fail, or fail to complete prior to the e-mail content being generated.
This should be unlikely, if `release-artifacts.yml` goes through and
compiles every artifact, but it's not guaranteed.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:48:14 -04:00
Chris Evich
ad56dc7e2b GHA: Validate release version number
There's a reasonable chance this workflow will be triggered by a human
(via `workflow_dispatch``), and a non-zero chance with an invalid
version number for which a release should not be created.  Detect this
and provide a way for the operator to debug the source of the error.

Also fix some whitespace inconsistencies.

Signed-off-by: Chris Evich <cevich@redhat.com>
2024-06-13 10:47:26 -04:00
Ashley Cui
8f8dfb971f [CI:DOCS] Fix windows action trigger
Give the artifact action the permission to trigger the windows installer action

Signed-off-by: Ashley Cui <acui@redhat.com>
2024-05-21 14:42:49 -04:00