The nightly release validation builds both on main and the latest release branch,
we should upload the artifacts with a suffix to differentiate the two
Signed-off-by: Ashley Cui <acui@redhat.com>
See the prior commit, we now build the swagger yaml as part of the
official readthedocs process so we do not need to host it elsewhere.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Many GitHub Actions workflows currently trigger on user forks, leading to
unnecessary CI resource consumption, unwanted bot behavior, and inevitable
failures. This commit restricts these specific workflows to only run on the
primary `containers/podman` repository.
The restricted workflows fall into two main categories:
1. Require Custom Upstream Secrets: Workflows like `release`, `mac-pkg`,
`cherry-pick`, and `dev-bump` rely on secrets (e.g., Apple/Azure certs,
PODMANBOT_TOKEN, ACTION_MAIL_*) that are unavailable in forks.
2. Manage Upstream Tracker State: Workflows like `assign`, `stale`, and
`labeler` are intended strictly for managing the primary project's
issues and PRs. Running them on personal forks creates unwanted noise.
Additionally, refactored several complex `if` conditions using YAML
multi-line strings (`|`) to maintain and improve readability.
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
Something with the cache is not working right and results in
inconsistent lint result.
Even on PRs where there are no source code changes we observe random
failures. I have seen at least 4 different instances since we the new CI
setup. It is not reasonable to spot fix each new warning (mostly just
adding new nolint comments) each time as it affects all PRs at once.
It will also be very confusing for new contributors.
Fixes: #28893
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
With podman-remote we do not enter a our user namespace like we do with
local podman so we keep running with the real user id.
So if we then try to use chrootarchive as normal user it fails with:
creating mount namespace before pivot: operation not permitted
So simply revert back to the normal archive code.
Now the more interesting thing is we do have a test
"podman save to directory with oci format" but it never runs
rootless+remote in our CI system with our current matrix as we wanted to
reduce jobs.
So rethink the matrix and add one such job as this shows it is needed.
Fixes: 25aee24cbd ("use chrootarchive over plain archive package")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Migrate release to use release-build-artifacts action. This re-usable build action is tested nightly, so hopefully this will make our release automation more stable, as we may catch issues in our nightly runs. Followup to https://github.com/podman-container-tools/podman/pull/28176
Signed-off-by: Ashley Cui <acui@redhat.com>
To make it a bit more obvious when any CI related files such as github
workflows are touched add a label.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.
Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).
Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The bug reporting instructions previously asked users to compare
their Podman version with the one documented at the top of the README.
This commit updates the issue templates and troubleshooting guide to
point users directly to the latest GitHub release page instead.
Additionally, the obsolete .github/ISSUE_TEMPLATE.md file is removed.
Fixes: #28818
Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.
Fixes: #28825
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Copied from Tim, but directly integrated into the main yml file to allow
for proper task dependencies.
Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Copied from Tim, but directly integrated into the main ci.yml file to
allow for proper task dependencies.
I renamed same task and updated the task dependencies.
Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The main gh action is just there to install lima and then call the main
ci.sh script which uses lima to start the right VM and then run the
tests inside there mostly for linux tasks where possible.
Inside the VM we use the runner.sh script to setup the env and launch the
final test.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a 'Publish swagger' workflow that builds pkg/api/swagger.yaml and
uploads it to the libpod-master-releases GCS bucket (swagger-latest.yaml
for main, swagger-<tag>.yaml for tags), reusing the same gcsupld container
as Cirrus with GCPJSON/GCPNAME supplied via repository secrets. Per-PR
uploads to libpod-pr-releases are dropped, as nothing consumes them.
The gcsupld image tag is hardcoded (copied from .cirrus.yml IMAGE_SUFFIX)
rather than read at runtime, since Cirrus CI is to be decommissioned soon.
Remove the now-migrated swagger_task from .cirrus.yml (and its success_task
dependency) and the _run_swagger handler from hack/ci/runner.sh, and update
docs/README.md to point at the new workflow. While at it, fix the link in
docs/README.md to hack/ci/README.md#docs-task, which had been dangling ever
since that file was removed in 2020 by commit 2c9084e224.
Note: requires GCPJSON and GCPNAME to be configured as GitHub repository
secrets before the upload step can succeed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Build pkg/api/swagger.yaml via the go-swagger tool as part of source
validation, confirming the API spec generates cleanly. This mirrors the
generation half of the Cirrus swagger_task; that task is kept for now as
it also publishes swagger.yaml to GCS for the docs site, which is not
migrated here.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Add a 'Build each commit' step to the validate-source job. It builds the
PR fork point to record baseline binary sizes, then rebuilds and size-checks
each commit via 'git rebase -x', confirming every commit compiles on its own
and that no binary grows beyond the enforced limit.
Move hack/make-and-check-size to hack/ci/make-and-check-size.sh and replace
its Cirrus-specific GitHub GraphQL label query with a BLOAT_APPROVED env var
that the workflow derives from the 'bloat_approved' PR label.
Drop the now-migrated 'Build Each Commit' matrix entry from .cirrus.yml and
the corresponding *Each* case from hack/ci/runner.sh.
NOTE due to chicken-and-egg problem with make-and-check-size we need to
make a copy of it before working with git.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Move the Cirrus validate-source_task to a GitHub Actions workflow
(.github/workflows/ci.yml) running as a single job on the CNCF-hosted
runner. The job runs the same stages: make validate-source,
tests-included, and the conditional renovate config check.
golangci-lint for FreeBSD and macOS now runs cross-compiled (GOOS) on
the native Linux runner instead of on dedicated Cirrus VMs/workers, so
the lint steps are dropped from osx_alt_build and freebsd_alt_build.
The PR helper scripts are de-Cirrus'd: they read CI-neutral env vars
(PR_HEAD, PR_NUMBER, PR_BODY) and the "No New Tests" label override is
now handled natively in the workflow instead of via a GraphQL query.
The shared clone/setup/main YAML anchors are relocated into build_task,
and the dead _run_validate-source runner.sh function is removed.
The tests-of-tests (.t files) are fixed for new setup (mostly removing
test cases which are now obsoleted, like [CI:DOCS] and [NO NEW TESTS]
markers. NOTE we still don't run tests in CI (although we could), but
I ran them locally and fixed all the issues.
Finally, test-jira-links-included is removed as it is RHEL-branch
specific and have no place in the new repo.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Build installers nightly, and test that our bot key is still valid. This is to catch hiccups before release time.
The intention is that after this is tested, the build-artifacts can be used in release.yml, like it is used in the validation action
But for now, the actual release does not use the build-artifacts action yet, let's let the testing bake a little first.
Signed-off-by: Ashley Cui <acui@redhat.com>