Commit Graph

175 Commits

Author SHA1 Message Date
Kir Kolyshkin
645c4f3842 ci: fix validate-source checks vs stale labels
When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.

Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).

Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d05c113acd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:24:51 +02:00
Ashley Cui
50c105ab1f Release automation: update org location
containers -> podman-container-tools

Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit c0f582d734)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:23:20 +02:00
Daniel Hast
925107a0c9 ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:22:46 +02:00
Daniel Hast
d97883bcc5 ci: use --sandbox for dynamically generated sed scripts
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).

Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 3f4af378f4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:22:46 +02:00
Mario Loriedo
b45fbbeec1 Set permissions for win installer CI job
Explicitly set `content: read` permissions so that the GITHUB_TOKEN type
have permissions to "Get a release".

Fixes https://github.com/podman-container-tools/podman/issues/28850

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 9c7ad74ede)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-05 11:47:21 +02:00
Paul Holzinger
4255625591 ci: add path-filter to success job
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c4d895b07c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Ashley Cui
3193b18d15 CI: Adjust Mac tmpdir
Makes for easier cleanup, and follows previous cirrus convention.

Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit 2984c2450b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Paul Holzinger
396d6e80ec ci: fix validate job to actually work on push
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.

Fixes: #28825

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 602a803f57)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:28 +02:00
Paul Holzinger
5b457e8bf2 ci: skip validate-source on push
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 3faf2deaf8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:27 +02:00
Paul Holzinger
d8fbe2da8f ci: add GITHUB_TOKEN to win installer test
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 0fce332955)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:27 +02:00
Paul Holzinger
1b01fd5223 ci.yml: add macos jobs
Copied from Tim, but directly integrated into the main yml file to allow
for proper task dependencies.

Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit a758d09b64)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:26 +02:00
Paul Holzinger
4f26184156 ci.yml: add windows jobs
Copied from Tim, but directly integrated into the main ci.yml file to
allow for proper task dependencies.

I renamed same task and updated the task dependencies.

Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 2297695d0c)

[fixed merge conflicts]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:26 +02:00
Paul Holzinger
eec74abe89 New GHA lima ci testing setup
The main gh action is just there to install lima and then call the main
ci.sh script which uses lima to start the right VM and then run the
tests inside there mostly for linux tasks where possible.

Inside the VM we use the runner.sh script to setup the env and launch the
final test.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 399e822ca4)

[fixed merge conflict]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:26 +02:00
Kir Kolyshkin
bd4c90d0c8 Run 'make swagger' in the validate-source GHA job
Build pkg/api/swagger.yaml via the go-swagger tool as part of source
validation, confirming the API spec generates cleanly. This mirrors the
generation half of the Cirrus swagger_task; that task is kept for now as
it also publishes swagger.yaml to GCS for the docs site, which is not
migrated here.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6071d780e9)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:26 +02:00
Kir Kolyshkin
11111fc9d0 Migrate 'build each commit' check from Cirrus to GHA
Add a 'Build each commit' step to the validate-source job. It builds the
PR fork point to record baseline binary sizes, then rebuilds and size-checks
each commit via 'git rebase -x', confirming every commit compiles on its own
and that no binary grows beyond the enforced limit.

Move hack/make-and-check-size to hack/ci/make-and-check-size.sh and replace
its Cirrus-specific GitHub GraphQL label query with a BLOAT_APPROVED env var
that the workflow derives from the 'bloat_approved' PR label.

Drop the now-migrated 'Build Each Commit' matrix entry from .cirrus.yml and
the corresponding *Each* case from hack/ci/runner.sh.

NOTE due to chicken-and-egg problem with make-and-check-size we need to
make a copy of it before working with git.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1da154117c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:26 +02:00
Kir Kolyshkin
a01608d944 Migrate validate-source from Cirrus to GitHub Actions
Move the Cirrus validate-source_task to a GitHub Actions workflow
(.github/workflows/ci.yml) running as a single job on the CNCF-hosted
runner. The job runs the same stages: make validate-source,
tests-included, and the conditional renovate config check.

golangci-lint for FreeBSD and macOS now runs cross-compiled (GOOS) on
the native Linux runner instead of on dedicated Cirrus VMs/workers, so
the lint steps are dropped from osx_alt_build and freebsd_alt_build.

The PR helper scripts are de-Cirrus'd: they read CI-neutral env vars
(PR_HEAD, PR_NUMBER, PR_BODY) and the "No New Tests" label override is
now handled natively in the workflow instead of via a GraphQL query.

The shared clone/setup/main YAML anchors are relocated into build_task,
and the dead _run_validate-source runner.sh function is removed.

The tests-of-tests (.t files) are fixed for new setup (mostly removing
test cases which are now obsoleted, like [CI:DOCS] and [NO NEW TESTS]
markers. NOTE we still don't run tests in CI (although we could), but
I ran them locally and fixed all the issues.

Finally, test-jira-links-included is removed as it is RHEL-branch
specific and have no place in the new repo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6e597af6dc)

[fixed merge commit]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-04 20:04:25 +02:00
Mario Loriedo
78da75528f Install WiX v5.0.2 to build the Windows installer
To avoid failures such as

https://github.com/containers/podman/actions/runs/24401569105/job/71274410909#step:10:78

use version v5.0.2 of WiX as we do in CI images:

fe80516848/win_images/win_packaging.ps1 (L27)

Related to issue https://github.com/containers/podman/issues/27042

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 53fc1d902e)
2026-04-14 18:51:33 +02:00
Mario Loriedo
2b52342af9 Use explicit download-artifact name and path for win-installer release
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit 22b10fa153)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-12-10 17:30:42 +01:00
openshift-merge-bot[bot]
24872421a8 Merge pull request #27284 from l0rd/rootless-win-installer-first-draft
Add a new Windows installer supporting both user and machine scopes
2025-10-20 13:02:29 +00:00
Mario Loriedo
9dbc33bb25 Add a new Windows installer supporting user scope
Fixes #22994 and #25968

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-10-15 18:50:03 +02:00
renovate[bot]
73e42b3c9c [skip-ci] Update actions/setup-node action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-14 05:09:32 +00:00
Mohan Boddu
b8258a53dd Update github action to use pull_request_target
pull_request doesn't have access to the secret, pull_request_target
does have access to the secrets

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-15 17:12:10 -04:00
openshift-merge-bot[bot]
1ea1958a2d Merge pull request #27048 from containers/renovate/actions-setup-node-5.x
[skip-ci] Update actions/setup-node action to v5
2025-09-11 10:10:39 +00:00
renovate[bot]
80f1d48d44 [skip-ci] Update actions/setup-node action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 21:03:12 +00:00
renovate[bot]
aa8bbbb1ff [skip-ci] Update actions/github-script action to v8
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 18:36:42 +00:00
renovate[bot]
e1c1961d48 [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-10 17:04:48 +00:00
Mohan Boddu
c38babff57 Adding github action to generate a badge for first time contributor
This github action uses the certficate_generator.html from automation
repo to generate the badge for first time contributors and commits the
badge to the same repo which will be commented on the PR once its get
merged.

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2025-09-08 12:07:47 -04:00
renovate[bot]
792bbd2046 [skip-ci] Update actions/labeler action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 19:19:52 +00:00
openshift-merge-bot[bot]
2499de2f27 Merge pull request #26982 from containers/renovate/actions-stale-10.x
[skip-ci] Update actions/stale action to v10
2025-09-04 09:24:20 +00:00
renovate[bot]
889a5fd0ac [skip-ci] Update actions/stale action to v10
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 09:11:18 +00:00
renovate[bot]
f22506b74f [skip-ci] Update actions/setup-go action to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-09-04 05:39:43 +00:00
renovate[bot]
4bb4cf62cb [skip-ci] Update actions/checkout action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-11 13:22:56 +00:00
renovate[bot]
8ef76a6933 [skip-ci] Update actions/download-artifact action to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-08-06 02:06:42 +00:00
Paul Holzinger
a93b63c4ad remove .github/workflows/pr-title.yml
This is not used and AFAICT has not trigger any actions for a very long
time I guess:
https://github.com/containers/podman/actions/workflows/pr-title.yml

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-17 18:43:24 +02:00
Ashley Cui
b85d770be0 Make podman.io update action reusable
Signed-off-by: Ashley Cui <acui@redhat.com>
2025-06-05 17:22:26 -04:00
Ashley Cui
416bb84c0e Trigger podman.io version bump from release action
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-22 10:04:00 -04:00
Paul Holzinger
6d6ebad829 github: remove fcos next image workflow
We do our proper machine os image builds in podman-machine-os now and
with [1] we also publish a next tag for easy testing. As such this
action is no longer needed.

[1] https://github.com/containers/podman-machine-os/pull/128

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-05-19 18:37:38 +02:00
Ashley Cui
53f118d135 GHA Release: Fix windows installer uploads
The new arm and amd installers were left behind, upload them automatically to the GH release

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:09:26 -04:00
Ashley Cui
3e08c2abf0 Revert "GHA: Pin Go to 1.24.2"
This reverts commit fb9ef0dda0.
Use latest stable go to build release artifacts.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 16:08:33 -04:00
Ashley Cui
fb9ef0dda0 GHA: Pin Go to 1.24.2
There is a bug that makes building with the latest go to fail. Pin to 1.24.2 for now.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-14 11:08:25 -04:00
Paul Holzinger
74f04e9118 Merge commit from fork
[skip-ci] Tighten version match
2025-05-12 15:54:30 +02:00
Ashley Cui
d7fefb7064 [skip-ci] Tighten version match
Tighten the regex needed to match a valid version.

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-12 09:44:00 -04:00
Mario Loriedo
136f2e1ba4 Update win-installer github job for arm64
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.

When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:

   `podman-installer-windows-${GOARCH}.exe`

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
2025-05-07 18:50:04 +02:00
Ashley Cui
3448ba5091 Automatically bump to -dev after tag
Create GitHub action to automatically bump to a -dev version after a release is tagged.

On a branch:
- The bump will always be a z bump on branches
- If the bump is to an RC, then the bump will be back down to dev (ie, 9.9.0-rc1 to 9.9.0-dev)
- If the bump is not an RC, the bump wil be up to dev (ie, 9.9.0 to 9.9.1-dev)

On main:
- If the X.Y version on main is smaller than the X.Y on the release tag, this action will open a PR to bump the version on main to the release tag's X.Y+1
- Major version (X) dev bumps will still need to be manual

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-05-02 17:32:35 -04:00
Ashley Cui
2b06c01357 Fix mach os pr release action
- Remove branch restrictions
- Do not open PR on main
- Add release note to PR

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-04-29 09:24:47 -04:00
Lewis Roy
081629cf01 Update pre-commit-hooks and Codespell hook
pre-commit-hooks v3.4.0 -> v5.0.0
codespell 2.3.0 -> 3.4.1

Signed-off-by: Lewis Roy <lewis@redhat.com>
2025-04-13 14:26:34 +10:00
renovate[bot]
5148cf3c14 [skip-ci] Update actions/create-github-app-token action to v2
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-03 19:51:47 +00:00
Brent Baude
8db52f8984 Add autocomment for needs-info label
When a reviewer of an issue determines that an issue is incompleted, a
`needs-info` label can be added to the issue.  This will trigger a GH
action with an automated response.  The reviewer should also have told
the user what is needed or asked a question.  Also, we have no automated
way to remove the label when a response is provided, so this still needs
to be managed.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-04-02 07:36:12 -05:00
Ashley Cui
6e28bdcf25 GHA: Open PR to podman-machine-os on releases
When we do a release, we need to ensure that machine images are built before the release PR can merge.

This GitHub action is triggered on version bumps, waits for our COPR builds to finish, and then opens a PR on the podman-machine-os repo to build the required machine-os images there. Note that dev bumps, unless on main, will not open a PR

Signed-off-by: Ashley Cui <acui@redhat.com>
2025-03-25 09:51:40 -04:00
Paul Holzinger
130bb21612 .github: remove cirrus rerun action
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ rerun wasting our cloud resources.

Get rid of it for now until we find something better or can properly
identify and fix the root cause.

[1] https://github.com/containers/buildah/issues/6035

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-07 17:42:27 +01:00