When the validate-source job is re-run manually after adding a label,
it uses stale labels (from the "pull_request" event that originally
triggered it), and so the steps that check labels don't see new labels.
Fix by querying the labels live (similar to how it was done before
commits 6e597af6dc and 1da154117c).
Note the logic differs slightly between hack/ci/make-and-check-size.sh
and hack/ci/pr-should-include-tests. This is because
pr-should-include-tests is also executed locally as well as on non-PRs,
while make-and-check-size is run strictly in CI for PRs only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d05c113acd)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
sed scripts are capable of doing file I/O and executing arbitrary
commands. The `--sandbox` option prevents this by rejecting sed commands
with such capabilities; it's good practice to use this whenever the sed
script is dynamically generated (e.g. if it involves a variable
expansion).
Also fixed an error in one sed script where `.*` had been placed outside
of the quoted string (and would therefore be subject to shell globbing),
presumably due to single-quotes having been changed to double-quotes at
some point in the past.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 3f4af378f4)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is not strictly needed I think since other jobs depend on this
already but for consistency this is easier to check that success waits
for all jobs.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c4d895b07c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Makes for easier cleanup, and follows previous cirrus convention.
Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit 2984c2450b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We need to not hard depend on the pull_request var contexts so use the
right alternatives. The PR_ envs can be left empty, the tests using them
should skip the checks if they are unset/empty.
Fixes: #28825
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 602a803f57)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The checkout needs the PR context so this fails on push, as such skip it
there for now until we make this work to also work on normal pushes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 3faf2deaf8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test uses the token for API request so we do not get rate limit
failures without a token, see commit 7c7d56a0fb.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 0fce332955)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Copied from Tim, but directly integrated into the main yml file to allow
for proper task dependencies.
Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit a758d09b64)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Copied from Tim, but directly integrated into the main ci.yml file to
allow for proper task dependencies.
I renamed same task and updated the task dependencies.
Co-authored-by: Tim Zhou <tizhou@redhat.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 2297695d0c)
[fixed merge conflicts]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The main gh action is just there to install lima and then call the main
ci.sh script which uses lima to start the right VM and then run the
tests inside there mostly for linux tasks where possible.
Inside the VM we use the runner.sh script to setup the env and launch the
final test.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 399e822ca4)
[fixed merge conflict]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Build pkg/api/swagger.yaml via the go-swagger tool as part of source
validation, confirming the API spec generates cleanly. This mirrors the
generation half of the Cirrus swagger_task; that task is kept for now as
it also publishes swagger.yaml to GCS for the docs site, which is not
migrated here.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6071d780e9)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a 'Build each commit' step to the validate-source job. It builds the
PR fork point to record baseline binary sizes, then rebuilds and size-checks
each commit via 'git rebase -x', confirming every commit compiles on its own
and that no binary grows beyond the enforced limit.
Move hack/make-and-check-size to hack/ci/make-and-check-size.sh and replace
its Cirrus-specific GitHub GraphQL label query with a BLOAT_APPROVED env var
that the workflow derives from the 'bloat_approved' PR label.
Drop the now-migrated 'Build Each Commit' matrix entry from .cirrus.yml and
the corresponding *Each* case from hack/ci/runner.sh.
NOTE due to chicken-and-egg problem with make-and-check-size we need to
make a copy of it before working with git.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1da154117c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Move the Cirrus validate-source_task to a GitHub Actions workflow
(.github/workflows/ci.yml) running as a single job on the CNCF-hosted
runner. The job runs the same stages: make validate-source,
tests-included, and the conditional renovate config check.
golangci-lint for FreeBSD and macOS now runs cross-compiled (GOOS) on
the native Linux runner instead of on dedicated Cirrus VMs/workers, so
the lint steps are dropped from osx_alt_build and freebsd_alt_build.
The PR helper scripts are de-Cirrus'd: they read CI-neutral env vars
(PR_HEAD, PR_NUMBER, PR_BODY) and the "No New Tests" label override is
now handled natively in the workflow instead of via a GraphQL query.
The shared clone/setup/main YAML anchors are relocated into build_task,
and the dead _run_validate-source runner.sh function is removed.
The tests-of-tests (.t files) are fixed for new setup (mostly removing
test cases which are now obsoleted, like [CI:DOCS] and [NO NEW TESTS]
markers. NOTE we still don't run tests in CI (although we could), but
I ran them locally and fixed all the issues.
Finally, test-jira-links-included is removed as it is RHEL-branch
specific and have no place in the new repo.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6e597af6dc)
[fixed merge commit]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This github action uses the certficate_generator.html from automation
repo to generate the badge for first time contributors and commits the
badge to the same repo which will be commented on the PR once its get
merged.
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
Our release is created by a GitHub action, and GitHub prevents workflows from running on events that were caused by other workflows to prevent unlimited recursion.
To get around this, use a reusable workflow to trigger the podman.io version bump from the release action.
Signed-off-by: Ashley Cui <acui@redhat.com>
Adds the build of the arm64 windows installer as part of the release
GitHub workflow.
When a Windows installer is uploaded to the GitHub release, it is named
consistently with the macOS one:
`podman-installer-windows-${GOARCH}.exe`
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Create GitHub action to automatically bump to a -dev version after a release is tagged.
On a branch:
- The bump will always be a z bump on branches
- If the bump is to an RC, then the bump will be back down to dev (ie, 9.9.0-rc1 to 9.9.0-dev)
- If the bump is not an RC, the bump wil be up to dev (ie, 9.9.0 to 9.9.1-dev)
On main:
- If the X.Y version on main is smaller than the X.Y on the release tag, this action will open a PR to bump the version on main to the release tag's X.Y+1
- Major version (X) dev bumps will still need to be manual
Signed-off-by: Ashley Cui <acui@redhat.com>
When a reviewer of an issue determines that an issue is incompleted, a
`needs-info` label can be added to the issue. This will trigger a GH
action with an automated response. The reviewer should also have told
the user what is needed or asked a question. Also, we have no automated
way to remove the label when a response is provided, so this still needs
to be managed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
When we do a release, we need to ensure that machine images are built before the release PR can merge.
This GitHub action is triggered on version bumps, waits for our COPR builds to finish, and then opens a PR on the podman-machine-os repo to build the required machine-os images there. Note that dev bumps, unless on main, will not open a PR
Signed-off-by: Ashley Cui <acui@redhat.com>
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ rerun wasting our cloud resources.
Get rid of it for now until we find something better or can properly
identify and fix the root cause.
[1] https://github.com/containers/buildah/issues/6035
Signed-off-by: Paul Holzinger <pholzing@redhat.com>