Files
podman/.github/workflows/release-artifacts.yml
Daniel Hast 925107a0c9 ci: use env vars to avoid template expansion in code contexts
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2026-06-08 15:22:46 +02:00

259 lines
8.8 KiB
YAML

name: Upload Release Artifacts [DEPRECATED]
on:
workflow_dispatch:
inputs:
version:
description: 'Release version to build and upload (e.g. "v9.8.7")'
required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions:
contents: write
actions: write
jobs:
build:
runs-on: ubuntu-24.04
steps:
# If the job fails, these details are all but impossible to observe.yy
- name: Provide github event JSON for examination
run: |
echo "::group::Event JSON"
jq --color-output "." "${GITHUB_EVENT_PATH}"
echo "::endgroup::"
- name: Determine Version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${TAG_NAME}
else
VERSION=${INPUT_VERSION}
fi
if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION"
then
echo "Unable to parse release version '$VERSION' from github event JSON, or workflow 'version' input."
exit 1
fi
if grep -Eq '.+-dev$' <<<"$VERSION"
then
echo "Refusing to process a "-dev" version '$VERSION'"
exit 1
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
env:
INPUT_DRYRUN: ${{ inputs.dryrun }}
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${INPUT_DRYRUN}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
env:
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
run: |
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
- name: Check uploads
id: check
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
URI="https://github.com/containers/podman/releases/download/${VERSION}"
for artifact in "podman-remote-release-darwin_amd64.zip darwin_amd" \
'podman-remote-release-darwin_arm64.zip darwin_arm' \
'podman-remote-release-windows_amd64.zip windows_amd' \
'podman-remote-static-linux_amd64.tar.gz linux_amd' \
'podman-remote-static-linux_arm64.tar.gz linux_arm'
do
set -- $artifact # Convert the "tuple" into the param args $1 $2...
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${1:?}")
if [[ "$status" == "404" ]] ; then
echo "${1:?} will be built"
needsbuild=true
echo "${2:?}=true" >> $GITHUB_OUTPUT
else
echo "::warning::${1:?} already exists, skipping"
fi
done
if [ "$needsbuild" = true ]; then
echo "buildartifacts=true" >> $GITHUB_OUTPUT
else
echo "No new artifacts need to be built."
fi
- name: Checkout Version
uses: actions/checkout@v5
with:
ref: ${{steps.getversion.outputs.version}}
- name: Set up Go
if: >-
steps.check.outputs.buildartifacts == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/setup-go@v6
with:
go-version: stable
- name: Setup artifact directory
if: >-
steps.check.outputs.buildartifacts == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: mkdir -p release/
- name: Build Darwin AMD
if: >-
steps.check.outputs.darwin_amd == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
make podman-remote-release-darwin_amd64.zip
mv podman-remote-release-darwin_amd64.zip release/
- name: Build Darwin ARM
if: >-
steps.check.outputs.darwin_arm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
make podman-remote-release-darwin_arm64.zip
mv podman-remote-release-darwin_arm64.zip release/
- name: Build Linux AMD
if: >-
steps.check.outputs.linux_amd == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
make podman-remote-static-linux_amd64
tar -cvzf podman-remote-static-linux_amd64.tar.gz bin/podman-remote-static-linux_amd64
mv podman-remote-static-linux_amd64.tar.gz release/
- name: Build Linux ARM
if: >-
steps.check.outputs.linux_arm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
make podman-remote-static-linux_arm64
tar -cvzf podman-remote-static-linux_arm64.tar.gz bin/podman-remote-static-linux_arm64
mv podman-remote-static-linux_arm64.tar.gz release/
- name: Build Windows AMD
if: >-
steps.check.outputs.windows_amd == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
sudo apt-get install -y pandoc
make podman-remote-release-windows_amd64.zip
mv podman-remote-release-windows_amd64.zip release/
- name: shasums
if: >-
steps.check.outputs.buildartifacts == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: |
pushd release
sha256sum *.zip *.tar.gz > shasums
popd
- name: Upload to Actions as artifact
if: >-
steps.check.outputs.buildartifacts == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v4
with:
name: artifacts
path: |
release/*
- name: Upload to Release
id: upload
if: >-
steps.check.outputs.buildartifacts == 'true' &&
steps.actual_dryrun.outputs.dryrun == 'false'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
(gh release download "${VERSION}" -p "shasums" || exit 0)
cat release/shasums >> shasums
gh release upload "${VERSION}" release/*.zip release/*.tar.gz
gh release upload "${VERSION}" --clobber shasums
# WARNING: This should only be set when 'notification' job should be triggered
echo "complete=true" >> $GITHUB_OUTPUT
outputs:
uploaded: ${{ steps.upload.outputs.complete }}
version: ${{ steps.getversion.outputs.version }}
notification:
if: needs.build.outputs.uploaded == 'true'
runs-on: ubuntu-24.04
needs: build
steps:
- name: Format release email
id: format
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ needs.build.outputs.version }}
run: |
if grep -Eq '.+-rc' <<<"$VERSION"
then
RC_PREFIX="candidate "
fi
echo "mail_subj=Podman ${RC_PREFIX}${VERSION} Released" >> $GITHUB_OUTPUT
cat <<EOF > email_body.txt
Hi all,
Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at
https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION
Release ${RC_PREFIX}Notes:
--------------
EOF
echo "${GITHUB_TOKEN}" | gh auth login --with-token
gh release view "$VERSION" \
--repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt
# If job fails, permit operator to observe contents in case helpful.
- name: Provide release e-mail contents for examination
run: cat email_body.txt
- name: Send release notification e-mail
# Ref: https://github.com/dawidd6/action-send-mail
uses: dawidd6/action-send-mail@v3.12.0
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: ${{ steps.format.outputs.mail_subj }}
to: Podman List <podman@lists.podman.io>
from: ${{secrets.ACTION_MAIL_SENDER}}
body: file://./email_body.txt