authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-16 16:08:34 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-16 16:08:34 +0000
commit18de2315ea5ebdbb9e7537d2d472358107578d53 (patch)
tree698563a9c4f388e351185cd8cf98c3f3060676e7 /.github
parentInitial commit. (diff)
Adding upstream version 4.9.3+ds1.upstream/4.9.3+ds1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '.github')
-rw-r--r--.github/ISSUE_TEMPLATE.md21
-rw-r--r--.github/ISSUE_TEMPLATE/bug_report.yaml100
-rw-r--r--.github/ISSUE_TEMPLATE/config.yml8
-rw-r--r--.github/ISSUE_TEMPLATE/feature_request.yaml40
-rw-r--r--.github/PULL_REQUEST_TEMPLATE.md27
-rwxr-xr-x.github/actions/check_cirrus_cron/cron_failures.sh92
-rw-r--r--.github/actions/check_cirrus_cron/lib.sh95
-rwxr-xr-x.github/actions/check_cirrus_cron/make_email_body.sh40
-rwxr-xr-x.github/actions/check_cirrus_cron/rerun_failed_tasks.sh124
-rw-r--r--.github/actions/check_cirrus_cron/test.sh101
-rw-r--r--.github/issue-labeler.yml13
-rw-r--r--.github/labeler.yml4
-rw-r--r--.github/renovate.json577
-rw-r--r--.github/workflows/check_cirrus_cron.yml92
-rw-r--r--.github/workflows/discussion_lock.yml68
-rw-r--r--.github/workflows/fcos-podman-next-build-prepush-test.yml31
-rw-r--r--.github/workflows/fcos-podman-next-build.yml97
-rw-r--r--.github/workflows/issue-labeler.yml21
-rw-r--r--.github/workflows/labeler.yml15
-rw-r--r--.github/workflows/mac-pkg.yml154
-rw-r--r--.github/workflows/pr-title.yml24
-rw-r--r--.github/workflows/rerun_cirrus_cron.yml78
-rw-r--r--.github/workflows/scan-secrets.yml207
-rw-r--r--.github/workflows/stale.yml31
-rw-r--r--.github/workflows/upload-win-installer.yml151
25 files changed, 1711 insertions, 0 deletions
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000..b0e0d67
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,21 @@
+<!--
+---------------------------------------------------
+BUG REPORT INFORMATION
+---------------------------------------------------
+Use the commands below to provide key information from your environment:
+
+**NOTE** A large number of issues reported against Podman are often found to already be fixed
+in more current versions of the project. Before reporting an issue, please verify the
+version you are running with `podman version` and compare it to the latest release
+documented on the top of Podman's [README.md](../README.md). If they differ, please
+update your version of Podman to the latest possible and retry your command before creating
+an issue.
+
+Also, there is a running list of known issues in the [Podman Troubleshooting Guide](https://github.com/containers/podman/blob/main/troubleshooting.md),
+please reference that page before opening a new issue.
+
+If you are filing a bug against `podman build`, please instead file a bug
+against Buildah (https://github.com/containers/buildah/issues). Podman build
+executes Buildah to perform container builds, and as such the Buildah
+maintainers are best equipped to handle these bugs.
+-->
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
new file mode 100644
index 0000000..5a6688e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,100 @@
+name: Bug Report
+description: File a bug report
+labels: ["kind/bug", "triage-needed"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this bug report!
+
+ **NOTE** A large number of issues reported against Podman are often found to already be fixed in more current versions of the project. Before reporting an issue, please verify the version you are running with `podman version` and compare it to the latest release documented on the top of Podman's [README.md](https://github.com/containers/podman#readme). If they differ, please update your version of Podman to the latest possible and retry your command before creating an issue.
+
+ Also, there is a running list of known issues in the [Podman Troubleshooting Guide](https://github.com/containers/podman/blob/main/troubleshooting.md), please reference that page before opening a new issue.
+
+ Commands you might need to run to create the issue
+ $ podman version
+ $ podman info
+ $ rpm -q podman
+ - type: textarea
+ id: description
+ attributes:
+ label: Issue Description
+ description: Please explain your issue
+ value: "Describe your issue"
+ validations:
+ required: true
+ - type: textarea
+ id: reproducer
+ attributes:
+ label: Steps to reproduce the issue
+ description: Please explain the steps to reproduce the issue
+ value: "Steps to reproduce the issue\n1.\n2.\n3.\n"
+ validations:
+ required: true
+ - type: textarea
+ id: received_results
+ attributes:
+ label: Describe the results you received
+ description: Please explain the results you are noticing
+ value: "Describe the results you received"
+ validations:
+ required: true
+ - type: textarea
+ id: expected_results
+ attributes:
+ label: Describe the results you expected
+ description: Please explain the results you are expecting
+ value: "Describe the results you expected"
+ validations:
+ required: true
+ - type: textarea
+ id: podman_info
+ attributes:
+ label: podman info output
+ description: Please copy and paste podman info output.
+ value: If you are unable to run podman info for any reason, please provide the podman version, operating system and its version and the architecture you are running.
+ render: yaml
+ validations:
+ required: true
+ - type: dropdown
+ id: podman_in_a_container
+ attributes:
+ label: Podman in a container
+ description: Please select Yes if you are running podman in a container
+ options:
+ - 'No'
+ - 'Yes'
+ validations:
+ required: true
+ - type: dropdown
+ id: privileged_rootless
+ attributes:
+ label: Privileged Or Rootless
+ description: Are you running the containers as privileged or non-root user? Note that using `su` or `sudo` does not establish a proper login session required for running Podman as a non-root user. Please refer to the [troubleshooting guide](https://github.com/containers/podman/blob/main/troubleshooting.md#solution-28) for alternatives.
+ options:
+ - Privileged
+ - Rootless
+ - type: dropdown
+ id: upstream_latest
+ attributes:
+ label: Upstream Latest Release
+ description: Have you tried running the [latest upstream release](https://github.com/containers/podman/releases/latest)
+ options:
+ - 'Yes'
+ - 'No'
+ validations:
+ required: true
+ - type: textarea
+ id: additional_environment
+ attributes:
+ label: Additional environment details
+ description: Please describe any additional environment details like (AWS, VirtualBox,...)
+ value: "Additional environment details"
+ - type: textarea
+ id: additional_info
+ attributes:
+ label: Additional information
+ description: Please explain the additional information you deem important
+ value: "Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting"
+ validations:
+ required: false
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 0000000..aec4875
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+ - name: Podman Desktop issues
+ url: https://github.com/containers/podman-desktop/issues
+ about: Please report issues with Podman Desktop here.
+ - name: Ask a question
+ url: https://github.com/containers/podman/discussions/new
+ about: Ask a question about Podman
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yaml b/.github/ISSUE_TEMPLATE/feature_request.yaml
new file mode 100644
index 0000000..1d83bf8
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -0,0 +1,40 @@
+name: Feature Request
+description: Suggest an idea for this project
+labels: ["kind/feature"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this feature request!
+ - type: textarea
+ id: feature_description
+ attributes:
+ label: Feature request description
+ description: Please explain your feature request and if it is related to a problem
+ value: "A clear and concise description of what the feature request is about."
+ validations:
+ required: true
+ - type: textarea
+ id: potential_solution
+ attributes:
+ label: Suggest potential solution
+ description: Please explain if you can suggest any potential solution
+ value: "A clear and concise description of what you want to happen."
+ validations:
+ required: false
+ - type: textarea
+ id: alternatives
+ attributes:
+ label: Have you considered any alternatives?
+ description: Please explain what alternatives you have tried.
+ value: "A clear and concise description of any alternative solutions or features you've considered."
+ validations:
+ required: false
+ - type: textarea
+ id: additional_context
+ attributes:
+ label: Additional context
+ description: Please add any context to this feature request
+ value: "Add any other context or screenshots about the feature request here."
+ validations:
+ required: false
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..cc8b618
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,27 @@
+<!--
+Thanks for sending a pull request!
+
+Please make sure you've read our contributing guidelines and how to submit a pull request (https://github.com/containers/podman/blob/main/CONTRIBUTING.md#submitting-pull-requests).
+
+In case you're only changing docs, make sure to prefix the pull-request title with "[CI:DOCS]". That will prevent functional tests from running and save time and energy.
+
+Finally, be sure to sign commits with your real name. Since by opening
+a PR you already have commits, you can add signatures if needed with
+something like `git commit -s --amend`.
+-->
+
+#### Does this PR introduce a user-facing change?
+
+<!--
+If no, just write `None` in the release-note block below. If yes, a release note
+is required: Enter your extended release note in the block below. If the PR
+requires additional action from users switching to the new release, include the
+string "action required".
+
+For more information on release notes, please follow the Kubernetes model:
+https://git.k8s.io/community/contributors/guide/release-notes.md
+-->
+
+```release-note
+
+```
diff --git a/.github/actions/check_cirrus_cron/cron_failures.sh b/.github/actions/check_cirrus_cron/cron_failures.sh
new file mode 100755
index 0000000..e97754d
--- /dev/null
+++ b/.github/actions/check_cirrus_cron/cron_failures.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Intended to be executed from a github action workflow step.
+# Outputs the Cirrus cron names and IDs of any failed builds
+
+source $(dirname "${BASH_SOURCE[0]}")/lib.sh
+
+_errfmt="Expecting %s value to not be empty"
+if [[ -z "$GITHUB_REPOSITORY" ]]; then # <owner>/<repo>
+ err $(printf "$_errfmt" "\$GITHUB_REPOSITORY")
+elif [[ -z "$ID_NAME_FILEPATH" ]]; then # output filepath
+ err $(printf "$_errfmt" "\$ID_NAME_FILEPATH")
+fi
+
+confirm_gha_environment
+
+mkdir -p ./artifacts
+cat > ./artifacts/query_raw.json << "EOF"
+query {
+ ownerRepository(platform: "github", owner: "@@OWNER@@", name: "@@REPO@@") {
+ cronSettings {
+ name
+ lastInvocationBuild {
+ id
+ status
+ }
+ }
+ }
+}
+EOF
+# Makes for easier copy/pasting query to/from
+# https://cirrus-ci.com/explorer
+owner=$(cut -d '/' -f 1 <<<"$GITHUB_REPOSITORY")
+repo=$(cut -d '/' -f 2 <<<"$GITHUB_REPOSITORY")
+sed -r -e "s/@@OWNER@@/$owner/g" -e "s/@@REPO@@/$repo/g" \
+ ./artifacts/query_raw.json > ./artifacts/query.json
+
+if grep -q '@@' ./artifacts/query.json; then
+ err "Found unreplaced substitution token in query JSON"
+fi
+
+# The query should never ever return an empty-list, unless there are no cirrus-cron
+# jobs defined for the repository. In that case, this monitoring script shouldn't
+# be running anyway.
+filt_head='.data.ownerRepository.cronSettings'
+
+gql "$(<./artifacts/query.json)" "$filt_head" > ./artifacts/reply.json
+# e.x. reply.json
+# {
+# "data": {
+# "ownerRepository": {
+# "cronSettings": [
+# {
+# "name": "Keepalive_v2.0",
+# "lastInvocationBuild": {
+# "id": "5776050544181248",
+# "status": "EXECUTING"
+# }
+# },
+# {
+# "name": "Keepalive_v1.9",
+# "lastInvocationBuild": {
+# "id": "5962921081569280",
+# "status": "COMPLETED"
+# }
+# },
+# {
+# "name": "Keepalive_v2.0.5-rhel",
+# "lastInvocationBuild": {
+# "id": "5003065549914112",
+# "status": "FAILED"
+# }
+# ...
+
+# Output format: <build id> <cron-job name>
+# Where <cron-job name> may contain multiple words
+filt="$filt_head | map(select(.lastInvocationBuild.status==\"FAILED\") | {id:.lastInvocationBuild.id, name:.name} | join(\" \")) | join(\"\n\")"
+jq --raw-output "$filt" ./artifacts/reply.json > "$ID_NAME_FILEPATH"
+
+# Print out the file to assist in job debugging
+echo "<Failed Build ID> <Cron Name>"
+cat "$ID_NAME_FILEPATH"
+
+# Count non-empty lines (in case there are any)
+records=$(awk -r -e '/\w+/{print $0}' "$ID_NAME_FILEPATH" | wc -l)
+# Set the output of this step.
+# Ref: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-output-parameter
+# shellcheck disable=SC2154
+echo "failures=$records" >> $GITHUB_OUTPUT
+echo "Total failed Cirrus-CI cron builds: $records"
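Review bot: The `source $(dirname "${BASH_SOURCE[0]}")/lib.sh` line near the top of the hunk is unquoted, so a checkout path containing whitespace word-splits and the library is not loaded; the same form appears in make_email_body.sh and rerun_failed_tasks.sh. The `>> $GITHUB_OUTPUT` redirection at the end and the `err $(printf ...)` calls are unquoted in the same way. Suggested form: `source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"` and `echo "failures=$records" >> "$GITHUB_OUTPUT"`. The `err` messages survive because lib.sh's `err` rejoins `$*`, but quoting them (`err "$(printf "$_errfmt" "\$GITHUB_REPOSITORY")"`) removes the dependence on that.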
diff --git a/.github/actions/check_cirrus_cron/lib.sh b/.github/actions/check_cirrus_cron/lib.sh
new file mode 100644
index 0000000..7e8d42e
--- /dev/null
+++ b/.github/actions/check_cirrus_cron/lib.sh
@@ -0,0 +1,95 @@
+
+
+# Send text to stderr
+msg() {
+ echo "$@" > /dev/stderr
+}
+
+# Must be called from top-level of script, not another function.
+err() {
+ # Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions
+ msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::$*"
+ exit 1
+}
+
+confirm_gha_environment() {
+ local _err_fmt
+ _err_fmt="I don't seem to be running from a github-actions workflow"
+ # These are all defined by github-actions
+ # shellcheck disable=SC2154
+ if [[ -z "$GITHUB_OUTPUT" ]]; then
+ err "$_err_fmt, \$GITHUB_OUTPUT is empty"
+ elif [[ -z "$GITHUB_WORKFLOW" ]]; then
+ err "$_err_fmt, \$GITHUB_WORKFLOW is empty"
+ elif [[ ! -d "$GITHUB_WORKSPACE" ]]; then
+ # Defined by github-actions
+ # shellcheck disable=SC2154
+ err "$_err_fmt, \$GITHUB_WORKSPACE='$GITHUB_WORKSPACE' isn't a directory"
+ fi
+
+ cd "$GITHUB_WORKSPACE" || false
+}
+
+# Using python3 here is a compromise for readability and
+# properly handling quote, control and unicode character encoding.
+escape_query() {
+ local json_string
+ # Assume it's okay to squash repeated whitespaces inside the query
+ json_string=$(printf '%s' "$1" | \
+ tr --delete '\r\n' | \
+ tr --squeeze-repeats '[[:space:]]' | \
+ python3 -c 'import sys,json; print(json.dumps(sys.stdin.read()))')
+ # The $json_string in message is already quoted
+ echo -n "$json_string"
+}
+
+# Given a GraphQL query/mutation, fire it at the API.
+# and return the output on stdout. The optional
+# second parameter may contain a jq filter-string.
+# When provided, if the GQL result is empty, null,
+# fails to parse, or does not match the filter-string,
+# non-zero will be returned.
+gql() {
+ local e_query query
+ e_query=$(escape_query "$1")
+ query="{\"query\": $e_query}"
+ local filter
+ filter="$2"
+ local output
+ local filtered
+ msg "::group::Posting GraphQL Query and checking result"
+ msg "query: "
+ if ! jq -e . <<<"$query" > /dev/stderr; then
+ msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::Invalid query JSON: $query"
+ return 1
+ fi
+ # SECRET_CIRRUS_API_KEY is defined github secret
+ # shellcheck disable=SC2154
+ if output=$(curl \
+ --request POST \
+ --silent \
+ --show-error \
+ --location \
+ --header 'content-type: application/json' \
+ --header "Authorization: Bearer $SECRET_CIRRUS_API_KEY" \
+ --url 'https://api.cirrus-ci.com/graphql' \
+ --data "$query") && [[ -n "$output" ]]; then
+
+ if filtered=$(jq -e "$filter" <<<"$output") && [[ -n "$filtered" ]]; then
+ msg "result:"
+ # Make debugging easier w/ formatted output
+ # to stderr for display, stdout for consumption by caller
+ jq --indent 2 . <<<"$output" | tee /dev/stderr
+ msg "::endgroup::"
+ return 0
+ fi
+
+ msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::Query result did not pass filter '$2': '$output'"
+ msg "::endgroup::"
+ return 2
+ fi
+
+ msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::Query failed or result empty: '$output'"
+ msg "::endgroup::"
+ return 3
+}
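Review bot: In `gql`, the Cirrus API key is placed directly on the curl command line via `--header "Authorization: Bearer $SECRET_CIRRUS_API_KEY"`, which makes it readable from the process table for the duration of the request; GitHub's secret masking only covers the job log, not `/proc`. curl can read the header from a file descriptor instead, e.g. `--header @<(printf 'Authorization: Bearer %s\n' "$SECRET_CIRRUS_API_KEY") \`. The request also has no `--max-time`, so a stalled API keeps the scheduled job alive until the runner's own limit, and no `--fail-with-body`, so an HTTP error is only detected indirectly when the jq filter later fails; adding `--max-time 60 --fail-with-body \` to the curl invocation makes both failures explicit.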
diff --git a/.github/actions/check_cirrus_cron/make_email_body.sh b/.github/actions/check_cirrus_cron/make_email_body.sh
new file mode 100755
index 0000000..ef013a8
--- /dev/null
+++ b/.github/actions/check_cirrus_cron/make_email_body.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Intended to be executed from a github action workflow step.
+# Input: File listing space separated failed cron build names and IDs
+# Output: $GITHUB_WORKSPACE/artifacts/email_body.txt file
+
+source $(dirname "${BASH_SOURCE[0]}")/lib.sh
+
+_errfmt="Expecting %s value to not be empty"
+# ID_NAME_FILEPATH is defined by workflow YAML
+# shellcheck disable=SC2154
+if [[ -z "$GITHUB_REPOSITORY" ]]; then
+ err $(printf "$_errfmt" "\$GITHUB_REPOSITORY")
+elif [[ ! -r "$ID_NAME_FILEPATH" ]]; then
+ err "Expecting \$ID_NAME_FILEPATH value ($ID_NAME_FILEPATH) to be a readable file"
+fi
+
+confirm_gha_environment
+
+# GITHUB_WORKSPACE confirmed by confirm_gha_environment()
+# shellcheck disable=SC2154
+mkdir -p "$GITHUB_WORKSPACE/artifacts"
+(
+ echo "Detected one or more Cirrus-CI cron-triggered jobs have failed recently:"
+ echo ""
+
+ while read -r BID NAME; do
+ echo "Cron build '$NAME' Failed: https://cirrus-ci.com/build/$BID"
+ done < "$ID_NAME_FILEPATH"
+
+ echo ""
+ # Defined by github-actions
+ # shellcheck disable=SC2154
+ echo "# Source: ${GITHUB_WORKFLOW} workflow on ${GITHUB_REPOSITORY}."
+ # Separate content from sendgrid.com automatic footer.
+ echo ""
+ echo ""
+) > $GITHUB_WORKSPACE/artifacts/email_body.txt
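Review bot: The `while read -r BID NAME` loop does not skip blank or whitespace-only lines, so each such line in `$ID_NAME_FILEPATH` produces a bogus `Cron build '' Failed: https://cirrus-ci.com/build/` line in the e-mail; the accompanying test.sh in this commit appends exactly such lines with the comment "blank lines should be ignored", but only greps for the header, so the defect is not caught. Since `BID` is also spliced into a URL unvalidated, a single guard at the top of the loop body covers both: `[[ "$BID" =~ ^[0-9]+$ ]] || continue`. The final `> $GITHUB_WORKSPACE/artifacts/email_body.txt` redirection should be quoted like the `mkdir -p` above it.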
diff --git a/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh b/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
new file mode 100755
index 0000000..3c422b0
--- /dev/null
+++ b/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Intended to be executed from a github action workflow step.
+# Input: File listing space separated failed cron build names and IDs
+# Output: $GITHUB_WORKSPACE/artifacts/email_body.txt file
+#
+# HOW TO TEST: This script may be manually tested assuming you have
+# access to the github containers-org. Cirrus API key. With that in-hand,
+# this script may be manually run by:
+# 1. export SECRET_CIRRUS_API_KEY=<value>
+# 2. Find an old podman build that failed on `main` or another **branch**.
+# For example, from https://cirrus-ci.com/github/containers/podman/main
+# (pick an old one from the bottom, since re-running it won't affect anybody)
+# 3. Create a temp. file, like /tmp/fail with a single line, of the form:
+# <cirrus build id number> <cirrus-cron name>
+# 4. export ID_NAME_FILEPATH=/tmp/fail
+# 5. execute this script, and refresh the build in the WebUI, all unsuccessful
+# tasks should change status to running or scheduled. Note: some later
+# tasks may remain red as they wait for dependencies to run and pass.
+# 6. After each run, cleanup with 'rm -rf $GITHUB_WORKSPACE/artifacts'
+# (unless you want to examine them)
+
+source $(dirname "${BASH_SOURCE[0]}")/lib.sh
+
+_errfmt="Expecting %s value to not be empty"
+# ID_NAME_FILEPATH is defined by workflow YAML
+# shellcheck disable=SC2154
+if [[ -z "$SECRET_CIRRUS_API_KEY" ]]; then
+ err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY")
+elif [[ ! -r "$ID_NAME_FILEPATH" ]]; then # output from cron_failures.sh
+ err $(printf "Expecting %s value to be a readable file" "\$ID_NAME_FILEPATH")
+fi
+
+confirm_gha_environment
+
+# GITHUB_WORKSPACE confirmed by confirm_gha_environment()
+# shellcheck disable=SC2154
+mkdir -p $GITHUB_WORKSPACE/artifacts
+# If there are no tasks, don't fail reading the file
+truncate -s 0 $GITHUB_WORKSPACE/artifacts/rerun_tids.txt
+
+cat "$ID_NAME_FILEPATH" | \
+ while read -r BID NAME; do
+ if [[ -z "$NAME" ]]; then
+ err $(printf "$_errfmt" "\$NAME")
+ elif [[ -z "$BID" ]]; then
+ err $(printf "$_errfmt" "\$BID")
+ fi
+
+ id_status_q="
+ query {
+ build(id: \"$BID\") {
+ tasks {
+ id,
+ status
+ }
+ }
+ }
+ "
+ task_id_status=$(gql "$id_status_q" '.data.build.tasks[0]')
+ # Expected query result like:
+ # {
+ # "data": {
+ # "build": {
+ # "tasks": [
+ # {
+ # "id": "6321184690667520",
+ # "status": "COMPLETED"
+ # },
+ # ...
+ msg "::group::Selecting failed/aborted tasks to re-run"
+ jq -r -e '.data.build.tasks[] | join(" ")' <<<"$task_id_status" | \
+ while read -r TID STATUS; do
+ if [[ -z "$TID" ]] || [[ -z "$STATUS" ]]; then
+ # assume empty line and/or end of file
+ msg "Skipping TID '$TID' with status '$STATUS'"
+ continue
+ # Failed task dependencies will have 'aborted' status
+ elif [[ "$STATUS" == "FAILED" ]] || [[ "$STATUS" == "ABORTED" ]]; then
+ msg "Rerunning build $BID task $TID"
+ # Must send result through a file into rerun_tasks array
+ # because this section is executing in a child-shell
+ echo "$TID" >> $GITHUB_WORKSPACE/artifacts/rerun_tids.txt
+ fi
+ done
+ declare -a rerun_tasks
+ mapfile rerun_tasks <$GITHUB_WORKSPACE/artifacts/rerun_tids.txt
+ msg "::endgroup::"
+
+ if [[ "${#rerun_tasks[*]}" -eq 0 ]]; then
+ msg "No tasks to re-run for build $BID"
+ continue;
+ fi
+
+ msg "::warning::Rerunning ${#rerun_tasks[*]} tasks for build $BID"
+ # Check-value returned if the gql call was successful
+ canary=$(uuidgen)
+ # Ensure the trailing ',' is stripped from the end (would be invalid JSON)
+ # Rely on shell word-splitting in this case.
+ # shellcheck disable=SC2048
+ task_ids=$(printf '[%s]' $(printf '"%s",' ${rerun_tasks[*]} | head -c -1))
+ rerun_m="
+ mutation {
+ batchReRun(input: {
+ clientMutationId: \"$canary\",
+ taskIds: $task_ids
+ }
+ ) {
+ clientMutationId
+ }
+ }
+ "
+ filter='.data.batchReRun.clientMutationId'
+ if [[ ! "$NAME" =~ "testing" ]]; then # see test.sh
+ result=$(gql "$rerun_m" "$filter")
+ if [[ $(jq -r -e "$filter"<<<"$result") != "$canary" ]]; then
+ err "Attempt to re-run tasks for build $BID failed: ${rerun_tasks[*]}"
+ fi
+ else
+ warn "Test-mode: Would have sent GraphQL request: '$rerun_m'"
+ fi
+ done
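Review bot: `rerun_tids.txt` is truncated once before the outer `while read -r BID NAME` loop but appended to per build inside the inner loop, so when `$ID_NAME_FILEPATH` lists more than one failed build, the second iteration's `mapfile rerun_tasks` also picks up the first build's task IDs and resends them in its `batchReRun`; moving `truncate -s 0 "$GITHUB_WORKSPACE/artifacts/rerun_tids.txt"` to the start of the outer loop body fixes this. The test-mode branch calls `warn`, which lib.sh in this commit does not define (it provides `msg`, `err`, `confirm_gha_environment`, `escape_query`, `gql`), so unless it is defined elsewhere that branch fails with "command not found" — `msg "::warning::Test-mode: ..."` would match the existing style. `$BID` is interpolated into a quoted GraphQL string without validation; the existing empty-check could be tightened to `[[ "$BID" =~ ^[0-9]+$ ]] || err "Expecting numeric build id, got '$BID'"`.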
diff --git a/.github/actions/check_cirrus_cron/test.sh b/.github/actions/check_cirrus_cron/test.sh
new file mode 100644
index 0000000..19f2e35
--- /dev/null
+++ b/.github/actions/check_cirrus_cron/test.sh
@@ -0,0 +1,101 @@
+
+
+# This script attempts to confirm functional github action scripts.
+# It expects to be called from Cirrus-CI, in a special execution
+# environment. Any use outside this environment will probably fail.
+
+set -eo pipefail
+
+# Defined by setup_environment.sh
+# shellcheck disable=SC2154
+if ! ((PREBUILD)); then
+ echo "Not operating under expected environment"
+ exit 1
+fi
+
+expect_regex() {
+ local expected_regex
+ local input_file
+ expected_regex="$1"
+ input_file="$2"
+ grep -E -q "$expected_regex" $input_file || \
+ die "No match to '$expected_regex' in '$(<$input_file)'"
+}
+
+req_env_vars CIRRUS_CI CIRRUS_REPO_FULL_NAME CIRRUS_WORKING_DIR CIRRUS_BUILD_ID
+
+# Defined by the CI system
+# shellcheck disable=SC2154
+cd $CIRRUS_WORKING_DIR || fail
+
+header="Testing cirrus-cron github-action script:"
+msg "$header cron_failures.sh"
+
+base=$CIRRUS_WORKING_DIR/.github/actions/check_cirrus_cron
+# Don't care about mktemp return value
+# shellcheck disable=SC2155
+export GITHUB_OUTPUT=$(mktemp -p '' cron_failures_output_XXXX)
+# CIRRUS_REPO_FULL_NAME checked above in req_env_vars
+# shellcheck disable=SC2154
+export GITHUB_REPOSITORY="$CIRRUS_REPO_FULL_NAME"
+# shellcheck disable=SC2155
+export GITHUB_WORKSPACE=$(mktemp -d -p '' cron_failures_workspace_XXXX)
+export GITHUB_WORKFLOW="testing"
+# shellcheck disable=SC2155
+export ID_NAME_FILEPATH=$(mktemp -p '' cron_failures_data_XXXX)
+trap "rm -rf $GITHUB_OUTPUT $GITHUB_WORKSPACE $ID_NAME_FILEPATH" EXIT
+
+#####
+
+cd $GITHUB_WORKSPACE || fail
+# Replace newlines and indentation to make grep easier
+if ! $base/cron_failures.sh |& \
+ tr -s '[:space:]' ' ' > $GITHUB_WORKSPACE/output; then
+ die "Failed: $base/cron_failures.sh with output '$(<$GITHUB_WORKSPACE/output)'"
+fi
+
+expect_regex \
+ 'result.+data.+ownerRepository.+cronSettings.+endgroup' \
+ "$GITHUB_WORKSPACE/output"
+
+#####
+
+msg "$header make_email_body.sh"
+# It's possible no cirrus-cron jobs actually failed
+echo -e '\n\n \n\t\n' >> "$ID_NAME_FILEPATH" # blank lines should be ignored
+# Don't need to test stdout/stderr of this
+if ! $base/make_email_body.sh; then
+ die "make_email_body.sh failed"
+fi
+
+expect_regex \
+ '^Detected.+Cirrus-CI.+failed.*' \
+ "$GITHUB_WORKSPACE/artifacts/email_body.txt"
+
+#####
+
+msg "$header make_email_body.sh name and link"
+# Job names may contain spaces, confirm lines are parsed properly
+echo -e '1234567890 cirrus-cron test job' >> "$ID_NAME_FILEPATH" # Append to blank lines
+$base/make_email_body.sh
+expected="Cron build 'cirrus-cron test job' Failed: https://cirrus-ci.com/build/1234567890"
+if ! grep -q "$expected" $GITHUB_WORKSPACE/artifacts/email_body.txt; then
+ die "Expecting to find string '$expected' in generated e-mail body:
+$(<$GITHUB_WORKSPACE/artifacts/email_body.txt)"
+fi
+
+#####
+
+msg "$header rerun_failed_tasks.sh"
+export SECRET_CIRRUS_API_KEY=testing-nottherightkey
+# test.sh is sensitive to the 'testing' name. Var. defined by cirrus-ci
+# shellcheck disable=SC2154
+echo "$CIRRUS_BUILD_ID test cron job name" > "$ID_NAME_FILEPATH"
+if ! $base/rerun_failed_tasks.sh |& \
+ tr -s '[:space:]' ' ' > $GITHUB_WORKSPACE/rerun_output; then
+ die "rerun_failed_tasks.sh failed"
+fi
+
+expect_regex \
+ "Posting GraphQL Query.+$CIRRUS_BUILD_ID.+Selecting.+re-run" \
+ "$GITHUB_WORKSPACE/rerun_output"
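Review bot: The comment "test.sh is sensitive to the 'testing' name" is misleading: rerun_failed_tasks.sh checks the cron-job `NAME` field for the substring `testing`, but the line written here is `"$CIRRUS_BUILD_ID test cron job name"`, which does not contain it, and `GITHUB_WORKFLOW="testing"` set earlier is not what the script inspects. As written, if the current build ever had FAILED/ABORTED tasks, the test would send a real `batchReRun` mutation with the placeholder key rather than taking the dry-run branch. Changing the line to `echo "$CIRRUS_BUILD_ID testing cron job name" > "$ID_NAME_FILEPATH"` makes the sentinel match; `cd $CIRRUS_WORKING_DIR` and `cd $GITHUB_WORKSPACE` should also be quoted.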
diff --git a/.github/issue-labeler.yml b/.github/issue-labeler.yml
new file mode 100644
index 0000000..e285749
--- /dev/null
+++ b/.github/issue-labeler.yml
@@ -0,0 +1,13 @@
+# List of labels which should be assigned to issues based on a regex
+windows:
+ # info prints OsArch: ...
+ # version prints OS/Arch: ...
+ - 'O[Ss]\/?Arch:\s*windows'
+macos:
+ # info prints OsArch: ...
+ # version prints OS/Arch: ...
+ - 'O[Ss]\/?Arch:\s*darwin'
+
+remote:
+ # we cannot use multiline regex so we check for serviceIsRemote in podman info
+ - 'serviceIsRemote:\strue'
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..4d00bac
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,4 @@
+# Add labels based on file paths in PR
+# https://github.com/actions/labeler
+kind/api-change:
+ - pkg/api/**/*
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 0000000..cbd704e
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,77 @@
+/*
+ Renovate is a service similar to GitHub Dependabot, but with
+ (fantastically) more configuration options. So many options
+ in fact, if you're new I recommend glossing over this cheat-sheet
+ prior to the official documentation:
+
+ https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+
+ Configuration Update/Change Procedure:
+ 1. Make changes
+ 2. Manually validate changes (from repo-root):
+
+ podman run -it \
+ -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+ docker.io/renovate/renovate:latest \
+ renovate-config-validator
+ 3. Commit.
+
+ Configuration Reference:
+ https://docs.renovatebot.com/configuration-options/
+
+ Monitoring Dashboard:
+ https://app.renovatebot.com/dashboard#github/containers
+
+ Note: The Renovate bot will create/manage it's business on
+ branches named 'renovate/*'. Otherwise, and by
+ default, the only the copy of this file that matters
+ is the one on the `main` branch. No other branches
+ will be monitored or touched in any way.
+*/
+
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+ /*************************************************
+ ****** Global/general configuration options *****
+ *************************************************/
+
+ // Re-use predefined sets of configuration options to DRY
+ "extends": [
+ // https://github.com/containers/automation/blob/main/renovate/defaults.json5
+ "github>containers/automation//renovate/defaults.json5"
+ ],
+
+ /*************************************************
+ *** Repository-specific configuration options ***
+ *************************************************/
+
+ "ignorePaths": [
+ "**/vendor/**",
+ "**/docs/**",
+ ],
+
+ "addLabels": ["release-note-none"],
+
+ "golang": {
+ // N/B: LAST matching rule wins
+ "packageRules": [
+ // Updates for `github.com/containers/*` should be checked hourly.
+ {
+ "matchPackagePrefixes": ["github.com/containers"],
+ "schedule": "before 11am", // UTC
+ },
+
+ // Updates for c/common, c/image, and c/storage should be grouped into a single PR
+ {
+ "matchPackagePatterns": [
+ "^github.com/containers/common",
+ "^github.com/containers/image",
+ "^github.com/containers/storage",
+ ],
+ "groupName": "common, image, and storage deps",
+ "schedule": "before 11am", // UTC
+ }
+ ],
+ }
+}
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
new file mode 100644
index 0000000..c6048aa
--- /dev/null
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -0,0 +1,92 @@
+---
+
+# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+
+# Required to un-FUBAR default ${{github.workflow}} value
+name: check_cirrus_cron
+
+on:
+ # Note: This only applies to the main branch.
+ schedule:
+ # N/B: This should correspond to a period slightly after
+ # the last job finishes running. See job defs. at:
+ # https://cirrus-ci.com/settings/repository/6707778565701632
+ - cron: '03 03 * * 1-5'
+ # Debug: Allow triggering job manually in github-actions WebUI
+ workflow_dispatch: {}
+ # Allow re-use of this workflow by other repositories
+ # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+ workflow_call:
+ secrets:
+ SECRET_CIRRUS_API_KEY:
+ required : true
+ ACTION_MAIL_SERVER:
+ required: true
+ ACTION_MAIL_USERNAME:
+ required: true
+ ACTION_MAIL_PASSWORD:
+ required: true
+ ACTION_MAIL_SENDER:
+ required: true
+
+env:
+ # CSV listing of e-mail addresses for delivery failure or error notices
+ RCPTCSV: podman-monitor@lists.podman.io
+ # Filename for table of build-id to cron-name data
+ # (must be in $GITHUB_WORKSPACE/artifacts/)
+ ID_NAME_FILEPATH: './artifacts/id_name.txt'
+
+permissions:
+ contents: read
+
+jobs:
+ cron_failures:
+ runs-on: ubuntu-latest
+ steps:
+ # This is where the scripts live
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ with:
+ repository: containers/podman
+ ref: 'main'
+ persist-credentials: false
+
+ - name: Get failed cron names and Build IDs
+ id: cron
+ run: './.github/actions/check_cirrus_cron/cron_failures.sh'
+
+ - if: steps.cron.outputs.failures > 0
+ shell: bash
+ run: './.github/actions/check_cirrus_cron/make_email_body.sh'
+
+ - if: steps.cron.outputs.failures > 0
+ name: Send failure notification e-mail
+ # Ref: https://github.com/dawidd6/action-send-mail
+ uses: dawidd6/action-send-mail@v3.9.0
+ with:
+ server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_port: 465
+ username: ${{secrets.ACTION_MAIL_USERNAME}}
+ password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ subject: Cirrus-CI cron build failures on ${{github.repository}}
+ to: ${{env.RCPTCSV}}
+ from: ${{secrets.ACTION_MAIL_SENDER}}
+ body: file://./artifacts/email_body.txt
+
+ - if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: ${{ github.job }}_artifacts
+ path: artifacts/*
+
+ - if: failure()
+ name: Send error notification e-mail
+ uses: dawidd6/action-send-mail@v3.9.0
+ with:
+ server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_port: 465
+ username: ${{secrets.ACTION_MAIL_USERNAME}}
+ password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ subject: Github workflow error on ${{github.repository}}
+ to: ${{env.RCPTCSV}}
+ from: ${{secrets.ACTION_MAIL_SENDER}}
+ body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
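Review bot: `actions/checkout` is pinned to a full commit SHA, but `dawidd6/action-send-mail@v3.9.0` (used twice here, with the mail credentials) and `actions/upload-artifact@v3` are pinned to mutable tags, so a retagged or compromised release changes what runs with access to `ACTION_MAIL_PASSWORD`; the same applies to `dessant/lock-threads@v5` and `action-send-mail@v3.9.0` in discussion_lock.yml. Pin each to its commit SHA with the version in a trailing comment, matching the checkout line, e.g. `uses: dawidd6/action-send-mail@<commit-sha> # v3.9.0`. Minor style: `required : true` under `SECRET_CIRRUS_API_KEY` has a space before the colon, unlike the sibling keys; write `required: true`.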
diff --git a/.github/workflows/discussion_lock.yml b/.github/workflows/discussion_lock.yml
new file mode 100644
index 0000000..9a4f3a6
--- /dev/null
+++ b/.github/workflows/discussion_lock.yml
@@ -0,0 +1,68 @@
+---
+
+# Format ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+
+name: "Lock closed Issue/PR discussions"
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ # Allow re-use of this workflow by other repositories
+ # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+ workflow_call:
+ secrets:
+ ACTION_MAIL_SERVER:
+ required: true
+ ACTION_MAIL_USERNAME:
+ required: true
+ ACTION_MAIL_PASSWORD:
+ required: true
+ ACTION_MAIL_SENDER:
+ required: true
+ # Debug: Allow triggering job manually in github-actions WebUI
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+
+concurrency:
+ group: lock
+
+env:
+ # Number of days before a closed issue/PR is be comment-locked.
+ # Note: dessant/lock-threads will only process a max. of
+ # 50 issues/PRs at a time.
+ CLOSED_DAYS: 90
+ # Pre-created issue/PR label to add (preferably a bright color).
+ # This is intended to direct a would-be commenter's actions.
+ LOCKED_LABEL: 'locked - please file new issue/PR'
+
+jobs:
+ closed_issue_discussion_lock:
+ name: "Lock closed Issue/PR discussions"
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
+ # Ref: https://github.com/dessant/lock-threads#usage
+ - uses: dessant/lock-threads@v5
+ with:
+ issue-inactive-days: '${{env.CLOSED_DAYS}}'
+ pr-inactive-days: '${{env.CLOSED_DAYS}}'
+ add-issue-labels: '${{env.LOCKED_LABEL}}'
+ add-pr-labels: '${{env.LOCKED_LABEL}}'
+ pr-lock-reason: 'resolved'
+ log-output: true
+ - if: failure()
+ name: Send job failure notification e-mail
+ uses: dawidd6/action-send-mail@v3.9.0
+ with:
+ server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_port: 465
+ username: ${{secrets.ACTION_MAIL_USERNAME}}
+ password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ subject: Github workflow error on ${{github.repository}}
+ to: podman-monitor@lists.podman.io
+ from: ${{secrets.ACTION_MAIL_SENDER}}
+ body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
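Review bot: `dessant/lock-threads@v5` and `dawidd6/action-send-mail@v3.9.0` are referenced by mutable tags while this same commit pins `actions/checkout` by commit SHA (for example in rerun_cirrus_cron.yml and mac-pkg.yml); a tag can be moved to different code, and here lock-threads runs with `issues: write`/`pull-requests: write` and the mail action receives the ACTION_MAIL_* credentials. Pin both by full commit SHA with the version kept in a trailing comment, `- uses: dessant/lock-threads@<commit-sha> # v5`. The same mutable-tag references occur in fcos-podman-next-build-prepush-test.yml, fcos-podman-next-build.yml, issue-labeler.yml, labeler.yml, mac-pkg.yml (setup-go, upload-artifact), rerun_cirrus_cron.yml, scan-secrets.yml, stale.yml and upload-win-installer.yml, and the fix is the same in each.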
diff --git a/.github/workflows/fcos-podman-next-build-prepush-test.yml b/.github/workflows/fcos-podman-next-build-prepush-test.yml
new file mode 100644
index 0000000..1352e9c
--- /dev/null
+++ b/.github/workflows/fcos-podman-next-build-prepush-test.yml
@@ -0,0 +1,31 @@
+# This workflow only runs a build test to check for buildability issues before
+# PR merge. No registry push occurs here.
+name: Build FCOS image with podman-next
+
+on:
+ pull_request:
+ branches:
+ - main
+
+env:
+ IMAGE_NAME: fcos
+ IMAGE_REGISTRY: quay.io/podman
+ COPR_OWNER: rhcontainerbot
+ COPR_PROJECT: podman-next
+
+jobs:
+ fcos-podman-next-image-build-prepush-test:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Build FCOS Image
+ id: build_image_test
+ # Ref: https://github.com/redhat-actions/buildah-build
+ uses: redhat-actions/buildah-build@v2
+ with:
+ image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: ${{ github.sha }}
+ containerfiles: ./contrib/podman-next/fcos-podmanimage/Containerfile
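Review bot: This workflow declares no `permissions:` block, so the job token receives the repository's default permission set although the only steps check out the code and run a local build; add a top-level `permissions:` / `  contents: read` as the other workflows in this commit do. `COPR_OWNER` and `COPR_PROJECT` under `env:` are not referenced by any step in this file; either drop them or add a comment saying they are kept identical to fcos-podman-next-build.yml on purpose.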
diff --git a/.github/workflows/fcos-podman-next-build.yml b/.github/workflows/fcos-podman-next-build.yml
new file mode 100644
index 0000000..cb24a46
--- /dev/null
+++ b/.github/workflows/fcos-podman-next-build.yml
@@ -0,0 +1,97 @@
+name: Build FCOS image with packages from rhcontainerbot/podman-next
+
+on:
+ push:
+ branches:
+ - main
+ # Run everyday at midnight and pull the latest packages from the copr
+ schedule:
+ - cron: '0 0 * * *'
+
+env:
+ IMAGE_NAME: fcos
+ # IMAGE_ARCHS has to be comma separated
+ IMAGE_ARCHS: amd64, arm64
+ IMAGE_REGISTRY: quay.io/podman
+ COPR_OWNER: rhcontainerbot
+ COPR_PROJECT: podman-next
+
+jobs:
+ fcos-podman-next-image-build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Install qemu dependency
+ run: |
+ sudo apt update
+ sudo apt -y install qemu-user-static
+
+ - name: Set up wait-for-copr
+ # Do not run on scheduled nightly builds
+ if: ${{ github.event_name != 'schedule' }}
+ run: |
+ pip3 install git+https://github.com/packit/wait-for-copr.git@main
+
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Get short SHA from HEAD
+ run: echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
+ id: short_sha
+
+ - name: Wait for successful podman-next build with the latest commit
+ # Do not run on scheduled nightly builds
+ if: ${{ github.event_name != 'schedule' }}
+ run: |
+ # TODO: add this in the Containerfile itself or as a --build-arg
+ wait-for-copr --owner ${{ env.COPR_OWNER }} --project ${{ env.COPR_PROJECT }} podman ${{ env.SHORT_SHA }}
+ echo "podman-next build successful."
+
+ - name: Build FCOS Image
+ id: build_image_multiarch
+ # Ref: https://github.com/redhat-actions/buildah-build
+ uses: redhat-actions/buildah-build@v2
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ tags: ${{ env.COPR_PROJECT }} podman-${{ env.SHORT_SHA }}
+ archs: ${{ env.IMAGE_ARCHS }}
+ containerfiles: ./contrib/podman-next/fcos-podmanimage/Containerfile
+ labels: |
+ org.opencontainers.image.title=fcos-podman-next image
+ org.opencontainers.image.source=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/contrib/podman-next/fcos-podmanimage/Containerfile
+ org.opencontainers.image.url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ org.opencontainers.image.description=FCOS image with rpms from rhcontainerbot/podman-next copr
+ org.opencontainers.image.revision=${{ github.sha }}
+
+
+ - name: Echo Outputs
+ run: |
+ echo "Image: ${{ steps.build_image_multiarch.outputs.image }}"
+ echo "Tags: ${{ steps.build_image_multiarch.outputs.tags }}"
+ echo "Tagged Image: ${{ steps.build_image_multiarch.outputs.image-with-tag }}"
+
+ - name: Check images created
+ run: buildah images | grep '${{ env.IMAGE_NAME }}'
+
+ - name: Check image metadata
+ run: |
+ set -x
+ # COPR_PROJECT envvar is used for the `podman-next` floating tag
+ buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".OCIv1.architecture"
+ buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".Docker.architecture"
+ buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".OCIv1.architecture"
+ buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".Docker.architecture"
+
+ - name: Run image
+ run: podman run --privileged --rm ${{ steps.build_image_multiarch.outputs.image-with-tag }} podman system info
+
+ - name: Push to Quay
+ id: push-to-quay
+ # Ref: https://github.com/redhat-actions/push-to-registry
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ${{ env.IMAGE_NAME }}
+ tags: ${{ steps.build_image_multiarch.outputs.tags }}
+ registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ secrets.QUAY_PODMAN_USERNAME }}
+ password: ${{ secrets.QUAY_PODMAN_PASSWORD }}
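Review bot: `pip3 install git+https://github.com/packit/wait-for-copr.git@main` installs, and a later step executes, code from a mutable branch inside a job that also holds the QUAY_PODMAN_* push credentials used by the final step; pin the dependency to a commit, `pip3 install git+https://github.com/packit/wait-for-copr.git@<commit-sha>`. As in the prepush workflow, there is no top-level `permissions:` block even though the job only reads the repository, so `permissions:` / `  contents: read` would narrow the GITHUB_TOKEN. The `id: short_sha` line placed after `run:` is valid but differs from the `id`-before-`run` order used by the other steps in this file.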
diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
new file mode 100644
index 0000000..e03ea24
--- /dev/null
+++ b/.github/workflows/issue-labeler.yml
@@ -0,0 +1,21 @@
+name: "Issue Labeler"
+on:
+ issues:
+ types: [opened, edited]
+
+permissions:
+ contents: read
+
+jobs:
+ triage:
+ permissions:
+ contents: read # for github/issue-labeler to get repo contents
+ issues: write # for github/issue-labeler to create or remove labels
+ runs-on: ubuntu-latest
+ steps:
+ - uses: github/issue-labeler@v3.3
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ configuration-path: .github/issue-labeler.yml
+ not-before: 2022-01-27T00:00:00Z
+ enable-versioned-regex: 0
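Review bot: `not-before: 2022-01-27T00:00:00Z` is an unquoted ISO timestamp, which YAML 1.1 loaders type as a timestamp rather than a string, so the value the action receives depends on how the loader re-serializes it; quoting it, `not-before: "2022-01-27T00:00:00Z"`, removes that dependency. `enable-versioned-regex: 0` is likewise an unquoted integer for what is most likely a string input; `"0"` would match the quoted style already used for `repo-token` two lines above.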
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 0000000..64505bb
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,15 @@
+# https://github.com/actions/labeler
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+jobs:
+ triage:
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@v4
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
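Review bot: This workflow runs on `pull_request_target` with `pull-requests: write` and the `GITHUB_TOKEN`, which is the context where a moved action tag does the most damage; `actions/labeler@v4` should be pinned, `- uses: actions/labeler@<commit-sha> # v4`. The sequence under `on:` is flush-indented (`- pull_request_target` at column 0) while every other workflow in this commit indents block sequences; `on: [pull_request_target]` or an indented item keeps the files consistent for yamllint's `indentation` rule.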
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
new file mode 100644
index 0000000..c21f290
--- /dev/null
+++ b/.github/workflows/mac-pkg.yml
@@ -0,0 +1,154 @@
+name: Sign and Upload Mac Installer
+
+on:
+ release:
+ types: [created, published]
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Release version to build and upload (e.g. "v9.8.7")'
+ required: true
+ dryrun:
+ description: 'Perform all the steps except uploading to the release page'
+ required: true
+ default: "true" # 'choice' type requires string value
+ type: choice
+ options:
+ - "true" # Must be quoted string, boolean value not supported.
+ - "false"
+
+permissions:
+ contents: write
+
+jobs:
+ build:
+ runs-on: macos-latest
+ env:
+ APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
+ CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
+ INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
+ PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
+ CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+
+ NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+ NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+ NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+
+ KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+ steps:
+ - name: Consolidate dryrun setting to always be true or false
+ id: actual_dryrun
+ run: |
+ # The 'release' trigger will not have a 'dryrun' input set. Handle
+ # this case in a readable/maintainable way.
+ if [[ -z "${{ inputs.dryrun }}" ]]
+ then
+ echo "dryrun=false" >> $GITHUB_OUTPUT
+ else
+ echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
+ fi
+ - name: Dry Run Status
+ run: |
+ echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
+ - name: Determine Version
+ id: getversion
+ run: |
+ if [[ -z "${{ inputs.version }}" ]]
+ then
+ VERSION=${{ github.event.release.tag_name }}
+ else
+ VERSION=${{ inputs.version }}
+ fi
+ echo
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ - name: Check uploads
+ id: check
+ run: |
+ URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
+ ARM_FILE="podman-installer-macos-arm64.pkg"
+ AMD_FILE="podman-installer-macos-amd64.pkg"
+
+ status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
+ if [[ "$status" == "404" ]] ; then
+ echo "buildarm=true" >> $GITHUB_OUTPUT
+ else
+ echo "::warning::ARM installer already exists, skipping"
+ echo "buildarm=false" >> $GITHUB_OUTPUT
+ fi
+
+ status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
+ if [[ "$status" == "404" ]] ; then
+ echo "buildamd=true" >> $GITHUB_OUTPUT
+ else
+ echo "::warning::AMD installer already exists, skipping"
+ echo "buildamd=false" >> $GITHUB_OUTPUT
+ fi
+ - name: Checkout Version
+ if: >-
+ steps.check.outputs.buildamd == 'true' ||
+ steps.check.outputs.buildarm == 'true' ||
+ steps.actual_dryrun.outputs.dryrun == 'true'
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ with:
+ ref: ${{steps.getversion.outputs.version}}
+ - name: Set up Go
+ # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
+ if: >-
+ steps.check.outputs.buildamd == 'true' ||
+ steps.check.outputs.buildarm == 'true' ||
+ steps.actual_dryrun.outputs.dryrun == 'true'
+ uses: actions/setup-go@v4
+ with:
+ go-version: stable
+ - name: Create Keychain
+ if: >-
+ steps.check.outputs.buildamd == 'true' ||
+ steps.check.outputs.buildarm == 'true' ||
+ steps.actual_dryrun.outputs.dryrun == 'true'
+ run: |
+ echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
+ echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
+
+ security create-keychain -p "$KEYCHAIN_PWD" build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
+ security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
+ security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
+
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
+ - name: Build and Sign ARM
+ if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ working-directory: contrib/pkginstaller
+ run: |
+ make ARCH=aarch64 notarize &> /dev/null
+ cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
+ - name: Build and Sign AMD
+ if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ working-directory: contrib/pkginstaller
+ run: |
+ make ARCH=amd64 notarize &> /dev/null
+ cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
+ - name: Artifact
+ if: >-
+ steps.check.outputs.buildamd == 'true' ||
+ steps.check.outputs.buildarm == 'true' ||
+ steps.actual_dryrun.outputs.dryrun == 'true'
+ uses: actions/upload-artifact@v3
+ with:
+ name: installers
+ path: |
+ contrib/pkginstaller/out/podman-installer-macos-*.pkg
+ contrib/pkginstaller/out/shasums
+ - name: Upload to Release
+ if: >-
+ steps.actual_dryrun.outputs.dryrun == 'false' &&
+ (steps.check.outputs.buildamd == 'true' ||
+ steps.check.outputs.buildarm == 'true')
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
+ cat contrib/pkginstaller/out/shasums >> shasums
+ gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
+ gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
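Review bot: In the `Check uploads` step every HTTP status other than `404` is treated as "installer already exists" and the build is skipped, so a transient network failure (curl reports `000`), a 5xx, or a redirect loop silently yields a release with no installer and only a `::warning::` in the log. Only a success or redirect status should count as "exists" and anything else should fail the step; the rewrite below shows the ARM check, and the AMD block is the same with `AMD_FILE` and `buildamd`. Separately, `make ARCH=... notarize &> /dev/null` in both build steps discards stdout and stderr, so a signing or notarization failure leaves nothing in the job log to diagnose; if the intent is to keep secrets out of the log, a comment saying so and a redirect of stdout only would be easier to maintain.
```yaml
      - name: Check uploads
        id: check
        run: |
          # … unchanged: URI, ARM_FILE, AMD_FILE …
          status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
          case "$status" in
            404)
              echo "buildarm=true" >> $GITHUB_OUTPUT ;;
            200|302)
              echo "::warning::ARM installer already exists, skipping"
              echo "buildarm=false" >> $GITHUB_OUTPUT ;;
            *)
              echo "::error::Unexpected HTTP status '$status' checking ${ARM_FILE}"
              exit 1 ;;
          esac
          # … unchanged: same check for AMD_FILE / buildamd …
```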
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
new file mode 100644
index 0000000..66599a8
--- /dev/null
+++ b/.github/workflows/pr-title.yml
@@ -0,0 +1,24 @@
+# Upstream: github.com/tzkhan/pr-update-action
+
+name: "PR title check"
+
+on:
+ pull_request_target:
+ branches:
+ - "!master" # causes errors; reason unknown
+
+permissions:
+ contents: read
+
+jobs:
+ update_pr:
+ permissions:
+ pull-requests: write # for tzkhan/pr-update-action to update PRs
+ runs-on: ubuntu-latest
+ steps:
+ - uses: tzkhan/pr-update-action@bbd4c9395df8a9c4ef075b8b7fe29f2ca76cdca9 # v2
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ base-branch-regex: '^(?!master).*$'
+ title-template: '[%basebranch%]'
+ title-prefix-space: true
diff --git a/.github/workflows/rerun_cirrus_cron.yml b/.github/workflows/rerun_cirrus_cron.yml
new file mode 100644
index 0000000..fcb7ef1
--- /dev/null
+++ b/.github/workflows/rerun_cirrus_cron.yml
@@ -0,0 +1,78 @@
+---
+
+# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+
+# Required to un-FUBAR default ${{github.workflow}} value
+name: rerun_cirrus_cron
+
+on:
+ # Note: This only applies to the main branch.
+ schedule:
+ # N/B: This should fire about an hour prior to check_cirrus_cron
+ # so the re-runs have a chance to complete.
+ - cron: '01 01 * * 1-5'
+ # Debug: Allow triggering job manually in github-actions WebUI
+ workflow_dispatch: {}
+ # Allow re-use of this workflow by other repositories
+ # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+ workflow_call:
+ secrets:
+ SECRET_CIRRUS_API_KEY:
+ required : true
+ ACTION_MAIL_SERVER:
+ required: true
+ ACTION_MAIL_USERNAME:
+ required: true
+ ACTION_MAIL_PASSWORD:
+ required: true
+ ACTION_MAIL_SENDER:
+ required: true
+
+env:
+ # CSV listing of e-mail addresses for delivery failure or error notices
+ RCPTCSV: podman-monitor@lists.podman.io
+ # Filename for table of build-id to cron-name data
+ # (must be in $GITHUB_WORKSPACE/artifacts/)
+ ID_NAME_FILEPATH: './artifacts/id_name.txt'
+
+permissions:
+ contents: read
+
+jobs:
+ cron_rerun:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ with:
+ # All scripts used by this workflow live in podman repo.
+ repository: "containers/podman"
+ ref: "main"
+ persist-credentials: false
+
+ - name: Get failed cron names and Build IDs
+ id: cron
+ run: './.github/actions/check_cirrus_cron/cron_failures.sh'
+
+ - if: steps.cron.outputs.failures > 0
+ shell: bash
+ env:
+ SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }}
+ run: './.github/actions/check_cirrus_cron/rerun_failed_tasks.sh'
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: ${{ github.job }}_artifacts
+ path: artifacts/*
+
+ - if: failure()
+ name: Send error notification e-mail
+ uses: dawidd6/action-send-mail@v3.9.0
+ with:
+ server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_port: 465
+ username: ${{secrets.ACTION_MAIL_USERNAME}}
+ password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ subject: Github workflow error on ${{github.repository}}
+ to: ${{env.RCPTCSV}}
+ from: ${{secrets.ACTION_MAIL_SENDER}}
+ body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
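Review bot: The `actions/upload-artifact@v3` step has no `if:` guard, so when `rerun_failed_tasks.sh` fails the artifacts (including `./artifacts/id_name.txt`) are never uploaded and the error e-mail points at a run with nothing to inspect; check_cirrus_cron.yml in this same commit guards the equivalent step with `- if: always()`, and this step should too. `required : true` under `SECRET_CIRRUS_API_KEY` has a space before the colon; it parses, but yamllint's `colons` rule flags it and the sibling keys use `required: true`.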
diff --git a/.github/workflows/scan-secrets.yml b/.github/workflows/scan-secrets.yml
new file mode 100644
index 0000000..2ae7112
--- /dev/null
+++ b/.github/workflows/scan-secrets.yml
@@ -0,0 +1,207 @@
+---
+
+name: Scan for secret leaks and changes
+
+on:
+ # Block PR modification of workflow
+ pull_request_target:
+ push:
+ workflow_dispatch:
+
+# N/B: Default write-all permission for pull_request_target
+permissions: read-all
+
+env:
+ # How far back in history to go when scanning a branch/tag
+ # This is most significant when scanning vs new release-branches
+ # with commit IDs that may differ from those encoded in the
+ # .gitleaks/baseline.json data (which always comes from
+ # the default branch).
+ # TODO: Is there any way to not hard-code this?
+ # N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
+ brdepth: 50
+
+ # GitLeaks container image to use.
+ # N/B: Updating this is hard to test, esp. care must be exercised re: new leak-ignore behaviors
+ # (example ref: 'Check for inline scan overrides' step below). Also b/c this workflow is not
+ # intended to be used with the 'pull_request' trigger - as doing so defeats gitleaks scan
+ # result trustworthiness.
+ # N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
+ glfqin: ghcr.io/gitleaks/gitleaks@sha256:e5f6d1a62786affd1abd882ecc73e9353ce78adea1650711f6e351767723712d # v8.18.0
+
+ # General arguments to pass for all execution contexts
+ # Ref: https://github.com/gitleaks/gitleaks#usage
+ # N/B: This value is reused by Cirrus-CI, see contrib/cirrus/prebuild.sh
+ glargs: >-
+ --exit-code=1
+ --no-banner
+ --verbose
+ --log-level=debug
+ --source=/subject
+ --config=/default/.gitleaks.toml
+ --report-path=/report/gitleaks-report.json
+ --baseline-path=/default/.gitleaks/baseline.json
+
+ # Where to send notification e-mail
+ RCPTCSV: podman-monitor@lists.podman.io
+
+jobs:
+ scan-secrets:
+ runs-on: ubuntu-latest
+ env:
+ # Reduce duplication & command-line length
+ gitlogcmd: "git -C ${{ github.workspace }}/_subject log -p -U0"
+ steps:
+ - name: Define git log command and options for re-use
+ id: gitlog
+ shell: bash
+ run: |
+ set -exuo pipefail
+ if [[ "${{ github.base_ref }}" == "" ]]; then # It's a branch/tag
+ echo "range=-${{ env.brdepth }}" >> $GITHUB_OUTPUT
+ else # It's a PR
+ echo "range=${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }}..HEAD" >> $GITHUB_OUTPUT
+ fi
+
+ # On a large repo, there's no need to check out the entire thing. For PRs
+ # the depth can be limited to one-greater than the number of PR commits.
+ # Unfortunately, GHA is incapable of performing simple math in-line.
+ - name: Do some simple math for PR clone depth
+ if: github.base_ref != ''
+ id: one_more_commit
+ shell: bash
+ run: |
+ echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
+
+ - name: Show important context details
+ shell: bash
+ run: |
+ set -euo pipefail
+ echo "The workspace path is '${{ github.workspace }}'"
+ echo "The github.base_ref value is '${{ github.base_ref }}'"
+ echo "The branch scan depth value is '${{ env.brdepth }}'"
+ echo "The PR clone depth value is '${{ steps.one_more_commit.outputs.depth }}'"
+ echo "The gitlogcmd value is '${{ env.gitlogcmd }}'"
+ echo "The gitlog range value is '${{ steps.gitlog.outputs.range }}'"
+ echo "The GitLeaks container FQIN is '${{ env.glfqin }}'"
+ echo "::group::The trigger event JSON"
+ jq --color-output --indent 2 --sort-keys . $GITHUB_EVENT_PATH
+ echo "::endgroup::"
+
+ # N/B: Use "_" prefixed paths to (somewhat) guard against clashes. GHA has some
+ # non-POLA behaviors WRT `${{ github.workspace }}` + checkout action.
+ - name: Checkout PR
+ if: github.base_ref != ''
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ path: _subject
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: ${{ steps.one_more_commit.outputs.depth }}
+
+ - name: Checkout Branch/Tag
+ if: github.base_ref == ''
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ path: _subject
+ fetch-depth: ${{ env.brdepth }}
+
+ # Trusted source of gitleaks config.
+ - name: Checkout default branch
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: ${{ github.event.repository.default_branch }}
+ path: _default
+ fetch-depth: 1
+
+ - name: Create report directory
+ shell: bash
+ run: |
+ set -exuo pipefail
+ mkdir ${{ github.workspace }}/_report
+ touch ${{ github.workspace }}/_report/gitleaks-report.json
+
+ # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs
+ - name: Show content being scanned
+ shell: bash
+ run: |
+ set -exuo pipefail
+ ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }}
+
+ # Unfortunately gitleaks provides several in-built ways to
+ # completely bypass an alert within PR-level commits. Assume
+ # it's not possible to detect these with gitleaks-config rules.
+ - name: Check for inline scan overrides
+ if: github.base_ref != '' # A PR
+ shell: bash
+ env:
+ # Workaround erronously detecting the string in this file
+ _rx1: "gitleaks"
+ _rx2: ":"
+ _rx3: "allow"
+ run: |
+ set -euo pipefail
+ verboten_rx="${_rx1}${_rx2}${_rx3}"
+ verboten=$(set -x ; ${{ env.gitlogcmd }} "-G$verboten_rx" ${{ steps.gitlog.outputs.range }})
+ if [[ -n "$verboten" ]]; then
+ printf '::error::%s' 'Found comment(s) utilizing detection override(s) (see job log for details)'
+ # Hack: Grep will never colorize an end of a line match
+ echo "$verboten" | grep --color=always -E "($verboten_rx)|$"
+ exit 1
+ fi
+
+ if [[ -r "${{ github.workspace }}/_subject/.gitleaksignore" ]]; then
+ printf '::error::%s' 'Detected a .gitleaksignore file from untrusted source.'
+ exit 1
+ fi
+
+ - name: Scan for secrets
+ shell: bash
+ # gitleaks entrypoint runs as gitleaks user (UID/GID 1000)
+ run: |
+ set -exuo pipefail
+ # TODO: Workaround podman < v4.3.0 support for `--userns=keep-id:uid=1000,gid=1000`.
+ declare -a workaround_args
+ workaround_args=(\
+ --user 1000:1000
+ --uidmap 0:1:1000
+ --uidmap 1000:0:1
+ --uidmap 1001:1001:64536
+ --gidmap 0:1:1000
+ --gidmap 1000:0:1
+ --gidmap 1001:1001:64536
+ )
+ # Careful: Changes need coordination with contrib/cirrus/prebuild.sh
+ podman run --rm \
+ --security-opt=label=disable \
+ "${workaround_args[@]}" \
+ -v ${{ github.workspace }}/_default:/default:ro \
+ -v ${{ github.workspace }}/_subject:/subject:ro \
+ -v ${{ github.workspace }}/_report:/report:rw \
+ $glfqin \
+ detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
+
+ - name: Collect scan report artifact
+ if: ${{ !cancelled() }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: gitleaks-report
+ path: ${{ github.workspace }}/_report/gitleaks-report.json
+
+ # Nobody monitors the actions-tab for failures, and may not see this
+ # fail on push to a nefarious PR. Send an e-mail alert to unmask
+ # this activity or some other general job failure.
+ - if: failure() && !contains(github.event.pull_request.labels.*.name,'BypassLeakNotification')
+ name: Send leak detection notification e-mail
+ uses: dawidd6/action-send-mail@v3.9.0
+ with:
+ server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_port: 465
+ username: ${{secrets.ACTION_MAIL_USERNAME}}
+ password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ subject: Addition|Change|Use of sensitive ${{github.repository}}-CI value
+ to: ${{env.RCPTCSV}}
+ from: ${{secrets.ACTION_MAIL_SENDER}}
+ body: "Please investigate: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
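Review bot: `printf '::error::%s' 'Found comment(s) ...'` in the `Check for inline scan overrides` step emits no trailing newline, so the first line of the coloured `grep` output that follows lands on the same line and becomes part of the `::error::` annotation text, escape codes included; the `.gitleaksignore` error two lines later uses the same form. Use `printf '::error::%s\n' ...` in both places so each annotation is terminated before any further output. The `mkdir ${{ github.workspace }}/_report` in the report-directory step is not `-p`, which is fine on a fresh runner but would make a re-run on a reused workspace fail on that line rather than on the scan.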
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..14f36fc
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,31 @@
+name: Mark stale issues and pull requests
+
+# Please refer to https://github.com/actions/stale/blob/master/action.yml
+# to see all config knobs of the stale action.
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+permissions:
+ contents: read
+
+jobs:
+ stale:
+
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/stale@v8
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
+ stale-pr-message: 'A friendly reminder that this PR had no activity for 30 days.'
+ stale-issue-label: 'stale-issue'
+ stale-pr-label: 'stale-pr'
+ days-before-stale: 30
+ days-before-close: 365
+ remove-stale-when-updated: true
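Review bot: `stale-issue-message` and `stale-pr-message` hard-code "30 days", duplicating `days-before-stale: 30`, so a later change to the threshold would silently leave the messages wrong. Either derive the number from a single `env:` value used in both places or mark the coupling next to the setting: `days-before-stale: 30  # keep in sync with the "30 days" text in the messages above`. The blank line directly after `stale:` is unusual for this commit's other workflow files and yamllint's `empty-lines` rule may flag it.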
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
new file mode 100644
index 0000000..88125e3
--- /dev/null
+++ b/.github/workflows/upload-win-installer.yml
@@ -0,0 +1,151 @@
+name: Upload Windows Installer
+
+on:
+ release:
+ types: [created, published, edited]
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Release version to build and upload (e.g. "v9.8.7")'
+ required: true
+ dryrun:
+ description: 'Perform all the steps except uploading to the release page'
+ required: true
+ default: "true" # 'choice' type requires string value
+ type: choice
+ options:
+ - "true" # Must be quoted string, boolean value not supported.
+ - "false"
+
+permissions:
+ contents: write
+
+jobs:
+ build:
+ runs-on: windows-latest
+ env:
+ FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
+ steps:
+ - name: Consolidate dryrun setting to always be true or false
+ id: actual_dryrun
+ run: |
+ # The 'release' trigger will not have a 'dryrun' input set. Handle
+ # this case in a readable/maintainable way.
+ $inputs_dryrun = "${{ inputs.dryrun }}"
+ if ($inputs_dryrun.Length -lt 1) {
+ Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ } else {
+ Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ }
+ - name: Dry Run Status
+ run: |
+ Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
+ - name: Determine version
+ id: getversion
+ run: |
+ $version = "${{ inputs.version }}"
+ if ($version.Length -lt 1) {
+ $version = "${{ github.event.release.tag_name }}"
+ if ($version.Length -lt 1) {
+ Write-Host "::error::Could not determine version!"
+ Exit 1
+ }
+ }
+ Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ with:
+ ref: ${{steps.getversion.outputs.version}}
+ # This step is super-duper critical for the built/signed windows installer .exe file.
+ # It ensures the referenced $version github release page does NOT already contain
+ # this file. Windows assigns a UUID to the installer at build time, it's assumed
+ # by windows that one release version == one UUID (always). Breaking this assumption
+ # has some rather nasty side-effects in windows, such as possibly breaking 'uninstall'
+ # functionality. For dry-runs, the .exe is saved in the workflow artifacts for a human
+ # to judge w/n (i.e. in some extreme case) it should be uploaded to the release page.
+ - name: Check
+ id: check
+ run: |
+ Push-Location contrib\win-installer
+ .\check.ps1 ${{steps.getversion.outputs.version}}
+ $code = $LASTEXITCODE
+ if ($code -eq 2) {
+ Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ Pop-Location
+ Exit 0
+ }
+ Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ Pop-Location
+ Exit $code
+ # The podman release process requires a cross-compile of the windows binaries be uploaded to
+ # the release page as a hard-coded filename. If non-existent, this workflow will fail in
+ # non-obvious ways with a non-obvious error message. Address that here.
+ - name: Confirm upload_asset_name is non-empty
+ if: ${{ steps.check.outputs.upload_asset_name == '' }}
+ run: |
+ Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_md64.zip github release asset for version ${{steps.getversion.outputs.version}}."
+ Exit 1
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ # N/B: already-exists may be an empty-string or "false", handle both cases.
+ if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ with:
+ go-version: stable
+ - name: Setup Signature Tooling
+ if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ run: |
+ dotnet tool install --global AzureSignTool --version 3.0.0
+ echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ - name: Build
+ id: build
+ if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ run: |
+ Push-Location contrib\win-installer
+ .\build.ps1 ${{steps.getversion.outputs.version}} prod
+ $code = $LASTEXITCODE
+ if ($code -eq 2) {
+ Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ Pop-Location
+ Exit 0
+ }
+ Pop-Location
+ Exit $code
+ - name: Artifact
+ if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ uses: actions/upload-artifact@v3
+ with:
+ name: installer
+ path: |
+ ${{ steps.check.outputs.upload_asset_name }}
+ .\contrib\win-installer\shasums
+ - name: Upload
+ if: >-
+ steps.actual_dryrun.outputs.dryrun == 'false' &&
+ steps.check.outputs.already-exists != 'true' &&
+ steps.build.outputs.artifact-missing != 'true'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ Push-Location contrib\win-installer
+ $version = "${{ steps.getversion.outputs.version }}"
+ if ($version[0] -ne "v") {
+ $version = "v$version"
+ }
+ gh release upload $version ${{ steps.check.outputs.upload_asset_name }}
+ if ($LASTEXITCODE -ne 0) {
+ .\check.ps1 $version
+ if ($LASTEXITCODE -eq 2) {
+ Write-Host "Another job uploaded before us, skipping"
+ Pop-Location
+ Exit 0
+ }
+ Pop-Location
+ Exit 1
+ }
+ if (Test-Path -Path shasums) {
+ gh release upload --clobber $version shasums
+ }
+ Pop-Location
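Review bot: `steps.Check.outputs.already-exists` in the `Setup Signature Tooling` condition uses a capitalised step id while the step is declared `id: check` and every other condition reads `steps.check`; GitHub's expression property lookup is, as far as I know, case-insensitive so this likely works, but the line should read `if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'` to match. The five `echo "...=${{secrets.AZ_*}}" | Out-File -FilePath $env:GITHUB_ENV` lines copy the signing credentials into the job environment file for every subsequent step; declaring them under `env:` on the build step (`CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}`) confines them to the step that needs them and avoids breakage if a value contains characters PowerShell interprets. The error text `podman-remote-release-windows_md64.zip` looks like it is missing the `a` of `amd64`; worth confirming against the asset name check.ps1 expects.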