
Commit 711907c

author
Tim Zhou
committed
Merge branch 'main' into chore/new_base_image_for_fedora_43
2 parents 9eecc89 + 9a811bf commit 711907c


158 files changed

+2738
-6629
lines changed



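--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -61,7 +61,7 @@ jobs:
 - if: steps.cron.outputs.failures > 0
 name: Send failure notification e-mail
 # Ref: https://github.com/dawidd6/action-send-mail
-uses: dawidd6/action-send-mail@v3.12.0
+uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
 with:
 server_address: ${{secrets.ACTION_MAIL_SERVER}}
 server_port: 465
@@ -80,7 +80,7 @@ jobs:
 
 - if: failure()
 name: Send error notification e-mail
-uses: dawidd6/action-send-mail@v3.12.0
+uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
 with:
 server_address: ${{secrets.ACTION_MAIL_SERVER}}
 server_port: 465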

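--- a/.github/workflows/dev-bump.yml
+++ b/.github/workflows/dev-bump.yml
@@ -3,20 +3,26 @@ on:
 push:
 tags:
 - '*'
+
+permissions: {}
+
 jobs:
 bump:
 name: Bump to -dev
 runs-on: ubuntu-latest
+permissions:
+contents: write # to create and push to a branch
+pull-requests: write # to read and create pull requests
 steps:
 - uses: actions/checkout@v6
 with:
 ref: ${{ github.ref_name }}
 token: ${{ secrets.PODMANBOT_TOKEN }}
+persist-credentials: true
 - name: Bump
 id: bump
 run: |
-ref=${{ github.ref_name }}
-version=${ref#v}
+version=${GITHUB_REF_NAME#v}
 if [[ $version == *-rc* ]]; then
 devbump="${version%-*}-dev"
 echo "::notice:: is a rc - bumping z down to $devbump"
@@ -27,69 +33,75 @@ jobs:
 echo "::notice:: bumping z up to $devbump"
 fi
 
-sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
+sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
 echo "devbump=$devbump" >> $GITHUB_OUTPUT
 - name: Push
+env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
 run: |
 # Make committer the user who triggered the action, either through cutting a release or manual trigger
 # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
-git config --local user.name ${{ github.actor }}
-git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
+git config --local user.name "${GITHUB_ACTOR}"
+git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+bumpbranch="bump-${DEVBUMP}"
 git checkout -b $bumpbranch
 git add version/rawversion/version.go
-git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}"
+git commit --signoff -m "Bump Podman to v${DEVBUMP}"
 git remote add podmanbot https://github.com/podmanbot/podman
 git push -f podmanbot "$bumpbranch"
 - name: Check open PRs
 id: checkpr
 env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
 GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
 run: |
 prs=$(gh pr list \
---repo ${{ github.repository }} \
---head bump-${{ steps.bump.outputs.devbump }} \
+--repo "${GITHUB_REPOSITORY}" \
+--head "bump-${DEVBUMP}" \
 --state open \
 --json title \
 --jq 'length')
 if ((prs > 0)); then
-echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}."
+echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}."
 else
 echo "prexists=false" >> "$GITHUB_OUTPUT"
 fi
 - name: Open PR
 if: steps.checkpr.outputs.prexists == 'false'
 id: pr
+env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
+GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
 run: |
-bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
-ref=${{ github.ref_name }}
-base=${ref%.*}
+bumpbranch="bump-${DEVBUMP}"
+base=${GITHUB_REF_NAME%.*}
 body=$(printf '```release-note\nNone\n```\n')
 gh pr create \
---title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \
+--title "Bump Podman to v${DEVBUMP}" \
 --body "$body" \
 --head "podmanbot:$bumpbranch" \
 --base "$base" \
---repo ${{ github.repository }}
-env:
-GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+--repo "${GITHUB_REPOSITORY}"
 mainbump:
 name: Bump on main
 runs-on: ubuntu-latest
+permissions:
+contents: write # to create and push to a branch
+pull-requests: write # to read and create pull requests
 env:
 GH_TOKEN: ${{ github.token }}
 steps:
 - uses: actions/checkout@v6
 with:
 ref: main
 token: ${{ secrets.PODMANBOT_TOKEN }}
+persist-credentials: true
 - name: Check version on main
 id: check
 run: |
 mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go`
-ref=${{ github.ref_name }}
-releasevers=${ref#v}
+releasevers=${GITHUB_REF_NAME#v}
 if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C
 then
 echo "bump=true" >> $GITHUB_OUTPUT
@@ -101,58 +113,61 @@ jobs:
 id: bump
 if: steps.check.outputs.bump == 'true'
 run: |
-ref=${{ github.ref_name }}
-releasevers=${ref#v}
+releasevers=${GITHUB_REF_NAME#v}
 
 arr=($(echo "$releasevers" | tr . '\n'))
 arr[1]=$((${arr[1]}+1))
 arr[2]=0
 devbump="$(IFS=. ; echo "${arr[*]}")-dev"
 echo "::notice:: Bumping main to: $devbump"
 
-sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go
+sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
 echo "devbump=$devbump" >> $GITHUB_OUTPUT
 - name: Push
 if: steps.check.outputs.bump == 'true'
+env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
 run: |
 # Make committer the user who triggered the action, either through cutting a release or manual trigger
-# GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off
-git config --local user.name ${{ github.actor }}
-git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
+git config --local user.name "${GITHUB_ACTOR}"
+git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+bumpbranch="bump-main-${DEVBUMP}"
 git checkout -b $bumpbranch
 git add version/rawversion/version.go
-git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}"
+git commit --signoff -m "Bump main to v${DEVBUMP}"
 git remote add podmanbot https://github.com/podmanbot/podman
 git push -f podmanbot "$bumpbranch"
 - name: Check open PRs
 id: checkpr
 if: steps.check.outputs.bump == 'true'
 env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
 GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
 run: |
 prs=$(gh pr list \
---repo ${{ github.repository }} \
---head bump-main-${{ steps.bump.outputs.devbump }} \
+--repo "${GITHUB_REPOSITORY}" \
+--head "bump-main-${DEVBUMP}" \
 --state open \
 --json title \
 --jq 'length')
 if ((prs > 0)); then
-echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}."
+echo "SKIPPING: PR already exists to update to ${DEVBUMP}."
 else
 echo "prexists=false" >> "$GITHUB_OUTPUT"
 fi
 - name: Open PR
 if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false'
+env:
+DEVBUMP: ${{ steps.bump.outputs.devbump }}
+GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
 run: |
-bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+bumpbranch="bump-main-${DEVBUMP}"
 body=$(printf '```release-note\nNone\n```\n')
 gh pr create \
---title "Bump main to v${{ steps.bump.outputs.devbump }}" \
+--title "Bump main to v${DEVBUMP}" \
 --body "$body" \
 --head "podmanbot:$bumpbranch" \
 --base "main" \
---repo ${{ github.repository }}
-env:
-GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+--repo "${GITHUB_REPOSITORY}"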
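Review bot: The tag-derived `version=${GITHUB_REF_NAME#v}` on new line 25 is never validated before it is spliced into the sed expression on line 36 and, via `devbump`, into the branch name, commit message and `gh pr` arguments of the later steps. Moving the value out of `${{ }}` into the environment removes the expression-injection path into the shell, and `sed --sandbox` rejects the e/r/w commands, but neither constrains what the tag name itself contains, so a tag that is not a plain version still yields a malformed sed script or an odd branch name rather than a clear failure. Add a guard right after the assignment, e.g. `[[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]] || { echo "ERROR: unexpected tag name: ${GITHUB_REF_NAME}"; exit 1; }` (adjust the pattern to the project's tag convention), and the same for `releasevers=${GITHUB_REF_NAME#v}` at new lines 104 and 116, which is split on `.` and fed to arithmetic. Tag pushes are presumably restricted to release managers, so this is as much a robustness check as a security one. Separately, `persist-credentials: true` on new lines 21 and 99 keeps PODMANBOT_TOKEN in the checkout's git config for every later step; since it appears to be what the `git push -f podmanbot` step relies on, say so inline, `persist-credentials: true # the Push step's git push to the podmanbot remote needs this token`.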

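--- a/.github/workflows/first_contrib_cert_generator.yml
+++ b/.github/workflows/first_contrib_cert_generator.yml
@@ -16,18 +16,18 @@ on:
 description: 'The pull request number'
 required: true
 
-# Permissions needed for this workflow.
-permissions:
-contents: read # Write access for certificate storage
-pull-requests: write # Write access to comment on PRs
-actions: read # Read access for workflow actions
+permissions: {}
 
 jobs:
 screenshot_and_comment:
 # This job runs if the PR was merged or if it's a manual trigger.
 # The logic for first-time contributors is handled in a dedicated step below.
 if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
 runs-on: ubuntu-latest
+permissions:
+contents: read # Write access for certificate storage
+pull-requests: write # Write access to comment on PRs
+actions: read # Read access for workflow actions
 steps:
 # Step 1: Check if this is the contributor's first merged PR.
 # This step is the source of truth and will control the execution of subsequent steps.
@@ -60,19 +60,21 @@ jobs:
 with:
 repository: containers/automation
 path: automation-repo
+persist-credentials: false
 
 # Step 3: Update the HTML file locally
 - name: Update HTML file
 if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
+env:
+CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}
+PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }}
 run: |
 HTML_FILE="automation-repo/certificate-generator/certificate_generator.html"
-CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}"
-PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
 MERGE_DATE=$(date -u +"%B %d, %Y")
 
-sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
-sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
-sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
+sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
+sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
+sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
 
 # Step 4: Setup Node.js environment
 - name: Setup Node.js
@@ -119,6 +121,10 @@ jobs:
 - name: Upload certificate to separate repository
 if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
 uses: actions/github-script@v8
+env:
+CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
+USER_LOGIN: ${{ github.event.pull_request.user.login }}
+PR_NUMBER: ${{ github.event.inputs.pr_number }}
 with:
 github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }}
 script: |
@@ -156,10 +162,10 @@ jobs:
 // Create a unique filename with timestamp
 const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
 const contributorName = context.eventName === 'workflow_dispatch'
-? '${{ github.event.inputs.contributor_username }}'
-: '${{ github.event.pull_request.user.login }}';
+? process.env.CONTRIBUTOR_USERNAME
+: process.env.USER_LOGIN;
 const prNumber = context.eventName === 'workflow_dispatch'
-? '${{ github.event.inputs.pr_number }}'
+? process.env.PR_NUMBER
 : context.issue.number;
 
 const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`;
@@ -218,6 +224,10 @@ jobs:
 - name: Comment with embedded certificate image
 if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
 uses: actions/github-script@v8
+env:
+CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
+USER_LOGIN: ${{ github.event.pull_request.user.login }}
+PR_NUMBER: ${{ github.event.inputs.pr_number }}
 with:
 script: |
 try {
@@ -239,17 +249,17 @@ jobs:
 
 if (context.eventName === 'workflow_dispatch') {
 // Manual trigger case
-const contributorName = '${{ github.event.inputs.contributor_username }}';
-const prNumber = '${{ github.event.inputs.pr_number }}';
+const contributorName = process.env.CONTRIBUTOR_USERNAME;
+const prNumber = process.env.PR_NUMBER;
 body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`;
 } else {
 // Auto trigger case for first-time contributors
-const username = '${{ github.event.pull_request.user.login }}';
+const username = process.env.USER_LOGIN;
 body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`;
 }
 
 const issueNumber = context.eventName === 'workflow_dispatch' ?
-parseInt('${{ github.event.inputs.pr_number }}') :
+parseInt(process.env.PR_NUMBER) :
 context.issue.number;
 
 await github.rest.issues.createComment({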
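Review bot: The comment carried onto new line 28, `contents: read # Write access for certificate storage`, contradicts the permission beside it: the job's token only reads the repository, and the upload step authenticates with `secrets.CERTIFICATES_REPO_TOKEN` (context line 129) rather than the job token. Change it to `contents: read # checkout only; the certificate upload authenticates with CERTIFICATES_REPO_TOKEN` so the next reader does not widen the scope to match the comment. Separately, `PR_NUMBER` (new line 70) is spliced into the sed replacement on line 76 and later into `parseInt(process.env.PR_NUMBER)` on line 262 with no check that it is numeric; unless the `workflow_dispatch` input is declared with `type: number` (not visible in the hunk) it is free-form text, so a guard such as `[[ $PR_NUMBER =~ ^[0-9]+$ ]] || { echo "ERROR: PR number must be numeric."; exit 1; }` at the top of the Update HTML file step would fail fast instead of writing a malformed value into the certificate and a NaN issue number into the comment call.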

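--- a/.github/workflows/issue_pr_lock.yml
+++ b/.github/workflows/issue_pr_lock.yml
@@ -61,7 +61,7 @@ jobs:
 private-key: ${{ secrets.STALE_LOCKING_APP_PRIVATE_KEY }}
 
 # Ref: https://github.com/dessant/lock-threads#usage
-- uses: dessant/lock-threads@v5
+- uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
 with:
 github-token: '${{ steps.generate-token.outputs.token }}'
 process-only: 'issues, prs'
@@ -73,7 +73,7 @@ jobs:
 log-output: true
 - if: failure()
 name: Send job failure notification e-mail
-uses: dawidd6/action-send-mail@v3.12.0
+uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
 with:
 server_address: ${{secrets.ACTION_MAIL_SERVER}}
 server_port: 465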

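--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions: {}
+
 jobs:
 triage:
 permissions: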
