Publish swagger.yaml from GitHub Actions on push to main and tags

Add a 'Publish swagger' workflow that builds pkg/api/swagger.yaml and
uploads it to the libpod-master-releases GCS bucket (swagger-latest.yaml
for main, swagger-<tag>.yaml for tags), reusing the same gcsupld container
as Cirrus with GCPJSON/GCPNAME supplied via repository secrets. Per-PR
uploads to libpod-pr-releases are dropped, as nothing consumes them.

The gcsupld image tag is hardcoded (copied from .cirrus.yml IMAGE_SUFFIX)
rather than read at runtime, since Cirrus CI is to be decommissioned soon.

Remove the now-migrated swagger_task from .cirrus.yml (and its success_task
dependency) and the _run_swagger handler from hack/ci/runner.sh, and update
docs/README.md to point at the new workflow. While at it, fix the link in
docs/README.md to hack/ci/README.md#docs-task, which had been dangling ever
since that file was removed in 2020 by commit 2c9084e.

Note: requires GCPJSON and GCPNAME to be configured as GitHub repository
secrets before the upload step can succeed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Author: kolyshkin

.cirrus.yml

@@ -380,31 +380,6 @@ bindings_task:
         time_script: '$SCRIPT_BASE/logcollector.sh time'
 
 
-# Build the "libpod" API documentation `swagger.yaml` and
-# publish it to google-cloud-storage (GCS).
-swagger_task:
-    name: "Test Swagger"
-    alias: swagger
-    depends_on: *build
-    gce_instance: *standardvm
-    env:
-        <<: *stdenvars
-        TEST_FLAVOR: swagger
-        CTR_FQIN: 'quay.io/libpod/gcsupld:${IMAGE_SUFFIX}'
-        GCPJSON: ENCRYPTED[927dc01e755eaddb4242b0845cf86c9098d1e3dffac38c70aefb1487fd8b4fe6dd6ae627b3bffafaba70e2c63172664e]
-        GCPNAME: ENCRYPTED[c145e9c16b6fb88d476944a454bf4c1ccc84bb4ecaca73bdd28bdacef0dfa7959ebc8171a27b2e4064d66093b2cdba49]
-        GCPPROJECT: 'libpod-218412'
-        TEST_BUILD_TAGS: ""
-    clone_script: *get_gosrc
-    setup_script: *setup
-    main_script: *main
-    always:
-        <<: *runner_stats
-        swagger_artifacts:
-            path: ./swagger.yaml
-            type: text/plain
-
-
 win_installer_task:
     name: "Verify Win Installer Build"
     matrix:
@@ -1095,7 +1070,6 @@ success_task:
     depends_on:
         - build_success
         - bindings
-        - swagger
         - win_installer
         - docker-py_test
         - unit_test

.github/workflows/swagger.yml

@@ -0,0 +1,72 @@
+name: Publish swagger
+
+# Build the libpod API spec (pkg/api/swagger.yaml) and publish it to the
+# public GCS bucket consumed by the API reference docs
+# (docs/source/_static/api.html -> https://storage.googleapis.com/libpod-master-releases/swagger-<version>.yaml).
+# Pushes to main publish "swagger-latest.yaml"; tags publish "swagger-<tag>.yaml".
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-swagger:
+    name: Build and publish swagger.yaml
+    runs-on: cncf-ubuntu-8-32-x86
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gawk \
+            libassuan-dev \
+            libbtrfs-dev \
+            libgpgme-dev \
+            libseccomp-dev \
+            libsystemd-dev \
+            libclone-perl \
+            man-db \
+            podman \
+            python3-pip
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Build swagger.yaml
+        run: make swagger
+
+      - name: Publish swagger.yaml to GCS
+        env:
+          GCPJSON: ${{ secrets.GCPJSON }}
+          GCPNAME: ${{ secrets.GCPNAME }}
+          GCPPROJECT: libpod-218412
+          # Pushes to main publish "latest"; tags publish under their tag name.
+          TO_GCSURI: gs://libpod-master-releases/swagger-${{ github.ref_type == 'tag' && github.ref_name || 'latest' }}.yaml
+          FROM_FILEPATH: /src/pkg/api/swagger.yaml
+          # Uploader image tag, copied from .cirrus.yml IMAGE_SUFFIX.
+          GCSUPLD_FQIN: quay.io/libpod/gcsupld:c20260425t010036z-f43f42d14
+        run: |
+          # Pass secrets through podman's environment (-e VAR) rather than an
+          # env-file so they are never written to disk.
+          podman run --rm --security-opt label=disable \
+            -e GCPJSON -e GCPNAME -e GCPPROJECT -e FROM_FILEPATH -e TO_GCSURI \
+            -v "$GITHUB_WORKSPACE:/src:ro" \
+            --workdir /src \
+            "$GCSUPLD_FQIN"

docs/README.md

@@ -35,8 +35,8 @@ The syntax for the formatting of all man pages can be found [here](MANPAGE_SYNTA
 
 The [latest online documentation](http://docs.podman.io/en/latest/_static/api.html) is
 automatically generated by two cooperating automation systems based on committed upstream
-source code.  Firstly, [the Cirrus-CI docs task](../hack/ci/README.md#docs-task) builds
-`pkg/api/swagger.yaml` and uploads it to a public-facing location (Google Storage Bucket -
+source code.  Firstly, the [`Publish swagger` GitHub Actions workflow](../.github/workflows/swagger.yml)
+builds `pkg/api/swagger.yaml` and uploads it to a public-facing location (Google Storage Bucket -
 an online service for storing unstructured data).  Second, [Read The Docs](readthedocs.com)
 reacts to the github.com repository change, building the content for the [libpod documentation
 site](https://podman.readthedocs.io/).  This site includes for the API section,

hack/ci/runner.sh

@@ -122,64 +122,6 @@ exec_container() {
         $CTR_FQIN bash -c "$SCRIPT_BASE/setup_environment.sh && $SCRIPT_BASE/runner.sh"
 }
 
-function _run_swagger() {
-    local upload_filename
-    local upload_bucket
-    local download_url
-    local envvarsfile
-    req_env_vars GCPJSON GCPNAME GCPPROJECT CTR_FQIN
-
-    # The filename and bucket depend on the automation context
-    #shellcheck disable=SC2154,SC2153
-    if [[ -n "$CIRRUS_PR" ]]; then
-        upload_bucket="libpod-pr-releases"
-        upload_filename="swagger-pr$CIRRUS_PR.yaml"
-    elif [[ -n "$CIRRUS_TAG" ]]; then
-        upload_bucket="libpod-master-releases"
-        upload_filename="swagger-$CIRRUS_TAG.yaml"
-    elif [[ "$CIRRUS_BRANCH" == "main" ]]; then
-        upload_bucket="libpod-master-releases"
-        # readthedocs versioning uses "latest" for "main" (default) branch
-        upload_filename="swagger-latest.yaml"
-    elif [[ -n "$CIRRUS_BRANCH" ]]; then
-        upload_bucket="libpod-master-releases"
-        upload_filename="swagger-$CIRRUS_BRANCH.yaml"
-    else
-        die "Unknown execution context, expected a non-empty value for \$CIRRUS_TAG, \$CIRRUS_BRANCH, or \$CIRRUS_PR"
-    fi
-
-    # Swagger validation takes a significant amount of time
-    msg "Pulling \$CTR_FQIN '$CTR_FQIN' (background process)"
-    showrun bin/podman pull --quiet $CTR_FQIN &
-
-    cd $GOSRC
-    showrun make swagger
-
-    # Cirrus-CI Artifact instruction expects file here
-    cp -v $GOSRC/pkg/api/swagger.yaml ./
-
-    envvarsfile=$(mktemp -p '' .tmp_$(basename $0)_XXXXXXXX)
-    trap "rm -f $envvarsfile" EXIT  # contains secrets
-    # Warning: These values must _not_ be quoted, podman will not remove them.
-    #shellcheck disable=SC2154
-    cat <<eof >>$envvarsfile
-GCPJSON=$GCPJSON
-GCPNAME=$GCPNAME
-GCPPROJECT=$GCPPROJECT
-FROM_FILEPATH=$GOSRC/swagger.yaml
-TO_GCSURI=gs://$upload_bucket/$upload_filename
-eof
-
-    msg "Waiting for backgrounded podman pull to complete..."
-    wait %%
-    showrun bin/podman run -it --rm --security-opt label=disable \
-        --env-file=$envvarsfile \
-        -v $GOSRC:$GOSRC:ro \
-        --workdir $GOSRC \
-        $CTR_FQIN
-    rm -f $envvarsfile
-}
-
 function _run_build() {
     # Ensure always start from clean-slate with all vendor modules downloaded
     showrun make clean