podman-container-tools · timcoding1988 · May 23, 2026 · May 26, 2026 · May 27, 2026 · May 27, 2026
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.github/filters.yaml b/.github/filters.yaml
@@ -0,0 +1,51 @@
+all:
+#  - '.github/workflows/ci.yml'
+#  - '.github/workflows/lima.yml'
+#  - '.github/workflows/windows.yml'
+#  - 'hack/**'
+#  - 'Makefile'
+#  - 'vendor/**'
+#  - 'test/tools/**'
+#  - 'test/registries*.conf'
+#  - 'version/rawversion/*'
+  - 'willnotmatch'
+
+apiv2:
+  - 'test/apiv2/**'
+  - 'test/python/**'
+
+bindings:
+ - 'pkg/bindings/test/**'
+
+docker_py:
+ - 'test/python/**'
+
+unit:
+  - '**/*_test.go'
+
+compose_v2:
+  - 'test/compose/**'
+
+int:
+  - 'test/e2e/**'
+  - 'test/utils/**'
+
+sys:
+  - 'test/system/**'
+
+machine:
+  - 'cmd/podman/machine/**'
+  - 'pkg/machine/**'
+  - '**/*machine*.go'
+
+upgrade:
+  - 'test/upgrade/**'
+  - 'test/system/*.bash'
+
+windows:
+  - 'winmake.ps1'
+  - 'hack/ci/win-*.ps1'
+  - '.github/workflows/windows.yml'
+
+installer:
+  - 'contrib/win-installer/**'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,326 @@
+name: "ci"
+
+on:
+  push:
+    branches:
+      - main
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+      - 'v*'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  path-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      all: ${{ steps.filter.outputs.all }}
+      apiv2: ${{ steps.filter.outputs.apiv2 }}
+      bindings: ${{ steps.filter.outputs.bindings }}
+      docker_py: ${{ steps.filter.outputs.docker_py }}
+      unit: ${{ steps.filter.outputs.unit }}
+      compose_v2: ${{ steps.filter.outputs.compose_v2 }}
+      int: ${{ steps.filter.outputs.int }}
+      sys: ${{ steps.filter.outputs.sys }}
+      machine: ${{ steps.filter.outputs.machine }}
+      upgrade: ${{ steps.filter.outputs.upgrade }}
+      windows: ${{ steps.filter.outputs.windows }}
+      installer: ${{ steps.filter.outputs.installer }}
+
+      code: ${{ steps.filter-code.outputs.code }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: filter
+        with:
+          filters: .github/filters.yaml
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: filter-code
+        with:
+          # Needed so all rules match
+          predicate-quantifier: 'every'
+          filters: |
+            code:
+              # First check for all source code files, but then because test files are also .go exclude them again.
+              - '**/*.@(go|c|h)'
+              - '!test/**'
+              - '!pkg/machine/e2e/**'
+              - '!pkg/bindings/test/**'
+
+
+  validate-source:
+    name: Validate source code changes
+    runs-on: cncf-ubuntu-8-32-x86
+    env:
+      # Base commit of this PR; used by the Makefile and the helper scripts to
+      # compute the commit range (git merge-base $DEST_BRANCH HEAD..HEAD).
+      DEST_BRANCH: ${{ github.event.pull_request.base.sha }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_HEAD: ${{ github.event.pull_request.head.sha }}
+      PR_BODY: ${{ github.event.pull_request.body }}
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Check out the actual PR head (not the synthetic merge commit) so
+          # the commit-range checks validate the contributor's commits.
+          ref: refs/pull/${{ github.event.pull_request.number }}/head
+          # Full history (all branches) is required for git merge-base to find
+          # the fork point against the base branch.
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gawk \
+            libassuan-dev \
+            libbtrfs-dev \
+            libgpgme-dev \
+            libseccomp-dev \
+            libsystemd-dev \
+            libclone-perl \
+            man-db \
+            podman \
+            python3-pip
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Read golangci-lint version from Makefile
+        id: gv
+        run: |
+          v=$(awk -F':=' '/^GOLANGCI_LINT_VERSION/ {gsub(/ /,"",$2); print $2; exit}' Makefile)
+          echo "version=v${v}" >> $GITHUB_OUTPUT
+
+      - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
+        with:
+          version: ${{ steps.gv.outputs.version }}
+          install-only: true
+
+      - name: Install pre-commit
+        run: pipx install pre-commit
+
+      - name: Validate source
+        run: make validate-source
+
+      - name: Build and validate the swagger API spec
+        # 'make swagger' builds pkg/api/swagger.yaml via the go-swagger tool,
+        # which validates that the spec generates cleanly.
+        run: make swagger
+
+      - name: Check that the PR includes tests
+        # The 'No New Tests' label lets maintainers override this check.
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'No New Tests') }}
+        run: make tests-included
+
+      - name: Validate renovate config
+        run: |
+          diffs=$(git diff --name-only "$DEST_BRANCH" "${PR_HEAD:-HEAD}")
+          # The renovate validator image is large, only pull it when needed.
+          if ! grep -E -q '^\.github/renovate\.json5' <<<"$diffs"; then
+            echo "renovate config unchanged, skipping."
+            exit 0
+          fi
+          echo "Checking renovate config."
+          podman run --rm \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            ghcr.io/renovatebot/renovate:latest \
+            renovate-config-validator
+
+      # IMPORTANT: keep this as the LAST step. Don't add anything after this.
+      # The 'git rebase' below rewrites HEAD and, on failure, leaves the
+      # checkout mid-rebase, so any step running afterwards would see a
+      # mutated/detached repo state.
+      - name: Build each commit
+        # Confirm that every commit in the PR builds on its own (so that
+        # 'git bisect' stays usable) and that no binary grows beyond the
+        # limit enforced by hack/ci/make-and-check-size.sh.
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          # The 'bloat_approved' label lets a repo admin override the binary
+          # size growth check in hack/ci/make-and-check-size.sh.
+          BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }}
+        run: |
+          # git rebase rewrites commits, so it needs a committer identity.
+          git config user.name "CI"
+          git config user.email "ci@podman.io"
+          context_dir=$(mktemp -d --tmpdir make-size-check.XXXXXXX)
+          savedhead=$(git rev-parse HEAD)
+          # Make a copy of the script as we'll be rolling git back.
+          cp -a ./hack/ci/make-and-check-size.sh .
+          # Replay only the PR's own commits: the fork point against the base
+          # branch, not the (possibly advanced) base branch tip.
+          pr_base=$(git merge-base "$DEST_BRANCH" HEAD)
+          # Build the PR base first; this run records the baseline binary
+          # sizes that subsequent (per-commit) runs compare against.
+          git checkout --quiet "$pr_base"
+          ./make-and-check-size.sh "$context_dir"
+          # Back to the PR head, then build (and size-check) each commit.
+          git checkout --quiet "$savedhead"
+          git rebase "$pr_base" -x "./make-and-check-size.sh $context_dir"
+          rm -rf "$context_dir" ./make-and-check-size.sh
+
+  build-alt:
+    name: Cross Build (Linux, FreeBSD)
+    runs-on: cncf-ubuntu-16-64-x86
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+      - name: Run cross build
+        run: make cross
+
+  build:
+    name: build ${{ matrix.distro }}
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [fedora-current, fedora-prior, fedora-rawhide, debian-sid]
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-8-32-x86
+      test: build
+      distro: ${{ matrix.distro }}
+      timeout: 20
+
+  big-tests:
+    needs: [path-filter, build, build-alt, validate-source]
+    name: ${{ matrix.test }} ${{ matrix.mode }} ${{ matrix.priv }} ${{ matrix.distro }}
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [fedora-current, fedora-prior, fedora-rawhide, debian-sid]
+        test: [sys, int]
+        priv: [rootless, root]
+        mode: [local, remote]
+        exclude:
+          # try to keep the task somewhat sane and not run remote test rootless
+          - priv: rootless
+            mode: remote
+        include:
+          # Add machine test
+          - test: machine
+            distro: fedora-current
+            priv: rootless
+            mode: local
+            timeout: 45
+          # Add buildah bud tests, only runs as root for now.
+          - test: bud
+            distro: fedora-current
+            priv: root
+            mode: local
+          - test: bud
+            distro: fedora-current
+            priv: root
+            mode: remote
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-8-32-x86
+      test: ${{ matrix.test }}
+      distro: ${{ matrix.distro }}
+      mode: ${{ matrix.mode }}
+      priv: ${{ matrix.priv }}
+      timeout: ${{ matrix.timeout || 30 }}
+      if: >-
+        github.event_name != 'pull_request' ||
+        needs.path-filter.outputs.all == 'true' ||
+        needs.path-filter.outputs.code == 'true' ||
+        needs.path-filter.outputs.${{ matrix.test }} == 'true'
+
+  small-tests:
+    needs: [path-filter, build, build-alt, validate-source]
+    name: ${{ matrix.test }} ${{ matrix.mode }} ${{ matrix.priv }} ${{ matrix.distro }}
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [fedora-current]
+        test: [apiv2, bindings, compose_v2, docker_py, unit]
+        priv: [rootless, root]
+        exclude:
+          # bindings, and docker_py, upgrade are only run as root
+          - test: bindings
+            priv: rootless
+          - test: docker_py
+            priv: rootless
+
+        include:
+          # need an extra include for the upgrade tests to set the mode
+          - test: upgrade
+            distro: fedora-current
+            mode: v5.3.1
+            priv: root
+          - test: upgrade
+            distro: fedora-current
+            mode: v5.6.2
+            priv: root
+
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-4-16-x86
+      test: ${{ matrix.test }}
+      distro: ${{ matrix.distro }}
+      priv: ${{ matrix.priv }}
+      mode: ${{ matrix.mode }}
+      timeout: 20
+      if: >-
+        github.event_name != 'pull_request' ||
+        needs.path-filter.outputs.all == 'true' ||
+        needs.path-filter.outputs.code == 'true' ||
+        needs.path-filter.outputs.${{ matrix.test }} == 'true'
+
+
+  windows:
+    needs: [path-filter, validate-source]
+    if: >-
+      github.event_name != 'pull_request' ||
+      needs.path-filter.outputs.all == 'true' ||
+      needs.path-filter.outputs.code == 'true' ||
+      needs.path-filter.outputs.windows == 'true' ||
+      needs.path-filter.outputs.machine == 'true' ||
+      needs.path-filter.outputs.installer == 'true'
+    uses: ./.github/workflows/windows.yml
+
+### TODO missing
+# Macos, build and libkrun/apple hv testing, needs the macos pool, Ashley works on it.
+# machine linux tests.
+# Farm, needs extra setup I need to look into
+
+  # Merge protection is setup for this job name, do not change it.
+  success:
+    name: "Total Success"
+    if: always()
+    needs:
+      - validate-source
+      - build
+      - build-alt
+      - big-tests
+      - small-tests
+      - windows
+      #- machine-linux
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all required jobs
+        run: |
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || \
+             [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+            echo "One or more required jobs failed or were cancelled"
+            exit 1
+          fi
+          echo "All required jobs passed or were skipped"