diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
deleted file mode 100644
index 7f79b67777..0000000000
--- a/.github/workflows/mac-pkg.yml
+++ /dev/null
@@ -1,145 +0,0 @@
-name: Sign and Upload Mac Installer [DEPRECATED]
-
-on:
- workflow_dispatch:
- inputs:
- version:
- description: 'Release version to build and upload (e.g. "v9.8.7")'
- required: true
- dryrun:
- description: 'Perform all the steps except uploading to the release page'
- required: true
- default: "true" # 'choice' type requires string value
- type: choice
- options:
- - "true" # Must be quoted string, boolean value not supported.
- - "false"
-
-permissions: {}
-
-jobs:
- build:
- runs-on: macos-latest
- permissions:
- contents: write
- env:
- APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
- CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
- INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
- PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
- CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
-
- NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
- NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
- NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
-
- KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
- steps:
- - name: Consolidate dryrun setting to always be true or false
- id: actual_dryrun
- env:
- INPUT_DRYRUN: ${{ inputs.dryrun }}
- run: |
- # The 'release' trigger will not have a 'dryrun' input set. Handle
- # this case in a readable/maintainable way.
- if [[ -z "${INPUT_DRYRUN}" ]] - then - echo "dryrun=false" >> $GITHUB_OUTPUT - else - echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT - fi - - name: Dry Run Status - env: - DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} - run: | - echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - - name: Determine Version - id: getversion - env: - INPUT_VERSION: ${{ inputs.version }} - TAG_NAME: ${{ github.event.release.tag_name }} - run: | - if [[ -z "${INPUT_VERSION}" ]] - then - VERSION=${TAG_NAME} - else - VERSION=${INPUT_VERSION} - fi - echo - echo "version=$VERSION" >> $GITHUB_OUTPUT - - name: Check uploads - id: check - env: - VERSION: ${{ steps.getversion.outputs.version }} - run: | - URI="https://github.com/containers/podman/releases/download/${VERSION}" - ARM_FILE="podman-installer-macos-arm64.pkg" - - status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}") - if [[ "$status" == "404" ]] ; then - echo "buildarm=true" >> $GITHUB_OUTPUT - else - echo "::warning::ARM installer already exists, skipping" - echo "buildarm=false" >> $GITHUB_OUTPUT - fi - - name: Checkout Version - if: >- - steps.check.outputs.buildarm == 'true' || - steps.actual_dryrun.outputs.dryrun == 'true' - uses: actions/checkout@v6 - with: - ref: ${{steps.getversion.outputs.version}} - persist-credentials: false - - name: Set up Go - # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases - if: >- - steps.check.outputs.buildarm == 'true' || - steps.actual_dryrun.outputs.dryrun == 'true' - uses: actions/setup-go@v6 - with: - go-version: stable - cache: false - - name: Create Keychain - if: >- - steps.check.outputs.buildarm == 'true' || - steps.actual_dryrun.outputs.dryrun == 'true' - run: | - echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12 - echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12 - - security create-keychain -p "$KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security unlock-keychain 
-p "$KEYCHAIN_PWD" build.keychain - security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign - security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null - - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null - - name: Build and Sign ARM - if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true' - working-directory: contrib/pkginstaller - run: | - make ARCH=aarch64 notarize &> /dev/null - cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums - - name: Artifact - if: >- - steps.check.outputs.buildarm == 'true' || - steps.actual_dryrun.outputs.dryrun == 'true' - uses: actions/upload-artifact@v7 - with: - name: installers - path: | - contrib/pkginstaller/out/podman-installer-macos-*.pkg - contrib/pkginstaller/out/shasums - - name: Upload to Release - if: >- - steps.actual_dryrun.outputs.dryrun == 'false' && - steps.check.outputs.buildarm == 'true' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION: ${{ steps.getversion.outputs.version }} - run: | - (gh release download "${VERSION}" -p "shasums" || exit 0) - cat contrib/pkginstaller/out/shasums >> shasums - gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg - gh release upload "${VERSION}" --clobber shasums diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml new file mode 100644 index 0000000000..43c61decb3 --- /dev/null +++ b/.github/workflows/mac.yml 
@@ -0,0 +1,132 @@
+name: Mac
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - '.github/workflows/mac.yml'
+ - 'Makefile'
+ - 'contrib/gha/mac/**'
+ - 'vendor/**'
+ - 'test/tools/**'
+ - 'test/registries*.conf'
+ - 'hack/**'
+ - 'version/rawversion/*'
+ - 'cmd/podman/machine/**'
+ - 'pkg/machine/**'
+ - '**/*machine*.go'
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ name: build (darwin arm64)
+ runs-on: macos-15
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Cache golangci-lint
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ with:
+ path: ~/Library/Caches/golangci-lint
+ key: ${{ runner.os }}-golangci-${{ hashFiles('**/go.sum', '**/.golangci.yml') }}
+ restore-keys: |
+ ${{ runner.os }}-golangci-
+
+ - name: Lint
+ run: make golangci-lint
+
+ - name: Build core binaries
+ run: |
+ make .install.ginkgo
+ make podman-remote
+ make podman-mac-helper
+
+ - name: Upload test binaries
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: podman-bin
+ # Single path keeps the `bin/` prefix; a path list would trigger LCA
+ # stripping and lose it, breaking chmod in the machine job.
+ path: bin
+ if-no-files-found: error
+
+ - name: Build .pkg installer
+ run: |
+ pushd contrib/pkginstaller
+ make ARCH=aarch64 NO_CODESIGN=1 pkginstaller
+ popd
+
+ - name: Build release zip
+ run: make podman-remote-release-darwin_arm64.zip
+
+ - name: Upload release artifacts
+ if: always()
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: podman-darwin-arm64
+ path: |
+ podman-remote-release-darwin_arm64.zip
+ contrib/pkginstaller/out/podman-installer-macos-*.pkg
+ if-no-files-found: error
+
+ machine:
+ name: machine (${{ matrix.provider }})
+ needs: build
+ runs-on:
+ group: mac-pool
+ timeout-minutes: 60
+ strategy:
+ fail-fast: false
+ max-parallel: 1
+ matrix:
+ provider: [applehv, libkrun]
+ env:
+ PROVIDER: ${{ matrix.provider }}
+ CONTAINERS_MACHINE_PROVIDER: ${{ matrix.provider }}
+ # machine_test.go rejects TMPDIR >= 22 chars on darwin (socket path budget).
+ TMPDIR: /private/tmp
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Pre-clean machine state
+ run: ./contrib/gha/mac/clean_state.sh
+
+ - name: Download test binaries
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ name: podman-bin
+ # `path: bin` on upload sent the *contents* of bin/ (no prefix).
+ # Extract into bin/ to restore the layout.
+ path: bin
+
+ - name: Restore executable bits
+ run: chmod +x bin/ginkgo bin/darwin/podman bin/darwin/podman-mac-helper
+
+ - name: Run machine e2e
+ run: make localmachine
+
+ - name: Post-run cleanup
+ if: always()
+ run: ./contrib/gha/mac/clean_state.sh
diff --git a/contrib/gha/mac/clean_state.sh b/contrib/gha/mac/clean_state.sh
new file mode 100755
index 0000000000..48bf7dad78
--- /dev/null
+++ b/contrib/gha/mac/clean_state.sh
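Review bot: The `machine` job runs pull_request-triggered code on `runs-on: group: mac-pool` with no gate on where the PR comes from, so if that group is a persistent (self-hosted) pool, the binaries built from an unreviewed fork PR in `build` are downloaded and executed there by `make localmachine`, and `clean_state.sh` then kills processes and removes `$HOME` state on the same host. GitHub's approval-for-outside-contributors setting reduces this exposure but the repository settings are not visible here, and nothing in the hunk states that the runners are re-imaged between jobs. If the pool is not ephemeral, consider restricting the job to same-repository PRs, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or add a comment on the `runs-on` block recording the isolation guarantee the pool provides. The `build` job on `macos-15` with `permissions: contents: read` and SHA-pinned actions is fine as written.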
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Best-effort cleanup of podman machine state and leaked test processes.
+
+set +e
+
+pkill -f vfkit 2>/dev/null || true
+pkill -f krunkit 2>/dev/null || true
+pkill -f gvproxy 2>/dev/null || true
+pkill -f ginkgo 2>/dev/null || true
+
+rm -rf "$HOME/.local/share/containers/podman/machine" 2>/dev/null || true
+rm -rf "$HOME/.config/containers/podman" 2>/dev/null || true
+rm -rf "${TMPDIR:-/private/tmp}/podman" 2>/dev/null || true
+
+true
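Review bot: `pkill -f vfkit` and the three lines after it match against the full command line of every process on the host, so on a persistent runner any unrelated process whose arguments merely contain `vfkit`, `krunkit`, `gvproxy` or `ginkgo` is killed too, not only the leaked test helpers the header comment describes. If these helpers are launched by their plain executable names, `pkill -x vfkit` (exact process-name match, without `-f`) limits the kill to the intended processes; otherwise anchor the pattern, e.g. `pkill -f '(^|/)gvproxy( |$)'`. The `rm -rf "$HOME/.config/containers/podman"` line also discards any operator-provisioned user config on that host, which deserves a comment stating that the runner is expected to carry none.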