Migrate validate-source, build-each-commit, swagger-check, cross (alt) from cirrus to gha

.github/workflows/ci.yml

@@ -0,0 +1,138 @@
+name: "ci"
+
+on:
+  push:
+    branches:
+      - main
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+      - 'v*'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate-source:
+    name: Validate source code changes
+    runs-on: cncf-ubuntu-8-32-x86
+    env:
+      # Base commit of this PR; used by the Makefile and the helper scripts to
+      # compute the commit range (git merge-base $DEST_BRANCH HEAD..HEAD).
+      DEST_BRANCH: ${{ github.event.pull_request.base.sha }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_HEAD: ${{ github.event.pull_request.head.sha }}
+      PR_BODY: ${{ github.event.pull_request.body }}
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Check out the actual PR head (not the synthetic merge commit) so
+          # the commit-range checks validate the contributor's commits.
+          ref: refs/pull/${{ github.event.pull_request.number }}/head
+          # Full history (all branches) is required for git merge-base to find
+          # the fork point against the base branch.
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gawk \
+            libassuan-dev \
+            libbtrfs-dev \
+            libgpgme-dev \
+            libseccomp-dev \
+            libsystemd-dev \
+            libclone-perl \
+            man-db \
+            podman \
+            python3-pip
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Read golangci-lint version from Makefile
+        id: gv
+        run: |
+          v=$(awk -F':=' '/^GOLANGCI_LINT_VERSION/ {gsub(/ /,"",$2); print $2; exit}' Makefile)
+          echo "version=v${v}" >> $GITHUB_OUTPUT
+
+      - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
+        with:
+          version: ${{ steps.gv.outputs.version }}
+          install-only: true
+
+      - name: Install pre-commit
+        run: pipx install pre-commit
+
+      - name: Validate source
+        run: make validate-source
+
+      - name: Cross Build (Linux, FreeBSD)
+        run: make cross
+
+      - name: Build and validate the swagger API spec
+        # 'make swagger' builds pkg/api/swagger.yaml via the go-swagger tool,
+        # which validates that the spec generates cleanly.
+        run: make swagger
+
+      - name: Check that the PR includes tests
+        # The 'No New Tests' label lets maintainers override this check.
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'No New Tests') }}
+        run: make tests-included
+
+      - name: Validate renovate config
+        run: |
+          diffs=$(git diff --name-only "$DEST_BRANCH" "${PR_HEAD:-HEAD}")
+          # The renovate validator image is large, only pull it when needed.
+          if ! grep -E -q '^\.github/renovate\.json5' <<<"$diffs"; then
+            echo "renovate config unchanged, skipping."
+            exit 0
+          fi
+          echo "Checking renovate config."
+          podman run --rm \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            ghcr.io/renovatebot/renovate:latest \
+            renovate-config-validator
+
+      # IMPORTANT: keep this as the LAST step. Don't add anything after this.
+      # The 'git rebase' below rewrites HEAD and, on failure, leaves the
+      # checkout mid-rebase, so any step running afterwards would see a
+      # mutated/detached repo state.
+      - name: Build each commit
+        # Confirm that every commit in the PR builds on its own (so that
+        # 'git bisect' stays usable) and that no binary grows beyond the
+        # limit enforced by hack/ci/make-and-check-size.sh.
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          # The 'bloat_approved' label lets a repo admin override the binary
+          # size growth check in hack/ci/make-and-check-size.sh.
+          BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }}
+        run: |
+          # git rebase rewrites commits, so it needs a committer identity.
+          git config user.name "CI"
+          git config user.email "ci@podman.io"
+          context_dir=$(mktemp -d --tmpdir make-size-check.XXXXXXX)
+          savedhead=$(git rev-parse HEAD)
+          # Make a copy of the script as we'll be rolling git back.
+          cp -a ./hack/ci/make-and-check-size.sh .
+          # Replay only the PR's own commits: the fork point against the base
+          # branch, not the (possibly advanced) base branch tip.
+          pr_base=$(git merge-base "$DEST_BRANCH" HEAD)
+          # Build the PR base first; this run records the baseline binary
+          # sizes that subsequent (per-commit) runs compare against.
+          git checkout --quiet "$pr_base"
+          ./make-and-check-size.sh "$context_dir"
+          # Back to the PR head, then build (and size-check) each commit.
+          git checkout --quiet "$savedhead"
+          git rebase "$pr_base" -x "./make-and-check-size.sh $context_dir"
+          rm -rf "$context_dir" ./make-and-check-size.sh

.github/workflows/swagger.yml

@@ -0,0 +1,72 @@
+name: Publish swagger
+
+# Build the libpod API spec (pkg/api/swagger.yaml) and publish it to the
+# public GCS bucket consumed by the API reference docs
+# (docs/source/_static/api.html -> https://storage.googleapis.com/libpod-master-releases/swagger-<version>.yaml).
+# Pushes to main publish "swagger-latest.yaml"; tags publish "swagger-<tag>.yaml".
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-swagger:
+    name: Build and publish swagger.yaml
+    runs-on: cncf-ubuntu-8-32-x86
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gawk \
+            libassuan-dev \
+            libbtrfs-dev \
+            libgpgme-dev \
+            libseccomp-dev \
+            libsystemd-dev \
+            libclone-perl \
+            man-db \
+            podman \
+            python3-pip
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Build swagger.yaml
+        run: make swagger
+
+      - name: Publish swagger.yaml to GCS
+        env:
+          GCPJSON: ${{ secrets.GCPJSON }}
+          GCPNAME: ${{ secrets.GCPNAME }}
+          GCPPROJECT: libpod-218412
+          # Pushes to main publish "latest"; tags publish under their tag name.
+          TO_GCSURI: gs://libpod-master-releases/swagger-${{ github.ref_type == 'tag' && github.ref_name || 'latest' }}.yaml
+          FROM_FILEPATH: /src/pkg/api/swagger.yaml
+          # Uploader image tag, copied from .cirrus.yml IMAGE_SUFFIX.
+          GCSUPLD_FQIN: quay.io/libpod/gcsupld:c20260425t010036z-f43f42d14
+        run: |
+          # Pass secrets through podman's environment (-e VAR) rather than an
+          # env-file so they are never written to disk.
+          podman run --rm --security-opt label=disable \
+            -e GCPJSON -e GCPNAME -e GCPPROJECT -e FROM_FILEPATH -e TO_GCSURI \
+            -v "$GITHUB_WORKSPACE:/src:ro" \
+            --workdir /src \
+            "$GCSUPLD_FQIN"

Makefile

@@ -763,11 +763,7 @@ test-binaries: test/checkseccomp/checkseccomp test/goecho/goecho test/version/ve
 
 .PHONY: tests-included
 tests-included:
-	contrib/cirrus/pr-should-include-tests
-
-.PHONY: test-jira-links-included
-test-jira-links-included:
-	contrib/cirrus/pr-should-link-jira
+	hack/ci/pr-should-include-tests
 
 .PHONY: tests-expect-exit
 tests-expect-exit:
@@ -781,7 +777,7 @@ tests-expect-exit:
 
 .PHONY: pr-removes-fixed-skips
 pr-removes-fixed-skips:
-	contrib/cirrus/pr-removes-fixed-skips
+	hack/ci/pr-removes-fixed-skips
 
 ###
 ### Release/Packaging targets