From ca5a1a551c931ddf375f6a934612c0244af94ab7 Mon Sep 17 00:00:00 2001 From: Tim Zhou Date: Fri, 1 May 2026 12:00:05 -0400 Subject: [PATCH 1/4] ci: migrate PR-blocking checks from Cirrus to GitHub Actions Mirrors validate, doccheck, cross, osx, test_skopeo, and ostree_rs_ext from containers/skopeo's .cirrus.yml into a GH Actions workflow on podman-io/skopeo-sandbox. Signed-off-by: Tim Zhou --- .github/actionlint.yaml | 8 ++ .github/workflows/ci.yml | 172 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 180 insertions(+) create mode 100644 .github/actionlint.yaml create mode 100644 .github/workflows/ci.yml diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 0000000000..8a8916d45c --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,8 @@ +self-hosted-runner: + labels: + - oracle-vm-2cpu-8gb-x86-64 + - oracle-vm-4cpu-16gb-x86-64 + - oracle-vm-8cpu-32gb-x86-64 + - oracle-vm-16cpu-64gb-x86-64 + - oracle-vm-24cpu-96gb-x86-64 + - oracle-vm-32cpu-128gb-x86-64 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..bdf360105b --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,172 @@ +# CI workflow for podman-io/skopeo-sandbox. +# Mirrors the PR-blocking tasks from the old containers/skopeo .cirrus.yml. +# +# Runners: podman-io self-hosted Oracle VM pool. Per-class labels +# (oracle-vm-Ncpu-Mgb-x86-64) target a specific size and arch. + +name: CI + +on: + pull_request: + push: + branches: [main] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + validate: + runs-on: oracle-vm-4cpu-16gb-x86-64 + timeout-minutes: 45 + container: + image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} + steps: + - uses: actions/checkout@v6 + - name: fix git safe.directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - run: make tools + - run: make validate-local + - name: vendor + tree status + run: | + make vendor + hack/tree_status.sh + + doccheck: + needs: validate + runs-on: oracle-vm-4cpu-16gb-x86-64 + timeout-minutes: 45 + container: + image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} + env: + BUILDTAGS: containers_image_openpgp + steps: + - uses: actions/checkout@v6 + - name: fix git safe.directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: remove pre-installed skopeo package + run: dnf remove -y skopeo + - name: build + install + run: | + make bin/skopeo + make install PREFIX=/usr/local + - run: make validate-docs + + cross: + needs: validate + if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + runs-on: oracle-vm-2cpu-8gb-x86-64 + timeout-minutes: 45 + container: + image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} + env: + BUILDTAGS: containers_image_openpgp + steps: + - uses: actions/checkout@v6 + - name: fix git safe.directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - run: make local-cross + + osx: + needs: validate + if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + runs-on: macos-14 + timeout-minutes: 45 + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v5 + with: + go-version: stable + - name: configure GOBIN (Makefile's `tools` target installs golangci-lint to $GOBIN) + run: | + mkdir -p "$HOME/go/bin" + echo "GOBIN=$HOME/go/bin" >> "$GITHUB_ENV" + echo "$HOME/go/bin" >> "$GITHUB_PATH" + - name: brew install gpgme (CGo dep for github.com/proglottis/gpgme) + run: brew install gpgme + - run: go version + - run: make tools + - run: make validate-local test-unit-local bin/skopeo + - run: ./bin/skopeo -v + + test_skopeo: + needs: validate + if: >- + !contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]') + && !contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:BUILD]') + runs-on: oracle-vm-2cpu-8gb-x86-64 + timeout-minutes: 45 + name: test_skopeo / ${{ matrix.name }} + strategy: + fail-fast: false + matrix: + include: + - name: Skopeo Test + buildtags: "" + image_name: skopeo_cidev + - name: Skopeo Test w/ openpgp + buildtags: containers_image_openpgp + image_name: skopeo_cidev + - name: Skopeo Test w/ Sequoia + buildtags: containers_image_sequoia + # podman-sequoia is now installed in skopeo_cidev for F43+ + # (containers/automation_images@46088a81, 2025-11-21), so the + # Cirrus-era Rawhide-VM detour isn't needed any more. The + # original .cirrus.yml is just stale on this point — see + # automation_images/cache_images/fedora_packaging.sh. + image_name: skopeo_cidev + container: + image: quay.io/libpod/${{ matrix.image_name }}:${{ vars.IMAGE_TAG }} + options: --privileged + env: + BUILDTAGS: ${{ matrix.buildtags }} + steps: + - uses: actions/checkout@v6 + - name: fix git safe.directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - run: make vendor + - name: build + install + run: | + make bin/skopeo + make install PREFIX=/usr/local + - run: make test-unit-local + - run: make test-integration-local + - run: make test-system-local + + ostree_rs_ext: + needs: validate + if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + runs-on: oracle-vm-4cpu-16gb-x86-64 + timeout-minutes: 45 + container: + image: quay.io/coreos-assembler/fcos-buildroot:testing-devel + steps: + - uses: actions/checkout@v6 + - name: fix git safe.directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: install rustup stable + run: | + dnf remove -y rust + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal + echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" + - name: build + install skopeo + run: | + dnf builddep -y skopeo + make + make install + - name: clone ostree-rs-ext + cargo build + run: | + git clone --depth 1 https://github.com/ostreedev/ostree-rs-ext.git /tmp/ostree-rs-ext + cd /tmp/ostree-rs-ext + cargo test --no-run + - name: cargo test + run: | + cd /tmp/ostree-rs-ext + cargo test -- --nocapture --quiet + + success: + needs: [validate, doccheck, cross, osx, test_skopeo, ostree_rs_ext] + runs-on: oracle-vm-2cpu-8gb-x86-64 + timeout-minutes: 45 + steps: + - run: "true" From 110eafa71c829fe616479eda733300528dddfefa Mon Sep 17 00:00:00 2001 From: Tim Zhou Date: Tue, 12 May 2026 00:02:08 -0400 Subject: [PATCH 2/4] ci: address review feedback on workflow Signed-off-by: Tim Zhou --- .github/workflows/ci.yml | 75 ++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 45 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bdf360105b..f3c75ee7b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,9 +1,3 @@ -# CI workflow for podman-io/skopeo-sandbox. -# Mirrors the PR-blocking tasks from the old containers/skopeo .cirrus.yml. -# -# Runners: podman-io self-hosted Oracle VM pool. Per-class labels -# (oracle-vm-Ncpu-Mgb-x86-64) target a specific size and arch. - name: CI on: @@ -11,6 +5,9 @@ on: push: branches: [main] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -38,8 +35,6 @@ jobs: timeout-minutes: 45 container: image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} - env: - BUILDTAGS: containers_image_openpgp steps: - uses: actions/checkout@v6 - name: fix git safe.directory @@ -48,43 +43,40 @@ jobs: run: dnf remove -y skopeo - name: build + install run: | - make bin/skopeo - make install PREFIX=/usr/local - - run: make validate-docs + make BUILDTAGS=containers_image_openpgp bin/skopeo + make BUILDTAGS=containers_image_openpgp install PREFIX=/usr/local + - run: make BUILDTAGS=containers_image_openpgp validate-docs cross: needs: validate if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" - runs-on: oracle-vm-2cpu-8gb-x86-64 + runs-on: ubuntu-latest timeout-minutes: 45 - container: - image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} - env: - BUILDTAGS: containers_image_openpgp steps: - uses: actions/checkout@v6 - - name: fix git safe.directory - run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - run: make local-cross + - uses: actions/setup-go@v6 + with: + go-version: stable + - run: make BUILDTAGS=containers_image_openpgp local-cross osx: needs: validate if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" - runs-on: macos-14 + runs-on: macos-latest timeout-minutes: 45 steps: - uses: actions/checkout@v6 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: stable - - name: configure GOBIN (Makefile's `tools` target installs golangci-lint to $GOBIN) + - name: configure GOPATH (Makefile resolves GOBIN as $(GOPATH)/bin) run: | - mkdir -p "$HOME/go/bin" - echo "GOBIN=$HOME/go/bin" >> "$GITHUB_ENV" - echo "$HOME/go/bin" >> "$GITHUB_PATH" + GOPATH="$(go env GOPATH)" + mkdir -p "$GOPATH/bin" + echo "GOPATH=$GOPATH" >> "$GITHUB_ENV" + echo "$GOPATH/bin" >> "$GITHUB_PATH" - name: brew install gpgme (CGo dep for github.com/proglottis/gpgme) run: brew install gpgme - - run: go version - run: make tools - run: make validate-local test-unit-local bin/skopeo - run: ./bin/skopeo -v @@ -103,23 +95,13 @@ jobs: include: - name: Skopeo Test buildtags: "" - image_name: skopeo_cidev - name: Skopeo Test w/ openpgp buildtags: containers_image_openpgp - image_name: skopeo_cidev - name: Skopeo Test w/ Sequoia buildtags: containers_image_sequoia - # podman-sequoia is now installed in skopeo_cidev for F43+ - # (containers/automation_images@46088a81, 2025-11-21), so the - # Cirrus-era Rawhide-VM detour isn't needed any more. The - # original .cirrus.yml is just stale on this point — see - # automation_images/cache_images/fedora_packaging.sh. - image_name: skopeo_cidev container: - image: quay.io/libpod/${{ matrix.image_name }}:${{ vars.IMAGE_TAG }} + image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} options: --privileged - env: - BUILDTAGS: ${{ matrix.buildtags }} steps: - uses: actions/checkout@v6 - name: fix git safe.directory @@ -127,11 +109,11 @@ jobs: - run: make vendor - name: build + install run: | - make bin/skopeo - make install PREFIX=/usr/local - - run: make test-unit-local - - run: make test-integration-local - - run: make test-system-local + make "BUILDTAGS=${{ matrix.buildtags }}" bin/skopeo + make "BUILDTAGS=${{ matrix.buildtags }}" install PREFIX=/usr/local + - run: make "BUILDTAGS=${{ matrix.buildtags }}" test-unit-local + - run: make "BUILDTAGS=${{ matrix.buildtags }}" test-integration-local + - run: make "BUILDTAGS=${{ matrix.buildtags }}" test-system-local ostree_rs_ext: needs: validate @@ -166,7 +148,10 @@ jobs: success: needs: [validate, doccheck, cross, osx, test_skopeo, ostree_rs_ext] - runs-on: oracle-vm-2cpu-8gb-x86-64 - timeout-minutes: 45 + if: always() + runs-on: ubuntu-latest + timeout-minutes: 5 steps: - - run: "true" + - name: check all required jobs succeeded + run: | + echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success" or .value.result == "skipped")' From c3284d259f6f79f66db13048473edf41a00f204c Mon Sep 17 00:00:00 2001 From: Tim Zhou Date: Thu, 28 May 2026 13:26:44 -0400 Subject: [PATCH 3/4] ci: add path-filter, Total Success, drop Cirrus leftovers Signed-off-by: Tim Zhou --- .github/filters.yaml | 29 +++++++++++++ .github/workflows/ci.yml | 90 ++++++++++++++++++++++++++++++++-------- .packit.yaml | 2 +- Makefile | 11 ++--- hack/get_ci_vm.sh | 61 --------------------------- hack/get_fqin.sh | 34 --------------- 6 files changed, 108 insertions(+), 119 deletions(-) create mode 100644 .github/filters.yaml delete mode 100755 hack/get_ci_vm.sh delete mode 100755 hack/get_fqin.sh diff --git a/.github/filters.yaml b/.github/filters.yaml new file mode 100644 index 0000000000..3b4fd7de1f --- /dev/null +++ b/.github/filters.yaml @@ -0,0 +1,29 @@ +# Path filters for .github/workflows/ci.yml, consumed by dorny/paths-filter. +# When a PR touches none of `all` or `code`, the heavier optional jobs +# (cross/osx/ostree_rs_ext) are skipped. validate/doccheck/test_skopeo always +# run regardless. + +# Anything that should invalidate every skip decision. +all: + - '.github/workflows/ci.yml' + - '.github/filters.yaml' + - 'Makefile' + - 'hack/**' + - 'vendor/**' + - 'go.mod' + - 'go.sum' + +# Production Go source. Tests and bats are excluded so a test-only diff +# does not force every "code" gated job to run. +code: + - '**/*.go' + - '!**/*_test.go' + - '!systemtest/**' + - '!integration/**' + +# Docs-only signal kept for symmetry. Not directly gated on; the run rule is +# "all OR code matched", so a pure-docs change naturally skips heavy jobs. +docs: + - 'docs/**' + - 'docs-experimental/**' + - '**/*.md' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3c75ee7b1..bdde287902 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,17 +9,35 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true jobs: + path-filter: + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + all: ${{ steps.filter.outputs.all }} + code: ${{ steps.filter.outputs.code }} + docs: ${{ steps.filter.outputs.docs }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 + id: filter + with: + filters: .github/filters.yaml + validate: runs-on: oracle-vm-4cpu-16gb-x86-64 timeout-minutes: 45 container: image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: fix git safe.directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - run: make tools @@ -36,7 +54,9 @@ jobs: container: image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: fix git safe.directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: remove pre-installed skopeo package @@ -48,25 +68,37 @@ jobs: - run: make BUILDTAGS=containers_image_openpgp validate-docs cross: - needs: validate - if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + needs: [validate, path-filter] + if: >- + !contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]') + && (github.event_name != 'pull_request' + || needs.path-filter.outputs.all == 'true' + || needs.path-filter.outputs.code == 'true') runs-on: ubuntu-latest timeout-minutes: 45 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable - run: make BUILDTAGS=containers_image_openpgp local-cross osx: - needs: validate - if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + needs: [validate, path-filter] + if: >- + !contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]') + && (github.event_name != 'pull_request' + || needs.path-filter.outputs.all == 'true' + || needs.path-filter.outputs.code == 'true') runs-on: macos-latest timeout-minutes: 45 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable - name: configure GOPATH (Makefile resolves GOBIN as $(GOPATH)/bin) @@ -103,7 +135,9 @@ jobs: image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} options: --privileged steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: fix git safe.directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - run: make vendor @@ -116,14 +150,20 @@ jobs: - run: make "BUILDTAGS=${{ matrix.buildtags }}" test-system-local ostree_rs_ext: - needs: validate - if: "!contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]')" + needs: [validate, path-filter] + if: >- + !contains(github.event.pull_request.title || github.event.head_commit.message, '[CI:DOCS]') + && (github.event_name != 'pull_request' + || needs.path-filter.outputs.all == 'true' + || needs.path-filter.outputs.code == 'true') runs-on: oracle-vm-4cpu-16gb-x86-64 timeout-minutes: 45 container: image: quay.io/coreos-assembler/fcos-buildroot:testing-devel steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: fix git safe.directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: install rustup stable @@ -146,12 +186,26 @@ jobs: cd /tmp/ostree-rs-ext cargo test -- --nocapture --quiet + # Merge protection is set up for this job name, do not change it. success: - needs: [validate, doccheck, cross, osx, test_skopeo, ostree_rs_ext] + name: "Total Success" + needs: + - path-filter + - validate + - doccheck + - cross + - osx + - test_skopeo + - ostree_rs_ext if: always() runs-on: ubuntu-latest timeout-minutes: 5 steps: - - name: check all required jobs succeeded + - name: Check all required jobs run: | - echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success" or .value.result == "skipped")' + if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || \ + [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then + echo "One or more required jobs failed or were cancelled" + exit 1 + fi + echo "All required jobs passed or were skipped" diff --git a/.packit.yaml b/.packit.yaml index 82fcf8cc09..29d4a85580 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -4,7 +4,7 @@ # NOTE: The Packit copr_build tasks help to check if every commit builds on # supported Fedora and CentOS Stream arches. -# They do not block the current Cirrus-based workflow. +# They do not block the GitHub Actions PR workflow. downstream_package_name: skopeo upstream_tag_template: v{version} diff --git a/Makefile b/Makefile index be5a33355d..ecc63c651f 100644 --- a/Makefile +++ b/Makefile @@ -68,10 +68,11 @@ CI ?= # modify local configuration files and services. export SKOPEO_CONTAINER_TESTS ?= $(if $(CI),1,0) -# This is a compromise, we either use a container for this or require -# the local user to have a compatible python3 development environment. -# Define it as a "resolve on use" variable to avoid calling out when possible -SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh) +# Container image used by the test-integration / test-system wrapper targets. +# Set this to a skopeo_cidev image (e.g. quay.io/libpod/skopeo_cidev:) +# when running those targets locally. If unset, the wrapper targets will fail +# loudly with an empty image reference. +SKOPEO_CIDEV_CONTAINER_FQIN ?= CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1 # if this session isn't interactive, then we don't want to allocate a # TTY, which would fail, but if it is interactive, we do want to attach @@ -106,7 +107,7 @@ endif all: bin/skopeo docs codespell: - codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L fpr,uint,iff,od,ERRO -w + codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L fpr,uint,iff,od,ERRO -w help: @echo "Usage: make " diff --git a/hack/get_ci_vm.sh b/hack/get_ci_vm.sh deleted file mode 100755 index 0073bad3da..0000000000 --- a/hack/get_ci_vm.sh +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/env bash - -# -# For help and usage information, simply execute the script w/o any arguments. -# -# This script is intended to be run by Red Hat skopeo developers who need -# to debug problems specifically related to Cirrus-CI automated testing. -# It requires that you have been granted prior access to create VMs in -# google-cloud. For non-Red Hat contributors, VMs are available as-needed, -# with supervision upon request. - -set -e - -SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}") -SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH") -REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../") - -# Help detect if we were called by get_ci_vm container -GET_CI_VM="${GET_CI_VM:-0}" -in_get_ci_vm() { - if ((GET_CI_VM==0)); then - echo "Error: $1 is not intended for use in this context" - exit 2 - fi -} - -# get_ci_vm APIv1 container entrypoint calls into this script -# to obtain required repo. specific configuration options. -if [[ "$1" == "--config" ]]; then - in_get_ci_vm "$1" - cat < /dev/stderr - ${GOSRC}/${SCRIPT_BASE}/runner.sh setup -else - # Create and access VM for specified Cirrus-CI task - mkdir -p $HOME/.config/gcloud/ssh - podman run -it --rm \ - --tz=local \ - -e NAME="$USER" \ - -e SRCDIR=/src \ - -e GCLOUD_ZONE="$GCLOUD_ZONE" \ - -e DEBUG="${DEBUG:-0}" \ - -v $REPO_DIRPATH:/src:O \ - -v $HOME/.config/gcloud:/root/.config/gcloud:z \ - -v $HOME/.config/gcloud/ssh:/root/.ssh:z \ - quay.io/libpod/get_ci_vm:latest "$@" -fi diff --git a/hack/get_fqin.sh b/hack/get_fqin.sh deleted file mode 100755 index 8076d10dad..0000000000 --- a/hack/get_fqin.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -# This script is intended to be called from the Makefile. It's purpose -# is to automation correspondence between the environment used for local -# development and CI. - -set -e - -SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}") -SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH") -REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../") - -# When running under CI, we already have the necessary information, -# simply provide it to the Makefile. -if [[ -n "$SKOPEO_CIDEV_CONTAINER_FQIN" ]]; then - echo "$SKOPEO_CIDEV_CONTAINER_FQIN" - exit 0 -fi - -if [[ -n $(command -v podman) ]]; then CONTAINER_RUNTIME=podman; fi -CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-docker} - -# Borrow the get_ci_vm container image since it's small, and -# by necessity contains a script that can accurately interpret -# env. var. values from any .cirrus.yml runtime context. -$CONTAINER_RUNTIME run --rm \ - --security-opt label=disable \ - -v $REPO_DIRPATH:/src:ro \ - --entrypoint=/usr/share/automation/bin/cirrus-ci_env.py \ - quay.io/libpod/get_ci_vm:latest \ - --envs="Skopeo Test" /src/.cirrus.yml | \ - grep -E -m1 '^SKOPEO_CIDEV_CONTAINER_FQIN' | \ - awk -F "=" -e '{print $2}' | \ - tr -d \'\" From 8eae7a767179a09f2d26e39c2fda6f95c9c33655 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Fri, 29 May 2026 19:10:11 +0200 Subject: [PATCH 4/4] Define IMAGE_TAG in the workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The POC used a repo settings variable, but that doesn't work for pull requests; and it would be hard to maintain with branches. Sadly, there seems to be no easy facility to define a file-wide constant in GitHub actions, so hard-code three copies. Hopefully Renovate can be set up to update this, then the number of copies won't matter. Signed-off-by: Miloslav Trmač --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bdde287902..0738515239 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,7 +33,7 @@ jobs: runs-on: oracle-vm-4cpu-16gb-x86-64 timeout-minutes: 45 container: - image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} + image: quay.io/libpod/skopeo_cidev:c20260310t170224z-f43f42d14 # FIXME: Should be Renovate-managed. steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -52,7 +52,7 @@ jobs: runs-on: oracle-vm-4cpu-16gb-x86-64 timeout-minutes: 45 container: - image: quay.io/libpod/fedora_podman:${{ vars.IMAGE_TAG }} + image: quay.io/libpod/skopeo_cidev:c20260310t170224z-f43f42d14 # FIXME: Should be Renovate-managed. steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -132,7 +132,7 @@ jobs: - name: Skopeo Test w/ Sequoia buildtags: containers_image_sequoia container: - image: quay.io/libpod/skopeo_cidev:${{ vars.IMAGE_TAG }} + image: quay.io/libpod/skopeo_cidev:c20260310t170224z-f43f42d14 # FIXME: Should be Renovate-managed. options: --privileged steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2