diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml index 255e1c432b..81e93ffb4c 100644 --- a/.github/workflows/dev-bump.yml +++ b/.github/workflows/dev-bump.yml @@ -22,8 +22,7 @@ jobs: - name: Bump id: bump run: | - ref=${{ github.ref_name }} - version=${ref#v} + version=${GITHUB_REF_NAME#v} if [[ $version == *-rc* ]]; then devbump="${version%-*}-dev" echo "::notice:: is a rc - bumping z down to $devbump" 
@@ -38,49 +37,52 @@ jobs: echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump Podman to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}." + echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}." 
else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.checkpr.outputs.prexists == 'false' id: pr + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-${{ steps.bump.outputs.devbump }}" - ref=${{ github.ref_name }} - base=${ref%.*} + bumpbranch="bump-${DEVBUMP}" + base=${GITHUB_REF_NAME%.*} body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump Podman to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "$base" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" mainbump: name: Bump on main runs-on: ubuntu-latest @@ -99,8 +101,7 @@ jobs: id: check run: | mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go` - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C then echo "bump=true" >> $GITHUB_OUTPUT @@ -112,8 +113,7 @@ jobs: id: bump if: steps.check.outputs.bump == 'true' run: | - ref=${{ github.ref_name }} - releasevers=${ref#v} + releasevers=${GITHUB_REF_NAME#v} arr=($(echo "$releasevers" | tr . '\n')) arr[1]=$((${arr[1]}+1)) 
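Review bot: The rewritten Push step still leaves `git checkout -b $bumpbranch` and `>> $GITHUB_OUTPUT` unquoted, while the same commit quotes `git checkout -b "$bumpbranch"` in machine-os-pr.yml; for consistency with the rest of the hardening use `git checkout -b "$bumpbranch"` and `>> "$GITHUB_OUTPUT"` here and in the mainbump Push step. The values cannot currently contain whitespace, so this is a style point rather than a defect.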
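Review bot: The unchanged context line `mainvers=\`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go\`` uses an unescaped `.` and single-digit components, so a RawVersion with a two-digit minor (e.g. `5.10.0-dev`) is read as `5.1` and the `sort -V -C` comparison against the release version can mis-order, setting `bump=true` wrongly. Use `mainvers=$(grep -oP '(?<=const RawVersion = ")\d+\.\d+' version/rawversion/version.go)` instead. Whether the project's minor numbers will reach two digits I cannot tell from this hunk.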
@@ -126,44 +126,48 @@ jobs: echo "devbump=$devbump" >> $GITHUB_OUTPUT - name: Push if: steps.check.outputs.bump == 'true' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger - # GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-main-${DEVBUMP}" git checkout -b $bumpbranch git add version/rawversion/version.go - git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}" + git commit --signoff -m "Bump main to v${DEVBUMP}" git remote add podmanbot https://github.com/podmanbot/podman git push -f podmanbot "$bumpbranch" - name: Check open PRs id: checkpr if: steps.check.outputs.bump == 'true' env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo ${{ github.repository }} \ - --head bump-main-${{ steps.bump.outputs.devbump }} \ + --repo "${GITHUB_REPOSITORY}" \ + --head "bump-main-${DEVBUMP}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}." + echo "SKIPPING: PR already exists to update to ${DEVBUMP}." 
else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - name: Open PR if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + DEVBUMP: ${{ steps.bump.outputs.devbump }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | - bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}" + bumpbranch="bump-main-${DEVBUMP}" body=$(printf '```release-note\nNone\n```\n') gh pr create \ - --title "Bump main to v${{ steps.bump.outputs.devbump }}" \ + --title "Bump main to v${DEVBUMP}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ --base "main" \ - --repo ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + --repo "${GITHUB_REPOSITORY}" diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml index f337654e15..9fede3141b 100644 --- a/.github/workflows/first_contrib_cert_generator.yml +++ b/.github/workflows/first_contrib_cert_generator.yml @@ -65,10 +65,11 @@ jobs: # Step 3: Update the HTML file locally - name: Update HTML file if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} + env: + CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }} run: | HTML_FILE="automation-repo/certificate-generator/certificate_generator.html" - CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}" - PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}" MERGE_DATE=$(date -u +"%B %d, %Y") sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; } 
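Review bot: `CONTRIBUTOR_NAME` and `PR_NUMBER` are now shell-safe, but they are still spliced unvalidated into a `sed` s-expression and into an HTML `value="…"` attribute; on `workflow_dispatch` they are free-text inputs, so a `/`, `&`, `\` or `"` in `contributor_username` breaks the substitution or escapes the attribute (`--sandbox` only blocks the e/r/w commands). Validate before the sed calls: `[[ "$CONTRIBUTOR_NAME" =~ ^[A-Za-z0-9-]+$ && "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "ERROR: invalid contributor name or PR number."; exit 1; }`. Also quote `"${HTML_FILE}"` on the sed invocation. The rest of the step is outside this hunk.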
@@ -120,6 +121,10 @@ jobs: - name: Upload certificate to separate repository if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }} script: | @@ -157,10 +162,10 @@ jobs: // Create a unique filename with timestamp const timestamp = new Date().toISOString().replace(/[:.]/g, '-'); const contributorName = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.contributor_username }}' - : '${{ github.event.pull_request.user.login }}'; + ? process.env.CONTRIBUTOR_USERNAME + : process.env.USER_LOGIN; const prNumber = context.eventName === 'workflow_dispatch' - ? '${{ github.event.inputs.pr_number }}' + ? process.env.PR_NUMBER : context.issue.number; const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`; @@ -219,6 +224,10 @@ jobs: - name: Comment with embedded certificate image if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }} uses: actions/github-script@v8 + env: + CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }} + USER_LOGIN: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.inputs.pr_number }} with: script: | try { 
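Review bot: `const filename = \`certificates/${contributorName}-${prNumber}-${timestamp}.png\`` builds a repository path from `process.env.CONTRIBUTOR_USERNAME` and `process.env.PR_NUMBER`, which on `workflow_dispatch` are free-text inputs, so a value containing `/` or `..` would place the file outside `certificates/` in the target repository (how the path is consumed is outside this hunk, but nothing visible constrains it). Reject anything that is not a GitHub login / integer before building the name: `if (!/^[A-Za-z0-9-]+$/.test(contributorName) || !/^\d+$/.test(String(prNumber))) throw new Error(\`invalid contributor or PR number: ${contributorName} / ${prNumber}\`);`. Note that on pull_request events `process.env.PR_NUMBER` is an empty string rather than undefined, since the env mapping is always set; the ternary avoids that here.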
@@ -240,17 +249,17 @@ jobs: if (context.eventName === 'workflow_dispatch') { // Manual trigger case - const contributorName = '${{ github.event.inputs.contributor_username }}'; - const prNumber = '${{ github.event.inputs.pr_number }}'; + const contributorName = process.env.CONTRIBUTOR_USERNAME; + const prNumber = process.env.PR_NUMBER; body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`; } else { // Auto trigger case for first-time contributors - const username = '${{ github.event.pull_request.user.login }}'; + const username = process.env.USER_LOGIN; body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`; } const issueNumber = context.eventName === 'workflow_dispatch' ? - parseInt('${{ github.event.inputs.pr_number }}') : + parseInt(process.env.PR_NUMBER) : context.issue.number; await github.rest.issues.createComment({ diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml index cd4d3ec5eb..58c23b978c 100644 --- a/.github/workflows/mac-pkg.yml +++ b/.github/workflows/mac-pkg.yml 
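Review bot: `parseInt(process.env.PR_NUMBER)` has no radix and yields `NaN` for any non-numeric dispatch input, which then becomes the `issue_number` of the createComment call; use `parseInt(process.env.PR_NUMBER, 10)` and bail out when `!Number.isInteger(issueNumber)`. The same inputs are echoed into the comment body as `@${contributorName}` and `PR #${prNumber}`, so checking them against login characters and digits at the top of the script keeps the mention from pinging an arbitrary string. The createComment call continues outside this hunk.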
@@ -37,33 +37,42 @@ jobs: steps: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi echo echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" ARM_FILE="podman-installer-macos-arm64.pkg" AMD_FILE="podman-installer-macos-amd64.pkg" UNIVERSAL_FILE="podman-installer-macos-universal.pkg" 
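Review bot: Unlike release-artifacts.yml and release.yml, the Determine Version step here writes `inputs.version` / `github.event.release.tag_name` to the output with no format check, and that value is then embedded into the download URI in Check uploads and passed to `gh release download`/`gh release upload` later in the job. Add the guard the other workflows use before the output line: `if ! grep -Eq '^v[0-9]+(\.[0-9]+(\.[0-9]+(-[A-Za-z0-9.]+)?)?)?$' <<<"$VERSION"; then echo "::error::Invalid version: $VERSION"; exit 1; fi`. The bare `echo` before `echo "version=$VERSION"` prints an empty line for no visible reason and can go. I could not see a check elsewhere in this file; if one exists outside the hunk this is already covered.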
@@ -168,8 +177,9 @@ jobs: steps.check.outputs.builduniversal == 'true' ) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat contrib/pkginstaller/out/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg + gh release upload "${VERSION}" --clobber shasums diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index ef57bb744a..41f99ccf61 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -36,9 +36,9 @@ jobs: exit 1 elif [[ $VERSION == *-dev ]] ; then echo "::warning:: SKIPPING: dev bump" - elif [[ ${{github.base_ref}} == "main" ]] ; then + elif [[ "${GITHUB_BASE_REF}" == "main" ]] ; then echo "::warning:: SKIPPING: main branch" - elif [[ ${{github.base_ref}} == *-rhel ]] ; then + elif [[ "${GITHUB_BASE_REF}" == *-rhel ]] ; then echo "::warning:: SKIPPING: rhel branch" else echo "update=true" >> "$GITHUB_OUTPUT" @@ -48,7 +48,7 @@ jobs: - name: Check machine-os-branch if: steps.getversion.outputs.update == 'true' run: | - if ! (curl -s https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches| jq -e --arg branch "${{github.base_ref}}" '.[] | select(.name==$branch)') ; then + if ! curl -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then echo "::error:: Release branch does not exist." echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task." exit 1 
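Review bot: In Check machine-os-branch the error line `echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task."` references `$branch`, which is the jq variable, not a shell one, so the message prints an empty branch name; use `${GITHUB_BASE_REF}` there. The unauthenticated `curl -s` also has no `--fail` and the branches endpoint is paginated, so a rate-limit response or a repository with more branches than one page reports "Release branch does not exist" for a branch that does exist. Querying the branch directly is more robust: `if ! gh api "repos/$UPSTREAM_MACHINE_OS/branches/${GITHUB_BASE_REF}" >/dev/null; then` (this needs `GH_TOKEN` on the step, whose env is outside this hunk).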
@@ -59,8 +59,9 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} + EVENT_NUMBER: ${{ github.event.number }} run: | - gh pr edit --add-label do-not-merge/wait-machine-os-build ${{github.event.number}} + gh pr edit --add-label do-not-merge/wait-machine-os-build "${EVENT_NUMBER}" - name: Install wait-for-copr if: steps.getversion.outputs.update == 'true' 
@@ -79,44 +80,53 @@ jobs: - name: Bump version if: steps.getversion.outputs.update == 'true' env: + EVENT_NUMBER: ${{ github.event.number }} VERS: ${{steps.getversion.outputs.version}} run: | update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS") sed --sandbox -i -e "$update" podman-rpm-info-vars.sh - sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh + sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${EVENT_NUMBER}\"/g" podman-rpm-info-vars.sh echo "Updated file:" cat podman-rpm-info-vars.sh - name: Wait for COPR build if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} run: | wait-for-copr \ --owner packit \ - --project containers-podman-${{github.event.number}} \ + --project "containers-podman-${EVENT_NUMBER}" \ podman \ ${SHA::9} - name: Push if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="pr${{github.event.number}}" - git checkout -b $bumpbranch + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="pr${EVENT_NUMBER}" + git checkout -b "$bumpbranch" git add podman-rpm-info-vars.sh - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote add podmanbot https://github.com/podmanbot/podman-machine-os git push -f podmanbot 
"$bumpbranch" - name: Check open PRs id: checkpr if: steps.getversion.outputs.update == 'true' + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} run: | prs=$(gh pr list \ - --repo $UPSTREAM_MACHINE_OS \ - --head "pr${{github.event.number}}" \ + --repo "$UPSTREAM_MACHINE_OS" \ + --head "pr${EVENT_NUMBER}" \ --state open \ --json title \ --jq 'length') @@ -125,25 +135,25 @@ jobs: else echo "openpr=true" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Open PR if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' id: pr + env: + EVENT_NUMBER: ${{ github.event.number }} + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - bumpbranch="pr${{github.event.number}}" + bumpbranch="pr${EVENT_NUMBER}" body=$(printf 'Triggered by https://github.com/%s/pull/%s\n\n```release-note\nRelease v%s\n```\n' \ - "$PODMAN_REPO" "${{github.event.number}}" "${{ steps.getversion.outputs.version }}") + "$PODMAN_REPO" "${EVENT_NUMBER}" "${VERSION}") uri=`gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ --body "$body" \ --head "podmanbot:$bumpbranch" \ - --base "${{github.base_ref}}" \ - --repo $UPSTREAM_MACHINE_OS` + --base "${GITHUB_BASE_REF}" \ + --repo "$UPSTREAM_MACHINE_OS"` echo "uri=$uri" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - name: Comment PR link if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true' diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml index 1d35e1a4fd..8d3b22ea97 100644 --- a/.github/workflows/release-artifacts.yml +++ b/.github/workflows/release-artifacts.yml 
@@ -28,17 +28,20 @@ jobs: - name: Provide github event JSON for examination run: | echo "::group::Event JSON" - jq --color-output "." "${{ github.event_path }}" + jq --color-output "." "${GITHUB_EVENT_PATH}" echo "::endgroup::" - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" @@ -58,24 +61,30 @@ jobs: - name: Consolidate dryrun setting to always be true or false id: actual_dryrun + env: + INPUT_DRYRUN: ${{ inputs.dryrun }} run: | # The 'release' trigger will not have a 'dryrun' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.dryrun }}" ]] + if [[ -z "${INPUT_DRYRUN}" ]] then echo "dryrun=false" >> $GITHUB_OUTPUT else - echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT + echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT fi - name: Dry Run Status + env: + DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }} run: | - echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" + echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}" - name: Check uploads id: check + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | - URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}" + URI="https://github.com/containers/podman/releases/download/${VERSION}" for artifact in "podman-remote-release-darwin_amd64.zip darwin_amd" \ 'podman-remote-release-darwin_arm64.zip darwin_arm' \ 'podman-remote-release-windows_amd64.zip windows_amd' \ 
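Review bot: The version check `grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$'` at the end of Determine Version is anchored only at the end, so a manually supplied `inputs.version` such as `../v1.2.3` or `x v1.2.3` passes and then flows into the download URI in Check uploads and into `gh release download`/`gh release upload`. Anchor it at the start and restrict the pre-release suffix: `if ! grep -Eq '^v[0-9]+(\.[0-9]+(\.[0-9]+(-[A-Za-z0-9.]+)?)?)?$' <<<"$VERSION"`. The same pattern is used in release.yml's Determine Version step; the then-branch of this check is outside the hunk.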
@@ -189,11 +198,12 @@ jobs: steps.actual_dryrun.outputs.dryrun == 'false' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | - (gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0) + (gh release download "${VERSION}" -p "shasums" || exit 0) cat release/shasums >> shasums - gh release upload ${{steps.getversion.outputs.version}} release/*.zip release/*.tar.gz - gh release upload ${{steps.getversion.outputs.version}} --clobber shasums + gh release upload "${VERSION}" release/*.zip release/*.tar.gz + gh release upload "${VERSION}" --clobber shasums # WARNING: This should only be set when 'notification' job should be triggered echo "complete=true" >> $GITHUB_OUTPUT @@ -211,6 +221,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.build.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" @@ -220,19 +231,19 @@ jobs: echo "mail_subj=Podman ${RC_PREFIX}${VERSION} Released" >> $GITHUB_OUTPUT - cat <email_body.txt + cat < email_body.txt Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9436edc77e..2b8279aa00 100644 --- a/.github/workflows/release.yml 
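Review bot: With `GITHUB_TOKEN` now set in the step's `env:`, the line `echo "${GITHUB_TOKEN}" | gh auth login --with-token` is redundant — gh reads GH_TOKEN/GITHUB_TOKEN from the environment — and recent gh releases refuse `gh auth login` while an environment token is present ("The value of the GITHUB_TOKEN environment variable is being used for authentication"), which would fail this step. It also persists the token into the runner's gh config for the remaining steps. Drop the `gh auth login` line and keep only `gh release view "$VERSION" --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt`.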
+++ b/.github/workflows/release.yml @@ -26,12 +26,14 @@ jobs: steps: - name: Determine Version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} run: | - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.ref_name }} + VERSION=${GITHUB_REF_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION" then @@ -48,14 +50,16 @@ jobs: echo "::notice::Building $VERSION" - name: Determine release id: buildonly + env: + INPUT_BUILDONLY: ${{ inputs.buildonly }} run: | # The 'tag' trigger will not have a 'buildonly' input set. Handle # this case in a readable/maintainable way. - if [[ -z "${{ inputs.buildonly }}" ]] + if [[ -z "${INPUT_BUILDONLY}" ]] then BUILDONLY=false else - BUILDONLY=${{ inputs.buildonly }} + BUILDONLY=${INPUT_BUILDONLY} fi echo "buildonly=$BUILDONLY" >> $GITHUB_OUTPUT echo "::notice::This will be build-only: $BUILDONLY" @@ -161,8 +165,10 @@ jobs: steps: - name: Determine version id: getversion + env: + VERSION: ${{needs.check.outputs.version}} run: | - $version = "${{ needs.check.outputs.version }}" + $version = "${env:VERSION}" if ($version[0] -eq "v") { $version = $version.Substring(1) } 
@@ -181,13 +187,19 @@ jobs: - name: Set up WiX run: dotnet tool install --global wix - name: Setup Signature Tooling + env: + AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }} + AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }} + AZ_APP_ID: ${{ secrets.AZ_APP_ID }} + AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} + AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }} run: | dotnet tool install --global AzureSignTool --version 3.0.0 - echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append - echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append + echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Pandoc Setup uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4 with: 
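Review bot: Setup Signature Tooling still exports all five Azure signing secrets, including `CLIENT_SECRET`, into `$GITHUB_ENV`, which makes them environment variables for every later step in the job — the third-party `r-lib/actions/setup-pandoc` step that runs right after, and any later upload steps; moving them into a step-scoped `env:` only keeps them out of the script text, not out of the rest of the job. Prefer scoping them to the step that actually invokes AzureSignTool (Build the MSI) through its own `env:` (e.g. `CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}`) and delete the five `Out-File -FilePath $env:GITHUB_ENV` lines. Whether build.ps1 reads these names from the environment is outside this hunk.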
@@ -200,17 +212,23 @@ jobs: # to judge. - name: Build the MSI id: build + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | contrib\win-installer\build.ps1 ` - -Version ${{steps.getversion.outputs.version}} ` - -LocalReleaseDirPath ${{ github.workspace }}\release-artifacts ` - -Architecture ${{ matrix.arch }} + -Version "${env:VERSION}" ` + -LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" ` + -Architecture "${env:PODMAN_ARCH}" Exit $LASTEXITCODE - name: Build the bundle (legacy) id: build-legacy + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - .\build.ps1 ${{steps.getversion.outputs.version}} prod ${{ github.workspace }}\release-artifacts + .\build.ps1 "${env:VERSION}" prod "${env:GITHUB_WORKSPACE}\release-artifacts" $code = $LASTEXITCODE if ($code -eq 2) { Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append @@ -219,8 +237,6 @@ jobs: } Pop-Location Exit $code - env: - PODMAN_ARCH: ${{ matrix.arch }} - name: Display structure of built files run: | Push-Location contrib\win-installer 
@@ -230,14 +246,20 @@ jobs: Get-ChildItem Pop-Location - name: Rename the MSI + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer - Copy-Item -Path podman-${{steps.getversion.outputs.version}}.msi -Destination podman-installer-windows-${{ matrix.arch }}.msi + Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi" Pop-Location - name: Rename the bundle (legacy) + env: + PODMAN_ARCH: ${{ matrix.arch }} + VERSION: ${{ steps.getversion.outputs.version }} run: | Push-Location contrib\win-installer-legacy - Copy-Item -Path podman-${{steps.getversion.outputs.version}}-setup.exe -Destination podman-installer-windows-${{ matrix.arch }}.exe + Copy-Item -Path "podman-${env:VERSION}-setup.exe" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.exe" Pop-Location - name: Upload the MSI uses: actions/upload-artifact@v5 @@ -314,7 +336,7 @@ jobs: title="${title/rc/"RC"}" else # check if this version should not be marked latest - prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${{ github.repository }}/releases/latest") + prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest") prevvers=$(echo "$prevrelease" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed -e "s/^v//") vers=${VERSION#"v"} echo "${prevvers},${vers}" @@ -342,6 +364,7 @@ jobs: - name: Format release email id: format env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION: ${{ needs.check.outputs.version }} run: | if grep -Eq '.+-rc' <<<"$VERSION" 
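Review bot: `prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest")` still runs unauthenticated and without `--fail`, so a rate-limited 403 body goes through the `grep '"tag_name":' | sed` pipeline as an empty `prevvers`, and the is-latest decision below is made on an empty string. Add `--fail` and parse the JSON properly: `prevvers=$(curl --fail --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq -r '.tag_name' | sed -e 's/^v//')`, or use `gh api … --jq '.tag_name'` if `GITHUB_TOKEN` is on this step. A repository with no prior release returns 404 and would need explicit handling; the comparison logic continues outside this hunk.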
@@ -355,15 +378,15 @@ jobs: Hi all, Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at - https://github.com/${{ github.repository }}/releases/tag/$VERSION + https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION Release ${RC_PREFIX}Notes: -------------- EOF - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token - gh release view $VERSION \ - --repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt + echo "${GITHUB_TOKEN}" | gh auth login --with-token + gh release view "$VERSION" \ + --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt # If job fails, permit operator to observe contents in case helpful. - name: Provide release e-mail contents for examination diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml index 9a2803999c..d03a7114a3 100644 --- a/.github/workflows/update-podmanio.yml +++ b/.github/workflows/update-podmanio.yml @@ -30,13 +30,15 @@ jobs: steps: - name: Get version id: getversion + env: + INPUT_VERSION: ${{ inputs.version }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | - - if [[ -z "${{ inputs.version }}" ]] + if [[ -z "${INPUT_VERSION}" ]] then - VERSION=${{ github.event.release.tag_name }} + VERSION=${TAG_NAME} else - VERSION=${{ inputs.version }} + VERSION=${INPUT_VERSION} fi # strip out the prefix v if it's there 
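Review bot: As in release-artifacts.yml, `echo "${GITHUB_TOKEN}" | gh auth login --with-token` is now redundant because `GITHUB_TOKEN` is in the step's env, and recent gh releases exit with an error from `gh auth login` when an environment token is set, which would break the Format release email step. Remove that line and rely on the env token for `gh release view "$VERSION" --repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt`.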
@@ -55,20 +57,21 @@ jobs: - name: Check open PRs if: steps.getversion.outputs.notRC == 'true' id: checkpr + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | prs=$(gh pr list \ --repo containers/podman.io \ - --head bump-podmanv${{ steps.getversion.outputs.version }} \ + --head "bump-podmanv${VERSION}" \ --state open \ --json title \ --jq 'length') if ((prs > 0)); then - echo "SKIPPING: PR already exists to update to v${{ steps.getversion.outputs.version }}." + echo "SKIPPING: PR already exists to update to v${VERSION}." else echo "prexists=false" >> "$GITHUB_OUTPUT" fi - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} - uses: actions/checkout@v6 if: >- @@ -85,13 +88,15 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkpr.outputs.prexists == 'false' id: checkversion + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Check if version is actually higher than one on podman.io prevversion=`grep -P "(?<=export const LATEST_VERSION = ')(\d.\d.\d)" -o static/data/global.ts` echo "Version currently on site: ${prevversion}" - echo "Version to update to: ${{ steps.getversion.outputs.version }}" + echo "Version to update to: ${VERSION}" # sort -V -C returns 0 if args are ascending version order - if echo "${prevversion},${{ steps.getversion.outputs.version }}" | tr ',' '\n' | sort -V -C && [[ ${prevversion} != ${{ steps.getversion.outputs.version }} ]] + if echo "${prevversion},${VERSION}" | tr ',' '\n' | sort -V -C && [[ "${prevversion}" != "${version}" ]] then echo "needsUpdate=true" >> $GITHUB_OUTPUT echo "This release is a higher version, so we need to update podman.io" 
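Review bot: The rewritten comparison in checkversion reads `${version}` (lowercase) while the step's `env:` defines `VERSION`, so bash expands it to an empty string; the guard meant to stop a no-op PR when the site already carries this release now always passes, and `needsUpdate=true` is emitted even when both versions are equal. Change it to `[[ "${prevversion}" != "${VERSION}" ]]`. Separately, the context line `grep -P "(?<=export const LATEST_VERSION = ')(\d.\d.\d)"` only matches single-digit components with unescaped dots, so a site version such as `5.10.0` would yield an empty `prevversion`; `grep -oP "(?<=export const LATEST_VERSION = ')\d+\.\d+\.\d+"` is safer if components ever reach two digits.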
@@ -104,9 +109,11 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + VERSION: ${{ steps.getversion.outputs.version }} run: | # Replace the version in static/data/global.ts file - sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts + sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g" static/data/global.ts echo "Updated file:" cat static/data/global.ts 
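Review bot: The sed replacement `s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g` interpolates `VERSION` — on manual runs ultimately `inputs.version` — into the expression, so a `/`, `&` or `'` in the input breaks the command or corrupts global.ts even with `--sandbox`. Add a shape check in the Get version step before anything uses the value: `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "::error::Invalid version: $VERSION"; exit 1; }`. I could not see such a check in the visible part of Get version; if one exists further down that step this is already covered.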
@@ -115,22 +122,23 @@ jobs: steps.getversion.outputs.notRC == 'true' && steps.checkversion.outputs.needsUpdate == 'true' && steps.checkpr.outputs.prexists == 'false' + env: + GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} + VERSION: ${{ steps.getversion.outputs.version }} run: | # Make committer the user who triggered the action, either through cutting a release or manual trigger # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off - git config --local user.name ${{ github.actor }} - git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" - bumpbranch="bump-podmanv${{ steps.getversion.outputs.version }}" + git config --local user.name "${GITHUB_ACTOR}" + git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" + bumpbranch="bump-podmanv${VERSION}" git checkout -b $bumpbranch git add static/data/global.ts - git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}" + git commit --signoff -m "Bump Podman to v${VERSION}" git remote -v git remote add podmanbot https://github.com/podmanbot/podman.io git push podmanbot "+$bumpbranch" gh pr create \ - --title "Bump Podman to v${{ steps.getversion.outputs.version }}" \ - --body "Bump Podman to v${{ steps.getversion.outputs.version }}" \ + --title "Bump Podman to v${VERSION}" \ + --body "Bump Podman to v${VERSION}" \ --head "podmanbot:$bumpbranch" \ --base "main" -R "containers/podman.io" - env: - GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }} diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml index e6c135dfed..9b199a8495 100644 --- a/.github/workflows/upload-win-installer.yml +++ b/.github/workflows/upload-win-installer.yml 
@@ -27,24 +27,31 @@ jobs:
 steps:
 - name: Consolidate dryrun setting to always be true or false
 id: actual_dryrun
+ env:
+ INPUT_DRYRUN: ${{ inputs.dryrun }}
 run: |
 # The 'release' trigger will not have a 'dryrun' input set. Handle
 # this case in a readable/maintainable way.
- $inputs_dryrun = "${{ inputs.dryrun }}"
+ $inputs_dryrun = "${env:INPUT_DRYRUN}"
 if ($inputs_dryrun.Length -lt 1) {
 Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 } else {
- Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ Write-Output "dryrun=${env:INPUT_DRYRUN}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 }
 - name: Dry Run Status
+ env:
+ DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
 run: |
- Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
+ Write-Output "::notice::This workflow execution will be a dry-run: ${env:DRYRUN}"
 - name: Determine version
 id: getversion
+ env:
+ INPUT_VERSION: ${{ inputs.version }}
+ TAG_NAME: ${{ github.event.release.tag_name }}
 run: |
- $version = "${{ inputs.version }}"
+ $version = "${env:INPUT_VERSION}"
 if ($version.Length -lt 1) {
- $version = "${{ github.event.release.tag_name }}"
+ $version = "${env:TAG_NAME}"
 if ($version.Length -lt 1) {
 Write-Host "::error::Could not determine version!"
 Exit 1
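Review bot: The getversion step is now the single place where `$version` is taken from `INPUT_VERSION` or `TAG_NAME` before it flows into `check.ps1`, `build.ps1` and `gh release upload` in later steps, but it only checks for emptiness, not format. After the two fallbacks, reject anything that does not look like a release tag, e.g. `if ($version -notmatch '^v?\d+\.\d+\.\d+(-rc\d+)?$') { Write-Host "::error::Unexpected version format: $version"; Exit 1 }`, with the pattern matched to the tag scheme the release trigger actually produces. The rest of the step, including where `version` is written to GITHUB_OUTPUT, is outside this hunk.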
@@ -66,16 +73,18 @@ jobs:
 # to judge w/n (i.e. in some extreme case) it should be uploaded to the release page.
 - name: Check
 id: check
+ env:
+ VERSION: ${{ steps.getversion.outputs.version }}
 run: |
 Push-Location contrib\win-installer-legacy
- .\check.ps1 ${{steps.getversion.outputs.version}}
+ .\check.ps1 "${env:VERSION}"
 $code = $LASTEXITCODE
 if ($code -eq 2) {
 Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 Pop-Location
 Exit 0
 }
- Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+ Write-Output "upload_asset_name=${env:UPLOAD_ASSET_NAME}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 Pop-Location
 Exit $code
 # The podman release process requires a cross-compile of the windows binaries be uploaded to
@@ -83,8 +92,10 @@ jobs:
 # non-obvious ways with a non-obvious error message. Address that here.
 - name: Confirm upload_asset_name is non-empty
 if: steps.check.outputs.upload_asset_name == ''
+ env:
+ VERSION: ${{ steps.getversion.outputs.version }}
 run: |
- Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${{steps.getversion.outputs.version}}."
+ Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${env:VERSION}."
 Exit 1
 - name: Set up Go
 uses: actions/setup-go@v6
@@ -97,13 +108,19 @@ jobs:
 run: dotnet tool install --global wix
 - name: Setup Signature Tooling
 if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ env:
+ AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
+ AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
+ AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
+ AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+ AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
 run: |
 dotnet tool install --global AzureSignTool --version 3.0.0
- echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
 - name: Pandoc Setup
 uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
 with:
@@ -111,9 +128,11 @@ jobs:
 - name: Build
 id: build
 if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+ env:
+ VERSION: ${{ steps.getversion.outputs.version }}
 run: |
 Push-Location contrib\win-installer-legacy
- .\build.ps1 ${{steps.getversion.outputs.version}} prod
+ .\build.ps1 "${env:VERSION}" prod
 $code = $LASTEXITCODE
 if ($code -eq 2) {
 Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
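Review bot: The `+ echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append` line, and the four above it, still copy the signing secrets into GITHUB_ENV, so they remain in the environment of every later step in the job, including third-party actions such as the `r-lib/actions/setup-pandoc` step that follows. Now that the values are available as step-scoped `env:` entries, consider dropping the GITHUB_ENV writes and declaring `CERT_NAME: ${{ secrets.AZ_CERT_NAME }}` (and the other four) only on the step that actually runs AzureSignTool, which appears to lie outside this hunk. GitHub masks secret values in logs, but that does not narrow which steps can read them.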
@@ -136,14 +155,16 @@ jobs:
 steps.check.outputs.already-exists != 'true' &&
 steps.build.outputs.artifact-missing != 'true'
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ UPLOAD_ASSET_NAME: ${{ steps.check.outputs.upload_asset_name }}
+ VERSION: ${{ steps.getversion.outputs.version }}
 run: |
 Push-Location contrib\win-installer-legacy
- $version = "${{ steps.getversion.outputs.version }}"
+ $version = "${env:VERSION}"
 if ($version[0] -ne "v") {
 $version = "v$version"
 }
- gh release upload $version ${{ steps.check.outputs.upload_asset_name }}
+ gh release upload $version "${env:UPLOAD_ASSET_NAME}"
 if ($LASTEXITCODE -ne 0) {
 .\check.ps1 $version
 if ($LASTEXITCODE -eq 2) {