
ci: use env vars to avoid template expansion in code contexts

Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
This commit is contained in:
Daniel Hast
2025-12-01 08:29:24 -05:00
parent 3f4af378f4
commit 67c050bb8e
8 changed files with 246 additions and 150 deletions


@@ -22,8 +22,7 @@ jobs:
- name: Bump
id: bump
run: |
ref=${{ github.ref_name }}
version=${ref#v}
version=${GITHUB_REF_NAME#v}
if [[ $version == *-rc* ]]; then
devbump="${version%-*}-dev"
echo "::notice:: is a rc - bumping z down to $devbump"
@@ -38,49 +37,52 @@ jobs:
echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="bump-${DEVBUMP}"
git checkout -b $bumpbranch
git add version/rawversion/version.go
git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}"
git commit --signoff -m "Bump Podman to v${DEVBUMP}"
git remote add podmanbot https://github.com/podmanbot/podman
git push -f podmanbot "$bumpbranch"
- name: Check open PRs
id: checkpr
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
prs=$(gh pr list \
--repo ${{ github.repository }} \
--head bump-${{ steps.bump.outputs.devbump }} \
--repo "${GITHUB_REPOSITORY}" \
--head "bump-${DEVBUMP}" \
--state open \
--json title \
--jq 'length')
if ((prs > 0)); then
echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}."
echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}."
else
echo "prexists=false" >> "$GITHUB_OUTPUT"
fi
- name: Open PR
if: steps.checkpr.outputs.prexists == 'false'
id: pr
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
ref=${{ github.ref_name }}
base=${ref%.*}
bumpbranch="bump-${DEVBUMP}"
base=${GITHUB_REF_NAME%.*}
body=$(printf '```release-note\nNone\n```\n')
gh pr create \
--title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \
--title "Bump Podman to v${DEVBUMP}" \
--body "$body" \
--head "podmanbot:$bumpbranch" \
--base "$base" \
--repo ${{ github.repository }}
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
--repo "${GITHUB_REPOSITORY}"
mainbump:
name: Bump on main
runs-on: ubuntu-latest
@@ -99,8 +101,7 @@ jobs:
id: check
run: |
mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go`
ref=${{ github.ref_name }}
releasevers=${ref#v}
releasevers=${GITHUB_REF_NAME#v}
if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C
then
echo "bump=true" >> $GITHUB_OUTPUT
@@ -112,8 +113,7 @@ jobs:
id: bump
if: steps.check.outputs.bump == 'true'
run: |
ref=${{ github.ref_name }}
releasevers=${ref#v}
releasevers=${GITHUB_REF_NAME#v}
arr=($(echo "$releasevers" | tr . '\n'))
arr[1]=$((${arr[1]}+1))
@@ -126,44 +126,48 @@ jobs:
echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
if: steps.check.outputs.bump == 'true'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="bump-main-${DEVBUMP}"
git checkout -b $bumpbranch
git add version/rawversion/version.go
git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}"
git commit --signoff -m "Bump main to v${DEVBUMP}"
git remote add podmanbot https://github.com/podmanbot/podman
git push -f podmanbot "$bumpbranch"
- name: Check open PRs
id: checkpr
if: steps.check.outputs.bump == 'true'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
prs=$(gh pr list \
--repo ${{ github.repository }} \
--head bump-main-${{ steps.bump.outputs.devbump }} \
--repo "${GITHUB_REPOSITORY}" \
--head "bump-main-${DEVBUMP}" \
--state open \
--json title \
--jq 'length')
if ((prs > 0)); then
echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}."
echo "SKIPPING: PR already exists to update to ${DEVBUMP}."
else
echo "prexists=false" >> "$GITHUB_OUTPUT"
fi
- name: Open PR
if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
bumpbranch="bump-main-${DEVBUMP}"
body=$(printf '```release-note\nNone\n```\n')
gh pr create \
--title "Bump main to v${{ steps.bump.outputs.devbump }}" \
--title "Bump main to v${DEVBUMP}" \
--body "$body" \
--head "podmanbot:$bumpbranch" \
--base "main" \
--repo ${{ github.repository }}
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
--repo "${GITHUB_REPOSITORY}"
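Review bot: The quoting this commit adds is applied unevenly in this file: `git checkout -b $bumpbranch` in both Push steps stays unquoted even though the machine-os workflow in the same commit rewrites the identical line as `git checkout -b "$bumpbranch"`, and the `>> $GITHUB_OUTPUT` redirections in the Bump and Check steps stay unquoted while the `prexists=false` lines a few lines below quote the same variable. The values involved come from `GITHUB_REF_NAME` and step outputs, so this is a consistency point rather than a live word-splitting bug, but quoting them matches the intent stated in the description. The same unquoted `>> $GITHUB_OUTPUT` pattern remains in the mac-installer, release, Windows-installer and podman.io bump workflows touched here, and the podman.io Push step has the same unquoted `git checkout -b $bumpbranch`.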


@@ -65,10 +65,11 @@ jobs:
# Step 3: Update the HTML file locally
- name: Update HTML file
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
env:
CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }}
run: |
HTML_FILE="automation-repo/certificate-generator/certificate_generator.html"
CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}"
PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
MERGE_DATE=$(date -u +"%B %d, %Y")
sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
@@ -120,6 +121,10 @@ jobs:
- name: Upload certificate to separate repository
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
uses: actions/github-script@v8
env:
CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
USER_LOGIN: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }}
script: |
@@ -157,10 +162,10 @@ jobs:
// Create a unique filename with timestamp
const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
const contributorName = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.contributor_username }}'
: '${{ github.event.pull_request.user.login }}';
? process.env.CONTRIBUTOR_USERNAME
: process.env.USER_LOGIN;
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;
const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`;
@@ -219,6 +224,10 @@ jobs:
- name: Comment with embedded certificate image
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
uses: actions/github-script@v8
env:
CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
USER_LOGIN: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
try {
@@ -240,17 +249,17 @@ jobs:
if (context.eventName === 'workflow_dispatch') {
// Manual trigger case
const contributorName = '${{ github.event.inputs.contributor_username }}';
const prNumber = '${{ github.event.inputs.pr_number }}';
const contributorName = process.env.CONTRIBUTOR_USERNAME;
const prNumber = process.env.PR_NUMBER;
body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`;
} else {
// Auto trigger case for first-time contributors
const username = '${{ github.event.pull_request.user.login }}';
const username = process.env.USER_LOGIN;
body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`;
}
const issueNumber = context.eventName === 'workflow_dispatch' ?
parseInt('${{ github.event.inputs.pr_number }}') :
parseInt(process.env.PR_NUMBER) :
context.issue.number;
await github.rest.issues.createComment({
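Review bot: `CONTRIBUTOR_NAME` and `PR_NUMBER` now come from the step environment, but the Update HTML file step still expands them into the sed script on the `sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE}` line, so a value containing `/`, `&` or `\` still breaks or alters the substitution; `--sandbox` only rejects the `e`/`r`/`w` commands, it does not make the expression delimiter-safe. On the `workflow_dispatch` path both values are free-form inputs rather than a GitHub-validated login and PR number, so I'd add a shape check before the sed call: `[[ "$CONTRIBUTOR_NAME" =~ ^[A-Za-z0-9-]+$ ]] || { echo "ERROR: invalid contributor name."; exit 1; }` and `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "ERROR: invalid PR number."; exit 1; }`. The same two values also build the artifact path `certificates/${contributorName}-${prNumber}-${timestamp}.png` in the github-script step, which the same check covers.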


@@ -37,33 +37,42 @@ jobs:
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
env:
INPUT_DRYRUN: ${{ inputs.dryrun }}
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
if [[ -z "${INPUT_DRYRUN}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
env:
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
- name: Determine Version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ -z "${{ inputs.version }}" ]]
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${{ github.event.release.tag_name }}
VERSION=${TAG_NAME}
else
VERSION=${{ inputs.version }}
VERSION=${INPUT_VERSION}
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check uploads
id: check
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
URI="https://github.com/containers/podman/releases/download/${VERSION}"
ARM_FILE="podman-installer-macos-arm64.pkg"
AMD_FILE="podman-installer-macos-amd64.pkg"
UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
@@ -168,8 +177,9 @@ jobs:
steps.check.outputs.builduniversal == 'true' )
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
(gh release download "${VERSION}" -p "shasums" || exit 0)
cat contrib/pkginstaller/out/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload "${VERSION}" --clobber shasums
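Review bot: The Determine Version step writes `VERSION` from `inputs.version` straight to `$GITHUB_OUTPUT` without checking its shape, and the value then becomes a release-download URI in Check uploads and the argument of `gh release download`/`gh release upload` in the upload step. The release workflow in this same commit validates the identical input with `if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION"` before using it; adding that check here (after the `fi`, before the `echo "version=$VERSION"` line, with an `::error::` message and `exit 1`) would make the two workflows consistent and reject a mistyped dispatch input early. The bare `echo` on the line before the output write looks like a leftover and could go at the same time.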


@@ -36,9 +36,9 @@ jobs:
exit 1
elif [[ $VERSION == *-dev ]] ; then
echo "::warning:: SKIPPING: dev bump"
elif [[ ${{github.base_ref}} == "main" ]] ; then
elif [[ "${GITHUB_BASE_REF}" == "main" ]] ; then
echo "::warning:: SKIPPING: main branch"
elif [[ ${{github.base_ref}} == *-rhel ]] ; then
elif [[ "${GITHUB_BASE_REF}" == *-rhel ]] ; then
echo "::warning:: SKIPPING: rhel branch"
else
echo "update=true" >> "$GITHUB_OUTPUT"
@@ -48,7 +48,7 @@ jobs:
- name: Check machine-os-branch
if: steps.getversion.outputs.update == 'true'
run: |
if ! (curl -s https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches| jq -e --arg branch "${{github.base_ref}}" '.[] | select(.name==$branch)') ; then
if ! curl -s "https://api.github.com/repos/$UPSTREAM_MACHINE_OS/branches" | jq -e --arg branch "${GITHUB_BASE_REF}" '.[] | select(.name==$branch)'; then
echo "::error:: Release branch does not exist."
echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task."
exit 1
@@ -59,8 +59,9 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
EVENT_NUMBER: ${{ github.event.number }}
run: |
gh pr edit --add-label do-not-merge/wait-machine-os-build ${{github.event.number}}
gh pr edit --add-label do-not-merge/wait-machine-os-build "${EVENT_NUMBER}"
- name: Install wait-for-copr
if: steps.getversion.outputs.update == 'true'
@@ -79,44 +80,53 @@ jobs:
- name: Bump version
if: steps.getversion.outputs.update == 'true'
env:
EVENT_NUMBER: ${{ github.event.number }}
VERS: ${{steps.getversion.outputs.version}}
run: |
update=$(printf 's/export PODMAN_VERSION=".*"/export PODMAN_VERSION="%s"/g\n' "$VERS")
sed --sandbox -i -e "$update" podman-rpm-info-vars.sh
sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${{github.event.number}}\"/g" podman-rpm-info-vars.sh
sed --sandbox -i -e "s/export PODMAN_PR_NUM=\".*\"/export PODMAN_PR_NUM=\"${EVENT_NUMBER}\"/g" podman-rpm-info-vars.sh
echo "Updated file:"
cat podman-rpm-info-vars.sh
- name: Wait for COPR build
if: steps.getversion.outputs.update == 'true'
env:
EVENT_NUMBER: ${{ github.event.number }}
run: |
wait-for-copr \
--owner packit \
--project containers-podman-${{github.event.number}} \
--project "containers-podman-${EVENT_NUMBER}" \
podman \
${SHA::9}
- name: Push
if: steps.getversion.outputs.update == 'true'
env:
EVENT_NUMBER: ${{ github.event.number }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="pr${{github.event.number}}"
git checkout -b $bumpbranch
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="pr${EVENT_NUMBER}"
git checkout -b "$bumpbranch"
git add podman-rpm-info-vars.sh
git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}"
git commit --signoff -m "Bump Podman to v${VERSION}"
git remote add podmanbot https://github.com/podmanbot/podman-machine-os
git push -f podmanbot "$bumpbranch"
- name: Check open PRs
id: checkpr
if: steps.getversion.outputs.update == 'true'
env:
EVENT_NUMBER: ${{ github.event.number }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
prs=$(gh pr list \
--repo $UPSTREAM_MACHINE_OS \
--head "pr${{github.event.number}}" \
--repo "$UPSTREAM_MACHINE_OS" \
--head "pr${EVENT_NUMBER}" \
--state open \
--json title \
--jq 'length')
@@ -125,25 +135,25 @@ jobs:
else
echo "openpr=true" >> "$GITHUB_OUTPUT"
fi
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
- name: Open PR
if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true'
id: pr
env:
EVENT_NUMBER: ${{ github.event.number }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
bumpbranch="pr${{github.event.number}}"
bumpbranch="pr${EVENT_NUMBER}"
body=$(printf 'Triggered by https://github.com/%s/pull/%s\n\n```release-note\nRelease v%s\n```\n' \
"$PODMAN_REPO" "${{github.event.number}}" "${{ steps.getversion.outputs.version }}")
"$PODMAN_REPO" "${EVENT_NUMBER}" "${VERSION}")
uri=`gh pr create \
--title "Bump Podman to v${{ steps.getversion.outputs.version }}" \
--title "Bump Podman to v${VERSION}" \
--body "$body" \
--head "podmanbot:$bumpbranch" \
--base "${{github.base_ref}}" \
--repo $UPSTREAM_MACHINE_OS`
--base "${GITHUB_BASE_REF}" \
--repo "$UPSTREAM_MACHINE_OS"`
echo "uri=$uri" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
- name: Comment PR link
if: steps.getversion.outputs.update == 'true' && steps.checkpr.outputs.openpr == 'true'
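Review bot: The `echo "::error:: Please push $branch to $UPSTREAM_MACHINE_OS, then re-run this task."` line in the Check machine-os-branch step expands a shell variable `branch` that the step never assigns; `branch` exists only as the jq `--arg` on the rewritten line above it, so the message prints an empty branch name unless the job sets `branch` in an `env:` block outside the hunk. Since the line above now uses `${GITHUB_BASE_REF}`, the message should use the same: `echo "::error:: Please push ${GITHUB_BASE_REF} to $UPSTREAM_MACHINE_OS, then re-run this task."`. Separately, `curl -s` without `--fail` lets an API error body (for example a rate-limit response) reach jq, where `.[] | select(.name==$branch)` fails on the string values and the step reports the branch as missing; `curl -sf --retry 3` would keep the two failure modes distinguishable.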


@@ -28,17 +28,20 @@ jobs:
- name: Provide github event JSON for examination
run: |
echo "::group::Event JSON"
jq --color-output "." "${{ github.event_path }}"
jq --color-output "." "${GITHUB_EVENT_PATH}"
echo "::endgroup::"
- name: Determine Version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ -z "${{ inputs.version }}" ]]
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${{ github.event.release.tag_name }}
VERSION=${TAG_NAME}
else
VERSION=${{ inputs.version }}
VERSION=${INPUT_VERSION}
fi
if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION"
@@ -58,24 +61,30 @@ jobs:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
env:
INPUT_DRYRUN: ${{ inputs.dryrun }}
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
if [[ -z "${INPUT_DRYRUN}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
env:
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
- name: Check uploads
id: check
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
URI="https://github.com/containers/podman/releases/download/${VERSION}"
for artifact in "podman-remote-release-darwin_amd64.zip darwin_amd" \
'podman-remote-release-darwin_arm64.zip darwin_arm' \
'podman-remote-release-windows_amd64.zip windows_amd' \
@@ -189,11 +198,12 @@ jobs:
steps.actual_dryrun.outputs.dryrun == 'false'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
(gh release download "${VERSION}" -p "shasums" || exit 0)
cat release/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} release/*.zip release/*.tar.gz
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
gh release upload "${VERSION}" release/*.zip release/*.tar.gz
gh release upload "${VERSION}" --clobber shasums
# WARNING: This should only be set when 'notification' job should be triggered
echo "complete=true" >> $GITHUB_OUTPUT
@@ -211,6 +221,7 @@ jobs:
- name: Format release email
id: format
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ needs.build.outputs.version }}
run: |
if grep -Eq '.+-rc' <<<"$VERSION"
@@ -220,19 +231,19 @@ jobs:
echo "mail_subj=Podman ${RC_PREFIX}${VERSION} Released" >> $GITHUB_OUTPUT
cat <<EOF>email_body.txt
cat <<EOF > email_body.txt
Hi all,
Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at
https://github.com/${{ github.repository }}/releases/tag/$VERSION
https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION
Release ${RC_PREFIX}Notes:
--------------
EOF
echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
gh release view $VERSION \
--repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt
echo "${GITHUB_TOKEN}" | gh auth login --with-token
gh release view "$VERSION" \
--repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt
# If job fails, permit operator to observe contents in case helpful.
- name: Provide release e-mail contents for examination
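Review bot: The `echo "${GITHUB_TOKEN}" | gh auth login --with-token` line in the Format release email step is redundant now that `GITHUB_TOKEN` is in the step's `env:`; `gh` reads `GH_TOKEN`/`GITHUB_TOKEN` from the environment, so the `gh release view "$VERSION" --repo "${GITHUB_REPOSITORY}"` call that follows authenticates without a stored login. Dropping the line avoids passing the token through a pipe at all. The Format release email step of the Windows installer workflow in this commit has the same line.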


@@ -26,12 +26,14 @@ jobs:
steps:
- name: Determine Version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
run: |
if [[ -z "${{ inputs.version }}" ]]
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${{ github.ref_name }}
VERSION=${GITHUB_REF_NAME}
else
VERSION=${{ inputs.version }}
VERSION=${INPUT_VERSION}
fi
if ! grep -Eq 'v[0-9]+(\.[0-9]+(\.[0-9]+(-.+)?)?)?$' <<<"$VERSION"
then
@@ -48,14 +50,16 @@ jobs:
echo "::notice::Building $VERSION"
- name: Determine release
id: buildonly
env:
INPUT_BUILDONLY: ${{ inputs.buildonly }}
run: |
# The 'tag' trigger will not have a 'buildonly' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.buildonly }}" ]]
if [[ -z "${INPUT_BUILDONLY}" ]]
then
BUILDONLY=false
else
BUILDONLY=${{ inputs.buildonly }}
BUILDONLY=${INPUT_BUILDONLY}
fi
echo "buildonly=$BUILDONLY" >> $GITHUB_OUTPUT
echo "::notice::This will be build-only: $BUILDONLY"
@@ -161,8 +165,10 @@ jobs:
steps:
- name: Determine version
id: getversion
env:
VERSION: ${{needs.check.outputs.version}}
run: |
$version = "${{ needs.check.outputs.version }}"
$version = "${env:VERSION}"
if ($version[0] -eq "v") {
$version = $version.Substring(1)
}
@@ -181,13 +187,19 @@ jobs:
- name: Set up WiX
run: dotnet tool install --global wix
- name: Setup Signature Tooling
env:
AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
run: |
dotnet tool install --global AzureSignTool --version 3.0.0
echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Pandoc Setup
uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
with:
@@ -200,17 +212,23 @@ jobs:
# to judge.
- name: Build the MSI
id: build
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
contrib\win-installer\build.ps1 `
-Version ${{steps.getversion.outputs.version}} `
-LocalReleaseDirPath ${{ github.workspace }}\release-artifacts `
-Architecture ${{ matrix.arch }}
-Version "${env:VERSION}" `
-LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" `
-Architecture "${env:PODMAN_ARCH}"
Exit $LASTEXITCODE
- name: Build the bundle (legacy)
id: build-legacy
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer-legacy
.\build.ps1 ${{steps.getversion.outputs.version}} prod ${{ github.workspace }}\release-artifacts
.\build.ps1 "${env:VERSION}" prod "${env:GITHUB_WORKSPACE}\release-artifacts"
$code = $LASTEXITCODE
if ($code -eq 2) {
Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
@@ -219,8 +237,6 @@ jobs:
}
Pop-Location
Exit $code
env:
PODMAN_ARCH: ${{ matrix.arch }}
- name: Display structure of built files
run: |
Push-Location contrib\win-installer
@@ -230,14 +246,20 @@ jobs:
Get-ChildItem
Pop-Location
- name: Rename the MSI
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer
Copy-Item -Path podman-${{steps.getversion.outputs.version}}.msi -Destination podman-installer-windows-${{ matrix.arch }}.msi
Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi"
Pop-Location
- name: Rename the bundle (legacy)
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer-legacy
Copy-Item -Path podman-${{steps.getversion.outputs.version}}-setup.exe -Destination podman-installer-windows-${{ matrix.arch }}.exe
Copy-Item -Path "podman-${env:VERSION}-setup.exe" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.exe"
Pop-Location
- name: Upload the MSI
uses: actions/upload-artifact@v5
@@ -314,7 +336,7 @@ jobs:
title="${title/rc/"RC"}"
else
# check if this version should not be marked latest
prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${{ github.repository }}/releases/latest")
prevrelease=$(curl --retry 3 --silent -m 10 --connect-timeout 5 "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest")
prevvers=$(echo "$prevrelease" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed -e "s/^v//")
vers=${VERSION#"v"}
echo "${prevvers},${vers}"
@@ -342,6 +364,7 @@ jobs:
- name: Format release email
id: format
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ needs.check.outputs.version }}
run: |
if grep -Eq '.+-rc' <<<"$VERSION"
@@ -355,15 +378,15 @@ jobs:
Hi all,
Podman ${RC_PREFIX}${VERSION} is now available. You may view the full details at
https://github.com/${{ github.repository }}/releases/tag/$VERSION
https://github.com/${GITHUB_REPOSITORY}/releases/tag/$VERSION
Release ${RC_PREFIX}Notes:
--------------
EOF
echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
gh release view $VERSION \
--repo ${{ github.repository }} --json=body --jq '.body' >> email_body.txt
echo "${GITHUB_TOKEN}" | gh auth login --with-token
gh release view "$VERSION" \
--repo "${GITHUB_REPOSITORY}" --json=body --jq '.body' >> email_body.txt
# If job fails, permit operator to observe contents in case helpful.
- name: Provide release e-mail contents for examination
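Review bot: In the Setup Signature Tooling step the five `AZ_*` secrets are now passed through the step `env:` and then re-exported to `$env:GITHUB_ENV` under new names on the `echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append` line and its four siblings, which makes them visible to every later step of the job rather than only the step that signs. If the consumer is a single later step (not visible in the hunk), giving that step its own `env:` with the `${{ secrets.* }}` references and dropping the `Out-File ... GITHUB_ENV` lines would scope them more tightly. Independently, `GITHUB_ENV` is line-delimited, so a secret value containing a newline would be read as additional variable assignments; if the re-export is kept, the `name<<EOF` delimiter form is the documented way to write such values.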


@@ -30,13 +30,15 @@ jobs:
steps:
- name: Get version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ -z "${{ inputs.version }}" ]]
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${{ github.event.release.tag_name }}
VERSION=${TAG_NAME}
else
VERSION=${{ inputs.version }}
VERSION=${INPUT_VERSION}
fi
# strip out the prefix v if it's there
@@ -55,20 +57,21 @@ jobs:
- name: Check open PRs
if: steps.getversion.outputs.notRC == 'true'
id: checkpr
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
prs=$(gh pr list \
--repo containers/podman.io \
--head bump-podmanv${{ steps.getversion.outputs.version }} \
--head "bump-podmanv${VERSION}" \
--state open \
--json title \
--jq 'length')
if ((prs > 0)); then
echo "SKIPPING: PR already exists to update to v${{ steps.getversion.outputs.version }}."
echo "SKIPPING: PR already exists to update to v${VERSION}."
else
echo "prexists=false" >> "$GITHUB_OUTPUT"
fi
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
- uses: actions/checkout@v6
if: >-
@@ -85,13 +88,15 @@ jobs:
steps.getversion.outputs.notRC == 'true' &&
steps.checkpr.outputs.prexists == 'false'
id: checkversion
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
# Check if version is actually higher than one on podman.io
prevversion=`grep -P "(?<=export const LATEST_VERSION = ')(\d.\d.\d)" -o static/data/global.ts`
echo "Version currently on site: ${prevversion}"
echo "Version to update to: ${{ steps.getversion.outputs.version }}"
echo "Version to update to: ${VERSION}"
# sort -V -C returns 0 if args are ascending version order
if echo "${prevversion},${{ steps.getversion.outputs.version }}" | tr ',' '\n' | sort -V -C && [[ ${prevversion} != ${{ steps.getversion.outputs.version }} ]]
if echo "${prevversion},${VERSION}" | tr ',' '\n' | sort -V -C && [[ "${prevversion}" != "${version}" ]]
then
echo "needsUpdate=true" >> $GITHUB_OUTPUT
echo "This release is a higher version, so we need to update podman.io"
@@ -104,9 +109,11 @@ jobs:
steps.getversion.outputs.notRC == 'true' &&
steps.checkversion.outputs.needsUpdate == 'true' &&
steps.checkpr.outputs.prexists == 'false'
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
# Replace the version in static/data/global.ts file
sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${{ steps.getversion.outputs.version }}';/g" static/data/global.ts
sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g" static/data/global.ts
echo "Updated file:"
cat static/data/global.ts
@@ -115,22 +122,23 @@ jobs:
steps.getversion.outputs.notRC == 'true' &&
steps.checkversion.outputs.needsUpdate == 'true' &&
steps.checkpr.outputs.prexists == 'false'
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="bump-podmanv${{ steps.getversion.outputs.version }}"
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="bump-podmanv${VERSION}"
git checkout -b $bumpbranch
git add static/data/global.ts
git commit --signoff -m "Bump Podman to v${{ steps.getversion.outputs.version }}"
git commit --signoff -m "Bump Podman to v${VERSION}"
git remote -v
git remote add podmanbot https://github.com/podmanbot/podman.io
git push podmanbot "+$bumpbranch"
gh pr create \
--title "Bump Podman to v${{ steps.getversion.outputs.version }}" \
--body "Bump Podman to v${{ steps.getversion.outputs.version }}" \
--title "Bump Podman to v${VERSION}" \
--body "Bump Podman to v${VERSION}" \
--head "podmanbot:$bumpbranch" \
--base "main" -R "containers/podman.io"
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
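Review bot: The rewritten comparison in the checkversion step, `[[ "${prevversion}" != "${version}" ]]`, references lowercase `version`, but the variable the step exports is `VERSION`; nothing in the step assigns `version`, so the test compares against an empty string and is true whenever `prevversion` is non-empty. That equality guard is what stops `needsUpdate=true` when the site already carries this exact version, since `sort -V -C` accepts equal versions, so the line should read `[[ "${prevversion}" != "${VERSION}" ]]`.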


@@ -27,24 +27,31 @@ jobs:
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
env:
INPUT_DRYRUN: ${{ inputs.dryrun }}
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
$inputs_dryrun = "${{ inputs.dryrun }}"
$inputs_dryrun = "${env:INPUT_DRYRUN}"
if ($inputs_dryrun.Length -lt 1) {
Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
} else {
Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Write-Output "dryrun=${env:INPUT_DRYRUN}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
}
- name: Dry Run Status
env:
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
run: |
Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
Write-Output "::notice::This workflow execution will be a dry-run: ${env:DRYRUN}"
- name: Determine version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
$version = "${{ inputs.version }}"
$version = "${env:INPUT_VERSION}"
if ($version.Length -lt 1) {
$version = "${{ github.event.release.tag_name }}"
$version = "${env:TAG_NAME}"
if ($version.Length -lt 1) {
Write-Host "::error::Could not determine version!"
Exit 1
@@ -66,16 +73,18 @@ jobs:
# to judge w/n (i.e. in some extreme case) it should be uploaded to the release page.
- name: Check
id: check
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer-legacy
.\check.ps1 ${{steps.getversion.outputs.version}}
.\check.ps1 "${env:VERSION}"
$code = $LASTEXITCODE
if ($code -eq 2) {
Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location
Exit 0
}
Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Write-Output "upload_asset_name=${env:UPLOAD_ASSET_NAME}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location
Exit $code
# The podman release process requires a cross-compile of the windows binaries be uploaded to
@@ -83,8 +92,10 @@ jobs:
# non-obvious ways with a non-obvious error message. Address that here.
- name: Confirm upload_asset_name is non-empty
if: steps.check.outputs.upload_asset_name == ''
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${{steps.getversion.outputs.version}}."
Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${env:VERSION}."
Exit 1
- name: Set up Go
uses: actions/setup-go@v6
@@ -97,13 +108,19 @@ jobs:
run: dotnet tool install --global wix
- name: Setup Signature Tooling
if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
env:
AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
run: |
dotnet tool install --global AzureSignTool --version 3.0.0
echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Pandoc Setup
uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
with:
@@ -111,9 +128,11 @@ jobs:
- name: Build
id: build
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer-legacy
.\build.ps1 ${{steps.getversion.outputs.version}} prod
.\build.ps1 "${env:VERSION}" prod
$code = $LASTEXITCODE
if ($code -eq 2) {
Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
@@ -136,14 +155,16 @@ jobs:
steps.check.outputs.already-exists != 'true' &&
steps.build.outputs.artifact-missing != 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPLOAD_ASSET_NAME: ${{ steps.check.outputs.upload_asset_name }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
Push-Location contrib\win-installer-legacy
$version = "${{ steps.getversion.outputs.version }}"
$version = "${env:VERSION}"
if ($version[0] -ne "v") {
$version = "v$version"
}
gh release upload $version ${{ steps.check.outputs.upload_asset_name }}
gh release upload $version "${env:UPLOAD_ASSET_NAME}"
if ($LASTEXITCODE -ne 0) {
.\check.ps1 $version
if ($LASTEXITCODE -eq 2) {