This PR removes support for Intel Apple Macs. The removal includes
impacts to code, tests, Makefile, builds, release builds, and so forth.
Fixes Jira: RUN-3621
Signed-off-by: Brent Baude <bbaude@redhat.com>
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Explicitly set `persist-credentials: true` for uses of
`actions/checkout` where it's needed (when the job does git operations
using the stored credentials) and `persist-credentials: false` where the
stored credentials are not later used.
This reduces the risk of cached credentials accidentally being leaked
via artifacts.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Also remove some unnecessary permissions:
* The notification job in release-artifacts.yml only needs to read repo
contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
only need to read repo contents. "Update podman.io" only needs to
write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
only writing repo contents and pull requests.
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Automatically generate our GitHub release.
This GitHub action is traggered on a tag push, or manually. After a the trigger, all artifacts are built, including linux, mac, and windows installers. After everything is built, the release is automatically generated on our GitHub, and an email notification is sent out.
Our old actions are marked deprecated, and now can only be triggered manually. Leave them as-is otherwise, as a backup, so we have a tried-and-tested way of generating images, just in case this new action goes wrong.
Signed-off-by: Ashley Cui <acui@redhat.com>
This change will minimize renovate PR's.
Checkout is an action maintained by GitHub, so using the latest v4 action shouldn't have stability consequences.
Signed-off-by: Ashley Cui <acui@redhat.com>
This may be helpful in case SHA comparison is needed w/ files elsewhere.
For example, the files uploaded to a github release page.
Signed-off-by: Chris Evich <cevich@redhat.com>
These are visible when running either job manually. Fix the windows
workflow by including a `v` prefix to an obviously fictitious version
number. For consistency, update the mac workflow text to match.
Signed-off-by: Chris Evich <cevich@redhat.com>
Neither `release` nor `workflow_dispatch` triggers may be tested inside
a PR context. The workflow steps always run from what's already
committed to `main`. Rather than waiting for a release to discover
some unforeseen workflow problem, allow manual runs to optionally skip
the release upload step (by default).
Also, update the windows workflow to store an artifact of the signed
build, and migrate away from the deprecated "set-output" command.
Signed-off-by: Chris Evich <cevich@redhat.com>
Having hard-coded versions burried under a hidden directory is ripe for
maintenance headaches. Use the latest 'stable' version, since this will
be "close enough" to what we test in CI.
Ref: https://github.com/containers/podman/discussions/19404
Signed-off-by: Chris Evich <cevich@redhat.com>
Create a new GitHub Action that builds and signs the Mac pkginstaller. The action also uploads the installers to the release, and updates the shasums file.
This action is triggered on release creation, but it can also be triggered manually via a workflow dispatch.
Signed-off-by: Ashley Cui <acui@redhat.com>
