Merge branch 'containers:main' into main

lsm5 · Jul 4, 2024 · 5587b92 · 5587b92
2 parents b87be15 + a1edfef
commit 5587b92
Show file tree

Hide file tree

Showing 3,217 changed files with 329,874 additions and 76,138 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
@@ -44,7 +44,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             # This is where the scripts live
-            - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+            - uses: actions/checkout@v4
               with:
                   repository: containers/podman
                   ref: 'main'
@@ -61,7 +61,7 @@ jobs:
             - if: steps.cron.outputs.failures > 0
               name: Send failure notification e-mail
               # Ref: https://github.com/dawidd6/action-send-mail
-              uses: dawidd6/action-send-mail@v3.11.0
+              uses: dawidd6/action-send-mail@v3.12.0
               with:
                 server_address: ${{secrets.ACTION_MAIL_SERVER}}
                 server_port: 465
@@ -80,7 +80,7 @@ jobs:
 
             - if: failure()
               name: Send error notification e-mail
-              uses: dawidd6/action-send-mail@v3.11.0
+              uses: dawidd6/action-send-mail@v3.12.0
               with:
                 server_address: ${{secrets.ACTION_MAIL_SERVER}}
                 server_port: 465

diff --git a/.github/workflows/discussion_lock.yml b/.github/workflows/discussion_lock.yml
diff --git a/.github/workflows/issue_pr_lock.yml b/.github/workflows/issue_pr_lock.yml
@@ -0,0 +1,85 @@
+---
+
+# WARNING ALERT DANGER CAUTION ATTENTION: This file is re-used from the
+# `main` branch, by workflows in (at least) the Buildah and Skopeo repos.
+# Please think twice before making large changes, renaming, or moving the file.
+
+# Format ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+
+name: "Lock closed issues and PRs"
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  # Allow re-use of this workflow by other repositories
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  workflow_call:
+    secrets:
+      STALE_LOCKING_APP_PRIVATE_KEY:
+        required: true
+      ACTION_MAIL_SERVER:
+        required: true
+      ACTION_MAIL_USERNAME:
+        required: true
+      ACTION_MAIL_PASSWORD:
+        required: true
+      ACTION_MAIL_SENDER:
+        required: true
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+concurrency:
+  group: lock
+
+env:
+  # Number of days before a closed issue/PR is be comment-locked.
+  # Note: dessant/lock-threads will only process a max. of
+  # 50 issues/PRs at a time.
+  CLOSED_DAYS: 90
+  # Pre-created issue/PR label to add (preferably a bright color).
+  # This is intended to direct a would-be commenter's actions.
+  LOCKED_LABEL: 'locked - please file new issue/PR'
+
+jobs:
+  manage_locking:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      # Use dedicated github app to workaround API rate limiting
+      # Ref: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
+      - name: Obtain Stale Locking App token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          # N/B: These are both defined at the containers-org level
+          app-id: ${{ vars.STALE_LOCKING_APP_ID }}
+          private-key: ${{ secrets.STALE_LOCKING_APP_PRIVATE_KEY }}
+
+      # Ref: https://github.com/dessant/lock-threads#usage
+      - uses: dessant/lock-threads@v5
+        with:
+          github-token: '${{ steps.generate-token.outputs.token }}'
+          process-only: 'issues, prs'
+          issue-inactive-days: '${{env.CLOSED_DAYS}}'
+          pr-inactive-days: '${{env.CLOSED_DAYS}}'
+          add-issue-labels: '${{env.LOCKED_LABEL}}'
+          add-pr-labels: '${{env.LOCKED_LABEL}}'
+          pr-lock-reason: 'resolved'
+          log-output: true
+      - if: failure()
+        name: Send job failure notification e-mail
+        uses: dawidd6/[email protected]
+        with:
+          server_address: ${{secrets.ACTION_MAIL_SERVER}}
+          server_port: 465
+          username: ${{secrets.ACTION_MAIL_USERNAME}}
+          password: ${{secrets.ACTION_MAIL_PASSWORD}}
+          subject: Github workflow error on ${{github.repository}}
+          to: [email protected]
+          from: ${{secrets.ACTION_MAIL_SENDER}}
+          body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
@@ -67,6 +67,7 @@ jobs:
         URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
         ARM_FILE="podman-installer-macos-arm64.pkg"
         AMD_FILE="podman-installer-macos-amd64.pkg"
+        UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
 
         status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
         if [[ "$status" == "404" ]] ; then
@@ -83,19 +84,29 @@ jobs:
           echo "::warning::AMD installer already exists, skipping"
           echo "buildamd=false" >> $GITHUB_OUTPUT
         fi
+
+        status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}")
+        if [[ "$status" == "404" ]] ; then
+          echo "builduniversal=true" >> $GITHUB_OUTPUT
+        else
+          echo "::warning::Universal installer already exists, skipping"
+          echo "builduniversal=false" >> $GITHUB_OUTPUT
+        fi
     - name: Checkout Version
       if: >-
         steps.check.outputs.buildamd == 'true' ||
         steps.check.outputs.buildarm == 'true' ||
+        steps.check.outputs.builduniversal == 'true' ||
         steps.actual_dryrun.outputs.dryrun == 'true'
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      uses: actions/checkout@v4
       with:
         ref: ${{steps.getversion.outputs.version}}
     - name: Set up Go
       # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
       if: >-
         steps.check.outputs.buildamd == 'true' ||
         steps.check.outputs.buildarm == 'true' ||
+        steps.check.outputs.builduniversal == 'true' ||
         steps.actual_dryrun.outputs.dryrun == 'true'
       uses: actions/setup-go@v5
       with:
@@ -104,6 +115,7 @@ jobs:
       if: >-
         steps.check.outputs.buildamd == 'true' ||
         steps.check.outputs.buildarm == 'true' ||
+        steps.check.outputs.builduniversal == 'true' ||
         steps.actual_dryrun.outputs.dryrun == 'true'
       run: |
         echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
@@ -129,10 +141,17 @@ jobs:
       run: |
         make ARCH=amd64 notarize &> /dev/null
         cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
+    - name: Build and Sign Universal
+      if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
+      working-directory: contrib/pkginstaller
+      run: |
+        make ARCH=universal notarize &> /dev/null
+        cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums
     - name: Artifact
       if: >-
         steps.check.outputs.buildamd == 'true' ||
         steps.check.outputs.buildarm == 'true' ||
+        steps.check.outputs.builduniversal == 'true' ||
         steps.actual_dryrun.outputs.dryrun == 'true'
       uses: actions/upload-artifact@v4
       with:
@@ -144,7 +163,8 @@ jobs:
       if: >-
         steps.actual_dryrun.outputs.dryrun == 'false' &&
         (steps.check.outputs.buildamd == 'true' ||
-         steps.check.outputs.buildarm == 'true')
+         steps.check.outputs.buildarm == 'true'||
+         steps.check.outputs.builduniversal == 'true' )
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |