path: root/.github/workflows/multi-arch-build.yaml
Commit message | Author | Age
* Cirrus: Build multi-arch images + manifests | Chris Evich | 2022-03-28

  Github-actions for large/complex tasks is hard to read and maintain. Reimplement the multi-arch image build workflow into a set of bash scripts that use all native container-org tooling. This requires a special VM image setup with emulation to build foreign architectures. It also requires renaming the `helloimage` directory, because the build script uses the directory name in the image FQIN.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Pin actions to a full length commit SHA | naveensrinivasan | 2022-03-28

  - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
  - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

  >Pin actions to a full length commit SHA

  >Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

  https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

  Also dependabot supports upgrades based on SHA.

  Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Multi-arch image build: Daily version-tag push | Chris Evich | 2021-07-27

  This mirrors changes from https://github.com/containers/buildah/pull/3381

  Signed-off-by: Chris Evich <cevich@redhat.com>
* [CI:DOCS] Multi-arch image workflow: Make steps generic | Chris Evich | 2021-07-20

  This duplicates the change from https://github.com/containers/skopeo/pull/1379

  Since this workflow is duplicated across three repositories, maintaining changes becomes onerous if the item contents vary between implementations in any way. Improve this situation by encoding the repository-specific details into env. vars. then referencing those vars throughout. This way, a meaningful diff can be worked with to compare the contents across repositories.

  Also included are abstractions for the specific command used to obtain the project version, and needed details for filtering the output. Both of these vary across the Buildah, Skopeo, and Podman repos.

  NOTE: This change requires the names of two github action secrets to be updated: PODMAN_QUAY_USERNAME -> REPONAME_QUAY_USERNAME (and *PASSWORD).

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix multi-arch image build clone:failure | Chris Evich | 2021-06-16

  A suspected recent change in docker (in github-actions Ubuntu environment) results in an error:

  ```
  cannot clone: Operation not permitted
  Error: cannot re-exec process
  ```

  Fix this by using podman to execute the container instead of docker.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Sync. workflow across skopeo, buildah, and podman | Chris Evich | 2021-05-21

  Besides adding ***BIG FAT WARNING*** this commit updates the containers-repo. logic to only (and properly) handle the `stable` image (both version and `latest` tags). This change was already discussed at length with @TomSweeneyRedHat.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix variable reference typo. in multi-arch image action | Chris Evich | 2021-05-03

  Bug introduced by #10150

  Also, in case of failure of one matrix-leg, do not terminate execution of all others. There are many reasons why an item could fail (i.e. temporary networking problem). Since the job runs periodically, we can simply allow the subsequent run to cover for any missed image pushes due to sporadic job failures.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix multi-arch image workflow typo | Chris Evich | 2021-04-30

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Update container image docs + fix unstable execution | Chris Evich | 2021-04-29

  Update the order of image documentation to be from most to least stable. Similarly, avoid depending on execution of upstream podman, when building/pushing. It's easily possible for this build to function but execution to fail due to some partially implemented feature.

  Also, ensure images tagged `latest` are pushed for every matrix item. For 'upstream' and 'testing', this replaces use of the 'master' tag.

  Lastly, update workflow comments and split the 'podman' and 'containers' FQIN steps and outputs to improve readability.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix logic for pushing stable multi-arch images | Chris Evich | 2021-04-26

  The intention is to only push an image if there is ***NOT*** an existing tag. The original logic for this condition was inverted. Also, improve readability of the `{container,podman}_push=true` statements.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Several multi-arch image build/push fixes | Chris Evich | 2021-04-23

  * Fix not setting `$VERSION` before reference
  * Reduce need for "syntax-highlighting workaround" comment. Simplify context-expressions -> simple env. var. references
  * Fix pushing quay.io/containers/podman:master twice ('upstream' and 'testing' matrix items)
  * Throw error on unknown/unsupported matrix items
  * Improve readability of setting multi-line `$LABELS` value.

  Signed-off-by: Chris Evich <cevich@redhat.com>
* Add github-action workflow to build/push multi-arch | Chris Evich | 2021-04-22

  This borrows very heavily from the work done for buildah by @barthy1 - Yulia Gaponenko <yulia.gaponenko1@de.ibm.com>. Some changes to code and comments made for clarity and specificity.

  Signed-off-by: Chris Evich <cevich@redhat.com>