Restructure GHA workflows

Signed-off-by: apostasie <spam_blackhole@farcloser.world>

Author: apostasie

.github/workflows/job-test-dependencies.yml

@@ -0,0 +1,54 @@
+# This job pre-heats the cache for the test image by building all dependencies
+name: build-dependencies
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+      containerd-version:
+        required: false
+        default: ''
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA
+  build-dependencies:
+    # Note: for whatever reason, you cannot access env.RUNNER_ARCH here
+    name: "${{ contains(inputs.runner, 'arm') && 'arm64' || 'amd64' }}${{ inputs.containerd-version && format(' | {0}', inputs.containerd-version) || ''}}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Run: build dependencies for the integration test environment image"
+        run: |
+          # Cache is sharded per-architecture
+          arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}
+          docker buildx create --name with-gha --use
+          # Honor old containerd if requested
+          args=()
+          if [ "${{ inputs.containerd-version }}" != "" ]; then
+            args=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})
+          fi
+          docker buildx build \
+            --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-"$arch" \
+            --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
+            --target build-dependencies "${args[@]}" .

.github/workflows/job-test-in-lima.yml

@@ -0,0 +1,119 @@
+# Currently, Lima job test only for EL8, though in the future it could be used to also test FreeBSD
+# EL8 is used for testing compatibility with cgroup v1.
+# Do not upgrade this to EL9 (cgroup v2).
+name: test-in-lima
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+
+jobs:
+  test:
+    name: "${{ matrix.mode }} (cgroup v1)"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    strategy:
+      fail-fast: false
+      matrix:
+        mode: ["rootful", "rootless"]
+    env:
+      MODE: ${{ matrix.mode }}
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: lima"
+        uses: lima-vm/lima-actions/setup@be564a1408f84557d067b099a475652288074b2e  # v1.0.0
+        id: lima-actions-setup
+
+      - name: "Init: Cache"
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
+        with:
+          path: ~/.cache/lima
+          key: lima-${{ steps.lima-actions-setup.outputs.version }}
+
+      - name: "Init: start the guest VM"
+        run: |
+          set -eux
+          # containerd=none is set because the built-in containerd support conflicts with Docker
+          limactl start \
+            --name=default \
+            --cpus=4 \
+            --memory=12 \
+            --containerd=none \
+            --set '.mounts=null | .portForwards=[{"guestSocket":"/var/run/docker.sock","hostSocket":"{{.Dir}}/sock/docker.sock"}]' \
+            template://almalinux-8
+
+      # FIXME: the tests should be directly executed in the VM without nesting Docker inside it
+      # https://github.com/containerd/nerdctl/issues/3858
+      - name: "Init: install dockerd in the guest VM"
+        run: |
+          set -eux
+          lima sudo mkdir -p /etc/systemd/system/docker.socket.d
+          cat <<-EOF | lima sudo tee /etc/systemd/system/docker.socket.d/override.conf
+          [Socket]
+          SocketUser=$(whoami)
+          EOF
+          lima sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
+          lima sudo dnf -q -y install docker-ce --nobest
+          lima sudo systemctl enable --now docker
+
+      - name: "Init: configure the host to use dockerd in the guest VM"
+        run: |
+          set -eux
+          sudo systemctl disable --now docker.service docker.socket
+          export DOCKER_HOST="unix://$(limactl ls --format '{{.Dir}}/sock/docker.sock' default)"
+          echo "DOCKER_HOST=${DOCKER_HOST}" >>$GITHUB_ENV
+          docker info
+          docker version
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Init: prepare integration tests"
+        run: |
+          set -eux
+
+          sudo losetup -Dv
+          sudo losetup -lv
+
+          TARGET=test-integration
+          [ "$MODE" = "rootless" ] && TARGET=test-integration-rootless
+          docker buildx create --name with-gha --use
+          docker buildx build \
+            --output=type=docker \
+            --cache-from type=gha,scope=test-integration-dependencies-amd64 \
+            -t test-integration --target "${TARGET}" \
+            .
+
+      - name: "Run integration tests"
+        # Presumably, something is broken with the way docker exposes /dev to the container, as it appears to only
+        # randomly work. Mounting /dev does workaround the issue.
+        # This might be due to the old kernel shipped with Alma (4.18), or something else between centos/docker.
+        run: |
+          set -eux
+          if [ "$MODE" = "rootless" ]; then
+            echo "rootless"
+            docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=false
+          else
+            echo "rootful"
+            docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=false
+          fi
+      - name: "Run: integration tests (flaky)"
+        run: |
+          set -eux
+          if [ "$MODE" = "rootless" ]; then
+            echo "rootless"
+            docker run -t -v /dev:/dev --rm --privileged test-integration /test-integration-rootless.sh ./hack/test-integration.sh -test.only-flaky=true
+          else
+            echo "rootful"
+            docker run -t -v /dev:/dev --rm --privileged test-integration ./hack/test-integration.sh -test.only-flaky=true
+          fi

.github/workflows/job-test-in-vagrant.yml

@@ -0,0 +1,58 @@
+# Right now, this is testing solely FreeBSD, but could be used to test other targets.
+# Alternatively, this might get replaced entirely by Lima eventually.
+name: test-in-vagrant
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner:
+        required: true
+        type: string
+
+jobs:
+  test:
+    name: "14"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: setup cache"
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
+        with:
+          path: /root/.vagrant.d
+          key: vagrant
+
+      - name: "Init: set up vagrant"
+        run: |
+          # from https://github.com/containerd/containerd/blob/v2.0.2/.github/workflows/ci.yml#L583-L596
+          # which is based on https://github.com/opencontainers/runc/blob/v1.1.8/.cirrus.yml#L41-L49
+          curl -fsSL --proto '=https' --tlsv1.2 https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+          sudo apt-get update -qq
+          sudo apt-get install -qq libvirt-daemon libvirt-daemon-system vagrant ovmf
+          # https://github.com/vagrant-libvirt/vagrant-libvirt/issues/1725#issuecomment-1454058646
+          sudo cp /usr/share/OVMF/OVMF_VARS_4M.fd /var/lib/libvirt/qemu/nvram/
+          sudo systemctl enable --now libvirtd
+          sudo apt-get build-dep -qq ruby-libvirt
+          sudo apt-get install -qq --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
+          # Disable strict dependency enforcement to bypass gem version conflicts during the installation of the vagrant-libvirt plugin.
+          sudo env VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install vagrant-libvirt
+
+      - name: "Init: boot VM"
+        run: |
+          ln -sf Vagrantfile.freebsd Vagrantfile
+          sudo vagrant up --no-tty
+
+      - name: "Run: test-unit"
+        run: sudo vagrant up --provision-with=test-unit
+
+      - name: "Run: test-integration"
+        run: sudo vagrant up --provision-with=test-integration