Restructure GHA workflows

Signed-off-by: apostasie <spam_blackhole@farcloser.world>

Author: apostasie

.github/workflows/environment.yml

@@ -0,0 +1,74 @@
+name: Shared environment
+
+on:
+  workflow_call:
+    outputs:
+      GO_OLD:
+        description: "oldest tested golang version"
+        value: "1.23"
+      GO_STABLE:
+        description: "main supported golang version"
+        value: "1.24"
+      GO_CANARY:
+        description: "canary golang version"
+        value: canary
+      RUNNER_WINDOWS_OLD:
+        description: "windows old runner"
+        value: windows-2019
+      RUNNER_WINDOWS_STABLE:
+        description: "windows stable runner"
+        value: windows-2022
+      RUNNER_WINDOWS_CANARY:
+        description: "windows canary runner"
+        value: windows-2025
+      RUNNER_LINUX_OLD:
+        description: "linux old runner"
+        value: ubuntu-22.04
+      RUNNER_LINUX_STABLE:
+        description: "linux stable runner"
+        value: ubuntu-24.04
+      RUNNER_LINUX_AMD64_STABLE:
+        description: "linux amd64 stable runner"
+        value: ubuntu-24.04
+      RUNNER_LINUX_ARM64_STABLE:
+        description: "linux arm64 stable runner"
+        value: ubuntu-24.04-arm
+      RUNNER_LINUX_CANARY:
+        description: "linux canary runner"
+        value: ubuntu-24.04
+      RUNNER_MACOS_OLD:
+        description: "macos old runner"
+        value: macos-13
+      RUNNER_MACOS_STABLE:
+        description: "macos stable runner"
+        value: macos-14
+      RUNNER_MACOS_CANARY:
+        description: "macos canary runner"
+        value: macos-15
+      TIMEOUT_SHORT:
+        description: "short timeout"
+        value: "10"
+      TIMEOUT_LONG:
+        description: "long timeout"
+        value: "40"
+      GITHUB_TOKEN:
+        description: "Github token"
+        value: ""
+      WINDOWS_CONTAINERD_VERSION:
+        description: "containerd version for windows"
+        value: "v2.0.4"
+      WINDOWS_WINCNI_VERSION:
+        description: "wincni version"
+        value: "v0.3.1"
+      WINDOWS_BUILDKIT_VERSION:
+        description: "buildkit version"
+        value: "v0.20.2"
+
+jobs:
+  blank:
+    name: "environment"
+    runs-on: ubuntu-24.04
+    steps:
+      - run: |
+          echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> "$GITHUB_ENV"
+          echo "Environment setup complete"

.github/workflows/job-build-dependencies.yml

@@ -0,0 +1,63 @@
+# This job pre-heats the cache for the test image by building all dependencies
+name: build-dependencies
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner-for-linux-amd:
+        required: true
+        type: string
+      runner-for-linux-arm:
+        required: true
+        type: string
+      containerd-version-stable:
+        required: true
+        type: string
+      containerd-version-old:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA
+  build-dependencies:
+    name: "${{ matrix.containerd }} | ${{ matrix.runner == inputs.runner-for-linux-arm && 'arm64' || 'amd64' }}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Build for arm & amd, current containerd
+        runner: ["${{ inputs.runner-for-linux-amd }}", "${{ inputs.runner-for-linux-arm }}"]
+        containerd: ${{ inputs.containerd-version-stable }}
+        # Additionally build for old containerd on amd
+        include:
+          - runner: ${{ inputs.runner-for-linux-amd }}
+            containerd: ${{ inputs.containerd-version-old }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Run: build dependencies for the integration test environment image"
+        run: |
+          arch=${{ matrix.runner == inputs.runner-for-linux-arm && 'arm64' || 'amd64' }}
+          docker buildx create --name with-gha --use
+          docker buildx build \
+            --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-"$arch" \
+            --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
+            --target build-dependencies --build-arg CONTAINERD_VERSION=${{ matrix.containerd }} .

.github/workflows/job-build.yml

@@ -0,0 +1,81 @@
+# This job just builds nerdctl for the golang versions we support (as a smoke test)
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version-stable:
+        required: true
+        type: string
+      go-version-old:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  build:
+    name: ${{ format('go {0}', matrix.canary && 'canary' || matrix.go ) }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Build for both old and stable go
+        go: ["${{ inputs.go-version-old }}", "${{ inputs.go-version-stable }}"]
+        canary: [false]
+        # Additionally build for canary
+        includes:
+          - go: ${{ inputs.go-version-stable }}
+            canary: true
+
+    env:
+      GO_VERSION: ${{ matrix.go }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ matrix.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/github/go-canary.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run: make binaries"
+        run: |
+          # We officially support these
+          GOOS=linux make binaries
+          GOOS=windows make binaries
+          GOOS=freebsd make binaries
+          GOOS=darwin make binaries
+          GOARCH=arm GOARM=7 make binaries
+
+          # These architectures are not released, but we still verify that we can at least compile
+          GOARCH=arm GOARM=6 make binaries
+          GOARCH=ppc64le make binaries
+          GOARCH=riscv64 make binaries
+          GOARCH=s390x make binaries

.github/workflows/job-lint-go.yml

@@ -0,0 +1,94 @@
+# This job runs golangci-lint
+# Note that technically, `make lint-go-all` would run the linter for all targets, and could be called once, on a single instance.
+# The point of running it on a matrix instead, each GOOS separately, is to verify that the tooling itself is working on the target OS.
+name: lint-go
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner-for-linux:
+        required: true
+        type: string
+      runner-for-freebsd:
+        required: true
+        type: string
+      runner-for-macos:
+        required: true
+        type: string
+      runner-for-windows:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-go:
+    name: ${{ format('{0}{1}', matrix.goos, matrix.canary && ' | canary' || '') }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+            canary: false
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+            canary: true
+          - runner: ${{ inputs.runner-for-freebsd }}
+            goos: freebsd
+            canary: false
+          - runner: ${{ inputs.runner-for-macos }}
+            goos: darwin
+            canary: false
+          - runner: ${{ inputs.runner-for-windows }}
+            goos: windows
+            canary: false
+
+    env:
+      GO_VERSION: ${{ inputs.go-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ matrix.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/github/go-canary.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install dev-tools"
+        run: |
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          echo "::endgroup::"
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run"
+        run: |
+          NO_COLOR=true GOOS="${{ matrix.goos }}" make lint-go

.github/workflows/job-lint-other.yml

@@ -0,0 +1,51 @@
+# This job runs any subsidiary linter not part of golangci (shell, yaml, etc)
+name: lint-other
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-other:
+    name: "yaml | shell"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+
+      - name: "Init: install dev-tools"
+        run: |
+          make install-dev-tools
+
+      - name: "Run: yaml"
+        run: |
+          make lint-yaml
+
+      - name: "Run: shell"
+        run: |
+          make lint-shell