Restructure GHA workflows

Signed-off-by: apostasie <spam_blackhole@farcloser.world>

Author: apostasie

.github/workflows/job-build-dependencies.yml

@@ -0,0 +1,65 @@
+# This job pre-heats the cache for the test image by building all dependencies
+name: build-dependencies
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner-for-linux-amd:
+        required: true
+        type: string
+      runner-for-linux-arm:
+        required: true
+        type: string
+      containerd-version-old:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA
+  build-dependencies:
+    name: "${{ matrix.runner == inputs.runner-for-linux-arm && 'arm64' || 'amd64' }}${{ matrix.old-containerd && format(' | {0}', inputs.containerd-version-old) || ''}}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Build for arm & amd, current containerd
+          - runner: ${{ inputs.runner-for-linux-amd }}
+          - runner: ${{ inputs.runner-for-linux-arm }}
+          # Additionally build for old containerd on amd
+          - runner: ${{ inputs.runner-for-linux-amd }}
+            old-containerd: true
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+
+      - name: "Run: build dependencies for the integration test environment image"
+        run: |
+          # Cache is sharded per-architecture
+          arch=${{ matrix.runner == inputs.runner-for-linux-arm && 'arm64' || 'amd64' }}
+          docker buildx create --name with-gha --use
+          # Honor old containerd if requested
+          args=()
+          if [ "${{ matrix.old-containerd }}" == true ]; then
+            args=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version-old }})
+          fi
+          docker buildx build \
+            --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-"$arch" \
+            --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
+            --target build-dependencies "${args[@]}" .

.github/workflows/job-build.yml

@@ -0,0 +1,82 @@
+# This job just builds nerdctl for the golang versions we support (as a smoke test)
+name: build-for-go
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version-old:
+        required: true
+        type: string
+      go-version-stable:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  build-all-targets:
+    name: ${{ format('go {0}', matrix.canary && 'canary' || matrix.go ) }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ inputs.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Build for both old and stable go
+          - go: ${{ inputs.go-version-stable }}
+            canary: false
+          - go: ${{ inputs.go-version-old }}
+            canary: false
+          # Additionally build for canary
+          - canary: true
+
+    env:
+      GO_VERSION: ${{ matrix.go }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ matrix.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetcher.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run: make binaries"
+        run: |
+          # We officially support these
+          GOOS=linux make binaries
+          GOOS=windows make binaries
+          GOOS=freebsd make binaries
+          GOOS=darwin make binaries
+          GOARCH=arm GOARM=7 make binaries
+
+          # These architectures are not released, but we still verify that we can at least compile
+          GOARCH=arm GOARM=6 make binaries
+          GOARCH=ppc64le make binaries
+          GOARCH=riscv64 make binaries
+          GOARCH=s390x make binaries

.github/workflows/job-lint-go.yml

@@ -0,0 +1,100 @@
+# This job runs golangci-lint
+# Note that technically, `make lint-go-all` would run the linter for all targets, and could be called once, on a single instance.
+# The point of running it on a matrix instead, each GOOS separately, is to verify that the tooling itself is working on the target OS.
+name: lint-go
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner-for-linux:
+        required: true
+        type: string
+      runner-for-freebsd:
+        required: true
+        type: string
+      runner-for-macos:
+        required: true
+        type: string
+      runner-for-windows:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-go:
+    name: ${{ format('{0}{1}', matrix.goos, matrix.canary && ' (go canary)' || '') }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+            canary: false
+          - runner: ${{ inputs.runner-for-freebsd }}
+            goos: freebsd
+            canary: false
+          - runner: ${{ inputs.runner-for-macos }}
+            goos: darwin
+            canary: false
+          - runner: ${{ inputs.runner-for-windows }}
+            goos: windows
+            canary: false
+          # Additionally lint linux for canary
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+            canary: true
+
+    env:
+      GO_VERSION: ${{ inputs.go-version }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ matrix.canary }}
+        name: "Init (canary): retrieve GO_VERSION"
+        run: |
+          latest_go="$(. ./hack/provisioning/version/fetcher.sh; go::canary::for::go-setup)"
+          printf "GO_VERSION=%s\n" "$latest_go" >> "$GITHUB_ENV"
+          [ "$latest_go" != "" ] || \
+            echo "::warning title=No canary go::There is currently no canary go version to test. Steps will not run."
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Init: install dev-tools"
+        run: |
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          echo "::endgroup::"
+
+      - if: ${{ env.GO_VERSION != '' }}
+        name: "Run"
+        run: |
+          # On canary, lint for all supported targets
+          if [ "${{ matrix.canary }}" != "" ]; then
+            NO_COLOR=true GOOS="${{ matrix.goos }}" make lint-go-all
+          else
+            NO_COLOR=true GOOS="${{ matrix.goos }}" make lint-go
+          fi

.github/workflows/job-lint-other.yml

@@ -0,0 +1,53 @@
+# This job runs any subsidiary linter not part of golangci (shell, yaml, etc)
+name: lint-other
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  lint-other:
+    name: "yaml | shell"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+
+      - name: "Init: install dev-tools"
+        run: |
+          echo "::group:: make install-dev-tools"
+          make install-dev-tools
+          echo "::endgroup::"
+
+      - name: "Run: yaml"
+        run: |
+          make lint-yaml
+
+      - name: "Run: shell"
+        run: |
+          make lint-shell

.github/workflows/job-lint-project.yml

@@ -0,0 +1,56 @@
+# This job runs containerd shared project-checks, that verifies licenses, headers, and commits.
+# To run locally, you may just use `make lint` instead, that does the same thing
+# (albeit `make lint` uses more modern versions).
+name: project-checks
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+env:
+  GOTOOLCHAIN: local
+
+jobs:
+  project:
+    name: "commits, licenses..."
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 100
+          path: src/github.com/containerd/nerdctl
+
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+          cache-dependency-path: src/github.com/containerd/nerdctl
+
+      - name: "Run"
+        uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4  # v1.2.2
+        with:
+          working-directory: src/github.com/containerd/nerdctl
+          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
+          # go-licenses-ignore is set because go-licenses cannot detect the license of the following package:
+          # * go-base36: Apache-2.0 OR MIT (https://github.com/multiformats/go-base36/blob/master/LICENSE.md)
+          #
+          # The list of the CNCF-approved licenses can be found here:
+          # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+          go-licenses-ignore: |
+            github.com/multiformats/go-base36