Restructure GHA workflows

Signed-off-by: apostasie <spam_blackhole@farcloser.world>

Author: apostasie

.github/workflows/environment.yml

@@ -0,0 +1,74 @@
+name: Shared environment
+
+on:
+  workflow_call:
+    outputs:
+      GO_OLD:
+        description: "oldest tested golang version"
+        value: "1.23"
+      GO_STABLE:
+        description: "main supported golang version"
+        value: "1.24"
+      GO_CANARY:
+        description: "canary golang version"
+        value: canary
+      RUNNER_WINDOWS_OLD:
+        description: "windows old runner"
+        value: windows-2019
+      RUNNER_WINDOWS_STABLE:
+        description: "windows stable runner"
+        value: windows-2022
+      RUNNER_WINDOWS_CANARY:
+        description: "windows canary runner"
+        value: windows-2025
+      RUNNER_LINUX_OLD:
+        description: "linux old runner"
+        value: ubuntu-22.04
+      RUNNER_LINUX_STABLE:
+        description: "linux stable runner"
+        value: ubuntu-24.04
+      RUNNER_LINUX_AMD64_STABLE:
+        description: "linux amd64 stable runner"
+        value: ubuntu-24.04
+      RUNNER_LINUX_ARM64_STABLE:
+        description: "linux arm64 stable runner"
+        value: ubuntu-24.04-arm
+      RUNNER_LINUX_CANARY:
+        description: "linux canary runner"
+        value: ubuntu-24.04
+      RUNNER_MACOS_OLD:
+        description: "macos old runner"
+        value: macos-13
+      RUNNER_MACOS_STABLE:
+        description: "macos stable runner"
+        value: macos-14
+      RUNNER_MACOS_CANARY:
+        description: "macos canary runner"
+        value: macos-15
+      TIMEOUT_SHORT:
+        description: "short timeout"
+        value: "10"
+      TIMEOUT_LONG:
+        description: "long timeout"
+        value: "40"
+      GITHUB_TOKEN:
+        description: "Github token"
+        value: ""
+      WINDOWS_CONTAINERD_VERSION:
+        description: "containerd version for windows"
+        value: "v2.0.4"
+      WINDOWS_WINCNI_VERSION:
+        description: "wincni version"
+        value: "v0.3.1"
+      WINDOWS_BUILDKIT_VERSION:
+        description: "buildkit version"
+        value: "v0.20.2"
+
+jobs:
+  blank:
+    name: "environment"
+    runs-on: ubuntu-24.04
+    steps:
+      - run: |
+          echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> "$GITHUB_ENV"
+          echo "Environment setup complete"

.github/workflows/job-build-dependencies.yml

@@ -0,0 +1,54 @@
+name: build-dependencies
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      runner-for-linux:
+        required: true
+        type: string
+      runner-for-linux-arm:
+        required: true
+        type: string
+      containerd-version-current:
+        required: true
+        type: string
+      containerd-version-old:
+        required: true
+        type: string
+
+jobs:
+  # This job builds the dependency target of the test docker image for all supported architectures and cache it in GHA
+  build-dependencies:
+    name: "dependencies |  ${{ matrix.containerd }} | ${{ matrix.arch }}"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ${{ inputs.runner-for-linux }}
+            containerd: ${{ inputs.containerd-version-old }}
+            arch: amd64
+          - runner: ${{ inputs.runner-for-linux }}
+            containerd: ${{ inputs.containerd-version-current }}
+            arch: amd64
+          - runner: ${{ inputs.runner-for-linux-arm }}
+            containerd: ${{ inputs.containerd-version-current }}
+            arch: arm64
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+      - name: "Init: expose GitHub Runtime variables for gha"
+        uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
+      - name: "Run: build dependencies for the integration test environment image"
+        run: |
+          docker buildx create --name with-gha --use
+          docker buildx build \
+            --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-${{ matrix.arch }} \
+            --cache-from type=gha,scope=test-integration-dependencies-${{ matrix.arch }} \
+            --target build-dependencies --build-arg CONTAINERD_VERSION=${{ matrix.containerd }} .

.github/workflows/job-build.yml

@@ -0,0 +1,60 @@
+# This job just builds nerdctl for the golang versions we support (as a smoke test)
+name: build
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version-stable:
+        required: true
+        type: string
+      go-version-old:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+jobs:
+  build:
+    name: ${{ format('go {0}', matrix.canary && 'canary' || matrix.go ) }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ["${{ inputs.go-version-old }}", "${{ inputs.go-version-stable }}"]
+        canary: false
+        includes:
+          go: ${{ inputs.go-version }}
+          canary: true
+
+    env:
+      GO_VERSION: ${{ matrix.go }}
+
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - if: ${{ matrix.canary == true }}
+        name: "Init: retrieve canary GO_VERSION"
+        run: |
+          . ./hack/github/golang.sh
+          printf "GO_VERSION=%s\n" "$(go::canary::for::go-setup)" >> "$GITHUB_ENV"
+
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: "Run: make binaries"
+        run: GO_VERSION="$(echo ${{ env.GO_VERSION }} | sed -e s/.x//)" make binaries

.github/workflows/job-lint-go.yml

@@ -0,0 +1,72 @@
+name: lint-go
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner-for-linux:
+        required: true
+        type: string
+      runner-for-freebsd:
+        required: true
+        type: string
+      runner-for-macos:
+        required: true
+        type: string
+      runner-for-windows:
+        required: true
+        type: string
+
+jobs:
+  # Note: technically, `make lint-go-all` would run the linter for all targets, and could be called once, on a single instance.
+  # The point of running it on a matrix instead, each GOOS separately, is to verify that the tooling itself is working on the target OS.
+  lint-go:
+    name: ${{ format('{0}{1}', matrix.goos, matrix.canary == true && ' | canary' || '') }}
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: "${{ matrix.runner }}"
+    defaults:
+      run:
+        shell: bash
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+          - runner: ${{ inputs.runner-for-freebsd }}
+            goos: freebsd
+          - runner: ${{ inputs.runner-for-macos }}
+            goos: darwin
+          - runner: ${{ inputs.runner-for-windows }}
+            goos: windows
+          - runner: ${{ inputs.runner-for-linux }}
+            goos: linux
+            # This allows the canary script to select any upcoming golang alpha/beta/RC
+            canary: true
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+      - if: ${{ matrix.canary == true }}
+        name: "Init: retrieve canary GO_VERSION"
+        run: |
+          # If canary is specified, get the latest available golang pre-release instead of the major version
+          . ./hack/build-integration-canary.sh
+          canary::golang::latest
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+      - name: "Init: install dev-tools"
+        run: |
+          make install-dev-tools
+      - name: "Run"
+        run: |
+          NO_COLOR=true GOOS="${{ matrix.goos }}" make lint-go

.github/workflows/job-lint-other.yml

@@ -0,0 +1,40 @@
+name: lint-other
+
+on:
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
+
+jobs:
+  lint-other:
+    name: "yaml | shell"
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 1
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
+      - name: "Init: install dev-tools"
+        run: |
+          make install-dev-tools
+      - name: "Run: yaml"
+        run: make lint-yaml
+      - name: "Run: shell"
+        run: make lint-shell

.github/workflows/project.yml .github/workflows/job-lint-project.yml.github/workflows/project.yml renamed to .github/workflows/job-lint-project.yml

@@ -1,30 +1,40 @@
-name: project
+name: project-checks
 
 on:
-  push:
-    branches:
-      - main
-      - 'release/**'
-  pull_request:
-
-env:
-  GOTOOLCHAIN: local
+  workflow_call:
+    inputs:
+      timeout:
+        required: true
+        type: number
+      go-version:
+        required: true
+        type: string
+      runner:
+        required: true
+        type: string
 
 jobs:
   project:
-    name: checks
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
+    name: "commits, licenses..."
+    timeout-minutes: ${{ inputs.timeout }}
+    runs-on: ${{ inputs.runner }}
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - name: "Init: checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
-          path: src/github.com/containerd/nerdctl
           fetch-depth: 100
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+          path: src/github.com/containerd/nerdctl
+      - name: "Init: install go"
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ inputs.go-version }}
+          check-latest: true
           cache-dependency-path: src/github.com/containerd/nerdctl
-      - uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4  # v1.2.2
+      - name: "Run"
+        uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4  # v1.2.2
         with:
           working-directory: src/github.com/containerd/nerdctl
           repo-access-token: ${{ secrets.GITHUB_TOKEN }}