12 changes: 7 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -46,6 +46,8 @@ jobs:
validate-source:
name: Validate source code changes
runs-on: cncf-ubuntu-8-32-x86
permissions:
pull-requests: read # For hack/ci/pr-should-include-tests to query PR labels.
env:
# Base commit of this PR; used by the Makefile and the helper scripts to
# compute the commit range (git merge-base $DEST_BRANCH HEAD).
Expand Down Expand Up @@ -126,8 +128,9 @@ jobs:
run: make swagger

- name: Check that the PR includes tests
# The 'No New Tests' label lets maintainers override this check.
if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'No New Tests') }}
env:
# For hack/ci/pr-should-include-tests to query PR labels.
GITHUB_TOKEN: ${{ github.token }}
run: make tests-included

- name: Validate renovate config
Expand All @@ -154,9 +157,8 @@ jobs:
# limit enforced by hack/ci/make-and-check-size.sh.
if: ${{ github.event_name == 'pull_request' }}
env:
# The 'bloat_approved' label lets a repo admin override the binary
# size growth check in hack/ci/make-and-check-size.sh.
BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }}
# For hack/ci/make-and-check-size.sh to query PR labels.
GITHUB_TOKEN: ${{ github.token }}
run: |
# git rebase rewrites commits, so it needs a committer identity.
git config user.name "CI"
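Review bot: The `Check that the PR includes tests` step appears to have lost its `if:` entirely, so the `github.event_name == 'pull_request'` guard went away together with the label test, while the size-check step further down keeps `if: ${{ github.event_name == 'pull_request' }}`. If this workflow also runs on other events, `make tests-included` now runs there with no pull request to query; unless hack/ci/pr-should-include-tests (not shown) handles that case, keep `if: ${{ github.event_name == 'pull_request' }}` on the step. Separately, the new job-level `permissions:` block lists only `pull-requests: read`, which sets every unlisted scope to none for validate-source; adding `contents: read` would make the checkout requirement explicit. The job body continues outside these hunks, so both points should be checked against the full file.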
74 changes: 39 additions & 35 deletions .github/workflows/dev-bump.yml
Expand Up @@ -15,8 +15,7 @@ jobs:
- name: Bump
id: bump
run: |
ref=${{ github.ref_name }}
version=${ref#v}
version=${GITHUB_REF_NAME#v}
if [[ $version == *-rc* ]]; then
devbump="${version%-*}-dev"
echo "::notice:: is a rc - bumping z down to $devbump"
Expand All @@ -27,53 +26,56 @@ jobs:
echo "::notice:: bumping z up to $devbump"
fi

sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go

echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="bump-${DEVBUMP}"
git checkout -b $bumpbranch
git add version/rawversion/version.go
git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}"
git commit --signoff -m "Bump Podman to v${DEVBUMP}"
git remote add podmanbot https://github.com/podmanbot/podman
git push -f podmanbot "$bumpbranch"
- name: Check open PRs
id: checkpr
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
prs=$(gh pr list \
--repo ${{ github.repository }} \
--head bump-${{ steps.bump.outputs.devbump }} \
--repo "${GITHUB_REPOSITORY}" \
--head "bump-${DEVBUMP}" \
--state open \
--json title \
--jq 'length')
if ((prs > 0)); then
echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}."
echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}."
else
echo "prexists=false" >> "$GITHUB_OUTPUT"
fi
- name: Open PR
if: steps.checkpr.outputs.prexists == 'false'
id: pr
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
ref=${{ github.ref_name }}
base=${ref%.*}
bumpbranch="bump-${DEVBUMP}"
base=${GITHUB_REF_NAME%.*}
body=$(printf '```release-note\nNone\n```\n')
gh pr create \
--title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \
--title "Bump Podman to v${DEVBUMP}" \
--body "$body" \
--head "podmanbot:$bumpbranch" \
--base "$base" \
--repo ${{ github.repository }}
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
--repo "${GITHUB_REPOSITORY}"
mainbump:
name: Bump on main
runs-on: ubuntu-latest
Expand All @@ -88,8 +90,7 @@ jobs:
id: check
run: |
mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go`
ref=${{ github.ref_name }}
releasevers=${ref#v}
releasevers=${GITHUB_REF_NAME#v}
if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C
then
echo "bump=true" >> $GITHUB_OUTPUT
Expand All @@ -101,58 +102,61 @@ jobs:
id: bump
if: steps.check.outputs.bump == 'true'
run: |
ref=${{ github.ref_name }}
releasevers=${ref#v}
releasevers=${GITHUB_REF_NAME#v}

arr=($(echo "$releasevers" | tr . '\n'))
arr[1]=$((${arr[1]}+1))
arr[2]=0
devbump="$(IFS=. ; echo "${arr[*]}")-dev"
echo "::notice:: Bumping main to: $devbump"

sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go
sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go

echo "devbump=$devbump" >> $GITHUB_OUTPUT
- name: Push
if: steps.check.outputs.bump == 'true'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
run: |
# Make committer the user who triggered the action, either through cutting a release or manual trigger
# GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name ${{ github.actor }}
git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
# GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
git config --local user.name "${GITHUB_ACTOR}"
git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
bumpbranch="bump-main-${DEVBUMP}"
git checkout -b $bumpbranch
git add version/rawversion/version.go
git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}"
git commit --signoff -m "Bump main to v${DEVBUMP}"
git remote add podmanbot https://github.com/podmanbot/podman
git push -f podmanbot "$bumpbranch"
- name: Check open PRs
id: checkpr
if: steps.check.outputs.bump == 'true'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
prs=$(gh pr list \
--repo ${{ github.repository }} \
--head bump-main-${{ steps.bump.outputs.devbump }} \
--repo "${GITHUB_REPOSITORY}" \
--head "bump-main-${DEVBUMP}" \
--state open \
--json title \
--jq 'length')
if ((prs > 0)); then
echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}."
echo "SKIPPING: PR already exists to update to ${DEVBUMP}."
else
echo "prexists=false" >> "$GITHUB_OUTPUT"
fi
- name: Open PR
if: steps.check.outputs.bump == 'true' && steps.checkpr.outputs.prexists == 'false'
env:
DEVBUMP: ${{ steps.bump.outputs.devbump }}
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
run: |
bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
bumpbranch="bump-main-${DEVBUMP}"
body=$(printf '```release-note\nNone\n```\n')
gh pr create \
--title "Bump main to v${{ steps.bump.outputs.devbump }}" \
--title "Bump main to v${DEVBUMP}" \
--body "$body" \
--head "podmanbot:$bumpbranch" \
--base "main" \
--repo ${{ github.repository }}
env:
GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
--repo "${GITHUB_REPOSITORY}"
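Review bot: `version` and `releasevers` are still taken from `GITHUB_REF_NAME` without any format check, and the derived `devbump` is then expanded inside the sed expression, a branch name, a commit message and `$GITHUB_OUTPUT`. Moving the values into the environment stops expression-level injection and `--sandbox` disables sed's `e`/`r`/`w` commands, but a ref containing `/`, `&` or a backslash still changes what the `s` command does, and the comment in the Push step says the workflow can also be triggered manually, so the ref is not guaranteed to be a release tag. A guard right after the assignment would close this, e.g. `[[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]] || { echo "::error::unexpected ref ${GITHUB_REF_NAME}"; exit 1; }` (pattern to be adjusted to the project's tag scheme), with the same check on `releasevers` in the mainbump job. The run blocks continue outside the visible hunks.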
33 changes: 21 additions & 12 deletions .github/workflows/first_contrib_cert_generator.yml
Expand Up @@ -64,15 +64,16 @@ jobs:
# Step 3: Update the HTML file locally
- name: Update HTML file
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
env:
CONTRIBUTOR_NAME: ${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number || github.event.pull_request.number }}
run: |
HTML_FILE="automation-repo/certificate-generator/certificate_generator.html"
CONTRIBUTOR_NAME="${{ github.event.inputs.contributor_username || github.event.pull_request.user.login }}"
PR_NUMBER="${{ github.event.inputs.pr_number || github.event.pull_request.number }}"
MERGE_DATE=$(date -u +"%B %d, %Y")

sed -i "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
sed -i "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
sed -i "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }
sed --sandbox -i -e "/id=\"contributorName\"/s/value=\"[^\"]*\"/value=\"${CONTRIBUTOR_NAME}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update contributor name."; exit 1; }
sed --sandbox -i -e "/id=\"prNumber\"/s/value=\"[^\"]*\"/value=\"#${PR_NUMBER}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update PR number."; exit 1; }
sed --sandbox -i -e "/id=\"mergeDate\"/s/value=\"[^\"]*\"/value=\"${MERGE_DATE}\"/" ${HTML_FILE} || { echo "ERROR: Failed to update merge date."; exit 1; }

# Step 4: Setup Node.js environment
- name: Setup Node.js
Expand Down Expand Up @@ -119,6 +120,10 @@ jobs:
- name: Upload certificate to separate repository
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
uses: actions/github-script@v8
env:
CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
USER_LOGIN: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
github-token: ${{ secrets.CERTIFICATES_REPO_TOKEN }}
script: |
Expand Down Expand Up @@ -156,10 +161,10 @@ jobs:
// Create a unique filename with timestamp
const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
const contributorName = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.contributor_username }}'
: '${{ github.event.pull_request.user.login }}';
? process.env.CONTRIBUTOR_USERNAME
: process.env.USER_LOGIN;
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;

const filename = `certificates/${contributorName}-${prNumber}-${timestamp}.png`;
Expand Down Expand Up @@ -218,6 +223,10 @@ jobs:
- name: Comment with embedded certificate image
if: ${{ github.event_name == 'workflow_dispatch' || steps.check_first_pr.outputs.is_first_pr == 'true' }}
uses: actions/github-script@v8
env:
CONTRIBUTOR_USERNAME: ${{ github.event.inputs.contributor_username }}
USER_LOGIN: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
try {
Expand All @@ -239,17 +248,17 @@ jobs:

if (context.eventName === 'workflow_dispatch') {
// Manual trigger case
const contributorName = '${{ github.event.inputs.contributor_username }}';
const prNumber = '${{ github.event.inputs.pr_number }}';
const contributorName = process.env.CONTRIBUTOR_USERNAME;
const prNumber = process.env.PR_NUMBER;
body = `📜 Certificate preview generated for @${contributorName} (PR #${prNumber}):\n\n${body}`;
} else {
// Auto trigger case for first-time contributors
const username = '${{ github.event.pull_request.user.login }}';
const username = process.env.USER_LOGIN;
body = `🎉 Congratulations on your first merged pull request, @${username}! Thank you for your contribution.\n\nHere's a preview of your certificate:\n\n${body}`;
}

const issueNumber = context.eventName === 'workflow_dispatch' ?
parseInt('${{ github.event.inputs.pr_number }}') :
parseInt(process.env.PR_NUMBER) :
context.issue.number;

await github.rest.issues.createComment({
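Review bot: `contributor_username` and `pr_number` are manually supplied `workflow_dispatch` inputs, and the new code still uses them unvalidated: `CONTRIBUTOR_NAME` is expanded into the sed replacement and the HTML `value` attribute, and `process.env.CONTRIBUTOR_USERNAME` ends up in `certificates/${contributorName}-${prNumber}-${timestamp}.png` in the step that holds `CERTIFICATES_REPO_TOKEN`. Reading them from the environment removes the script injection, but not the effect of path, sed or markup characters in the value. I would check both before use, for example `if (!/^[A-Za-z0-9-]+(\[bot\])?$/.test(contributorName)) throw new Error('unexpected contributor name');` and `parseInt(process.env.PR_NUMBER, 10)` followed by a `Number.isInteger` test, plus an equivalent pattern check in the shell step before the first `sed`. The script bodies continue outside the hunks, so an existing check elsewhere cannot be ruled out.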
30 changes: 20 additions & 10 deletions .github/workflows/mac-pkg.yml
Expand Up @@ -36,33 +36,42 @@ jobs:
steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
env:
INPUT_DRYRUN: ${{ inputs.dryrun }}
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
if [[ -z "${INPUT_DRYRUN}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
env:
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
- name: Determine Version
id: getversion
env:
INPUT_VERSION: ${{ inputs.version }}
TAG_NAME: ${{ github.event.release.tag_name }}
run: |
if [[ -z "${{ inputs.version }}" ]]
if [[ -z "${INPUT_VERSION}" ]]
then
VERSION=${{ github.event.release.tag_name }}
VERSION=${TAG_NAME}
else
VERSION=${{ inputs.version }}
VERSION=${INPUT_VERSION}
fi
echo
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Check uploads
id: check
env:
VERSION: ${{ steps.getversion.outputs.version }}
run: |
URI="https://github.com/containers/podman/releases/download/${{steps.getversion.outputs.version}}"
URI="https://github.com/containers/podman/releases/download/${VERSION}"
ARM_FILE="podman-installer-macos-arm64.pkg"
AMD_FILE="podman-installer-macos-amd64.pkg"
UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
Expand Down Expand Up @@ -165,8 +174,9 @@ jobs:
steps.check.outputs.builduniversal == 'true' )
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ steps.getversion.outputs.version }}
run: |
(gh release download ${{steps.getversion.outputs.version}} -p "shasums" || exit 0)
(gh release download "${VERSION}" -p "shasums" || exit 0)
cat contrib/pkginstaller/out/shasums >> shasums
gh release upload ${{steps.getversion.outputs.version}} contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload ${{steps.getversion.outputs.version}} --clobber shasums
gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
gh release upload "${VERSION}" --clobber shasums
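Review bot: In the upload step, `(gh release download "${VERSION}" -p "shasums" || exit 0)` treats every download failure the same as "no shasums asset yet", and the following `gh release upload "${VERSION}" --clobber shasums` then replaces the published file with only the checksums produced by this run. A transient API or network error would therefore drop the existing checksum entries from the release. I would distinguish the two cases, for instance by listing the assets with `gh release view "${VERSION}" --json assets` first and letting a failed download of an existing `shasums` stop the job. Minor: `$GITHUB_OUTPUT` is still unquoted in the `echo ... >>` lines of the earlier steps.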