diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index c52c0958..00000000 --- a/.cirrus.yml +++ /dev/null @@ -1,203 +0,0 @@ ---- - -# Main collection of env. vars to set for all tasks and scripts. -env: - #### - #### Global variables used for all tasks - #### - CONMON_SLUG: "github.com/containers/conmon" - - # Overrides default location (/tmp/cirrus) for repo clone (will become $SRC) - CIRRUS_WORKING_DIR: "/var/tmp/src/${CONMON_SLUG}" - # Required so $ENVLIB gets loaded and /bin/sh is not used - CIRRUS_SHELL: "/bin/bash" - # Save a little typing (path relative to $CIRRUS_WORKING_DIR) - SCRIPT_BASE: "./contrib/cirrus" - # Spoof self as travis, as cirrus has the same test issues as travis does - TRAVIS: "true" - - # VM Image built in containers/automation_images - IMAGE_SUFFIX: "c20260310t170224z-f43f42d14" - FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" - - # Container FQIN's - FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}" - PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}" - - -# Only github users with write-access can define or use encrypted variables -# This credential represents a service account with access to manage both VMs -# and storage. -gcp_credentials: ENCRYPTED[13e51806369f650e6ccc326338deeb3c24052fc0a7be29beef2b96da551aed3200abbb6c6406a936bb4388fb2758405c] - - -# Default VM to use unless set or modified by task -gce_instance: - image_project: "libpod-218412" - zone: "us-central1-f" # Required by Cirrus for the time being - cpu: 2 - memory: "4Gb" - disk: 200 # Required for performance reasons - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - - -# Default timeout for each task -timeout_in: '120m' - -# Verify conmon package can be built and installed on Fedora -fedora_packaging_task: - alias: fedora_packaging - - # Runs within Cirrus's "community cluster" - container: - cpu: 1 - memory: 4 - - matrix: - - name: "Packaging for Fedora" - container: - image: "${FEDORA_CONTAINER_FQIN}" - - name: "Packaging for Fedora N-1" - container: - image: "${PRIOR_FEDORA_CONTAINER_FQIN}" - - script: - - dnf install -y rpm-build libseccomp-devel - - cd $CIRRUS_WORKING_DIR - - make - - make -f .rpmbuild/Makefile - - rpmbuild --rebuild conmon-*.src.rpm - - dnf remove -y conmon - - dnf -y install ~/rpmbuild/RPMS/x86_64/conmon*.x86_64.rpm - - ls -l /usr/bin/conmon - - timeout_in: '20m' - - -# Verify build completes successfully -build_task: - # Runs within Cirrus's "community cluster" - gce_instance: - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - cpu: 1 - memory: 4 - disk: 200 - - script: - - dnf install -y make glib2-devel git gcc pkg-config systemd-devel libseccomp-devel podman bats jq socat - - cd $CIRRUS_WORKING_DIR - - make - - make test - -# Test coverage -coverage_task: - # Runs within Cirrus's "community cluster" - gce_instance: - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - cpu: 1 - memory: 4 - disk: 200 - - script: - - dnf install -y make glib2-devel git gcc pkg-config systemd-devel libseccomp-devel gcovr podman bats jq socat - - cd $CIRRUS_WORKING_DIR - - make test-coverage - - -# Verify code was fmt'ed properly -fmt_task: - # Runs within Cirrus's "community cluster" - container: - image: "${FEDORA_CONTAINER_FQIN}" - cpu: 1 - memory: 4 - - script: - - dnf install -y clang clang-tools-extra - - cd $CIRRUS_WORKING_DIR - - make fmt - - git diff --exit-code - - -# Build the static binary -static_binary_task: - alias: static_binary - - # Community-maintained task, may fail on occasion. If so, uncomment - # the next line and file an issue with details about the failure. - # allow_failures: true - - timeout_in: '360m' - - gce_instance: - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - cpu: 8 - memory: 12 - disk: 200 - - env: - # Do not use 'latest', fixed-version tag for runtime stability. - CTR_FQIN: "docker.io/nixos/nix:2.15.0" - # Authentication token for pushing the build cache to cachix. - # This is critical, it helps to avoid a very lengthy process of - # statically building every dependency needed to build conmon. - # Assuming the pinned nix dependencies in nix/nixpkgs.json have not - # changed, this cache will ensure that only the static conmon binary is - # built. - CACHIX_AUTH_TOKEN: ENCRYPTED[4c3b8d82b0333abf048c56a71f2559ddb1c9ed38f0c28916eca13f79affa5904cf90c76a5bd8686680c89f41079ef341] - - matrix: - - name: "Static amd64 binary" - env: - TARGET: default.nix - - name: "Static arm64 binary" - env: - TARGET: default-arm64.nix - - name: "Static ppc64le binary" - env: - TARGET: default-ppc64le.nix - - name: "Static riscv64 binary" - env: - TARGET: default-riscv64.nix - - name: "Static s390x binary" - env: - TARGET: default-s390x.nix - - build_script: | - set -ex - podman run -i --rm \ - -e CACHIX_AUTH_TOKEN \ - -v $PWD:$PWD:Z \ - -w $PWD \ - $CTR_FQIN \ - sh -c \ - "nix-env -iA cachix -f https://cachix.org/api/v1/install && \ - cachix use conmon && \ - nix-build nix/$TARGET && \ - nix-store -qR --include-outputs \$(nix-instantiate nix/$TARGET) | grep -v conmon | cachix push conmon && \ - cp -R result/bin ." - - binaries_artifacts: - path: "bin/conmon" - -# This task is critical. It updates the "last-used by" timestamp stored -# in metadata for all VM images. This mechanism functions in tandem with -# an out-of-band pruning operation to remove disused VM images. -meta_task: - name: "VM img. keepalive" - alias: meta - container: - cpu: 2 - memory: 2 - image: quay.io/libpod/imgts:latest - env: - # Space-separated list of images used by this repository state - IMGNAMES: >- - ${FEDORA_CACHE_IMAGE_NAME} - BUILDID: "${CIRRUS_BUILD_ID}" - REPOREF: "${CIRRUS_REPO_NAME}" - GCPJSON: ENCRYPTED[08de2c74178470b1bc85a107e9962f06dbd11d33c7adf024d3e48ae4399ca5383f9d3ad0e2fd65c3ce12750dd6ef8803] - GCPNAME: ENCRYPTED[561ce33a9357e5b8e3fb54739c3af31730c0c3b736792f16a67026a8544379d83ff3c27d6fea1c7797a6ae49b6e58115] - GCPPROJECT: libpod-218412 - clone_script: &noop mkdir -p $CIRRUS_WORKING_DIR - script: /usr/local/bin/entrypoint.sh diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml new file mode 100644 index 00000000..7c9a70be --- /dev/null +++ b/.github/workflows/coverage.yml @@ -0,0 +1,31 @@ +name: coverage +on: + push: + tags: + - v* + branches: + - main + pull_request: +permissions: {} + +jobs: + + coverage: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y gcovr libglib2.0-dev libseccomp-dev libsystemd-dev pkg-config bats socat + - name: Run coverage + run: | + sudo mkdir -p /var/run/crio + sudo make test-coverage + + all-done: + needs: + - coverage + runs-on: ubuntu-latest + steps: + - run: echo "All jobs completed" diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 74dc0996..622d7aff 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -6,6 +6,7 @@ on: branches: - main pull_request: +permissions: {} jobs: diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml new file mode 100644 index 00000000..26381b6e --- /dev/null +++ b/.github/workflows/static.yml @@ -0,0 +1,60 @@ +name: static-binary +on: + push: + tags: + - v* + workflow_dispatch: +permissions: {} + +jobs: + + static-binary: + runs-on: ubuntu-latest + timeout-minutes: 360 + strategy: + fail-fast: false + matrix: + include: + - name: amd64 + target: default.nix + - name: arm64 + target: default-arm64.nix + - name: ppc64le + target: default-ppc64le.nix + - name: riscv64 + target: default-riscv64.nix + - name: s390x + target: default-s390x.nix + steps: + - uses: actions/checkout@v6 + - name: Install podman + run: | + sudo apt-get update + sudo apt-get install -y podman + - name: Build static ${{ matrix.name }} binary + env: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + TARGET: ${{ matrix.target }} + run: | + podman run -i --rm \ + -e CACHIX_AUTH_TOKEN \ + -v "$PWD:$PWD:Z" \ + -w "$PWD" \ + docker.io/nixos/nix:2.15.0 \ + sh -c \ + "nix-env -iA cachix -f https://cachix.org/api/v1/install && \ + cachix use conmon && \ + nix-build nix/$TARGET && \ + nix-store -qR --include-outputs \$(nix-instantiate nix/$TARGET) | grep -v conmon | cachix push conmon && \ + cp -R result/bin ." + - uses: actions/upload-artifact@v4 + with: + name: conmon-${{ matrix.name }} + path: bin/conmon + + all-done: + needs: + - static-binary + runs-on: ubuntu-latest + steps: + - run: echo "All jobs completed" diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 093dc249..cbca6f2d 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -7,8 +7,7 @@ on: - main - release-* pull_request: -permissions: - contents: read +permissions: {} jobs: