diff --git a/.github/workflows/.dco.yml b/.github/workflows/.dco.yml index 8adbe5d87f..6ee7c9e1a8 100644 --- a/.github/workflows/.dco.yml +++ b/.github/workflows/.dco.yml @@ -3,12 +3,6 @@ name: .dco # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -30,14 +24,14 @@ jobs: fetch-depth: 0 - name: Dump context - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | console.log(JSON.stringify(context, null, 2)); - name: Get base ref id: base-ref - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: result-encoding: string script: | diff --git a/.github/workflows/.test-unit.yml b/.github/workflows/.test-unit.yml index fae0f502c7..49117be2be 100644 --- a/.github/workflows/.test-unit.yml +++ b/.github/workflows/.test-unit.yml @@ -3,17 +3,14 @@ name: .test-unit # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read on: workflow_call: + secrets: + CODECOV_TOKEN: + required: false env: GO_VERSION: "1.26.2" 
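Review bot: The new `CODECOV_TOKEN` entry under `workflow_call.secrets` in .test-unit.yml carries no `description`, so a caller of this reusable workflow has to read its body to learn what the optional secret is for and what happens when it is absent. `on.workflow_call.secrets.<id>.description` is the documented place for that, e.g. `description: "Codecov upload token (optional)"`, extended with the behaviour on omission once that is confirmed against the consuming step, which is outside this hunk. The identical declarations added to .test.yml (@@ -19) and .windows.yml (@@ -26) would benefit from the same line.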
@@ -42,9 +39,11 @@ jobs: uses: ./.github/actions/setup-runner - name: Prepare + env: + MODE: ${{ matrix.mode }} run: | CACHE_DEV_SCOPE=dev - if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then + if [[ "$MODE" == *"firewalld"* ]]; then echo "FIREWALLD=true" >> $GITHUB_ENV CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld" fi @@ -58,7 +57,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -87,7 +86,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-unit--${{ matrix.mode }} path: /tmp/reports/* diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml index 9dbf845707..f84d15fcdb 100644 --- a/.github/workflows/.test.yml +++ b/.github/workflows/.test.yml @@ -3,12 +3,6 @@ name: .test # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -19,6 +13,9 @@ on: required: true type: string default: "graphdriver" + secrets: + CODECOV_TOKEN: + required: false env: GO_VERSION: "1.26.2" @@ -55,7 +52,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | 
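Review bot: The `storage` input that the new `secrets:` block in .test.yml (@@ -19) sits under is declared both `required: true` and `default: "graphdriver"`; per the workflow_call documentation the default is only applied when a caller omits the input, which `required: true` forbids, so one of the two lines is dead and misleads a reader about what an omitted input does. Keep whichever reflects the intent: `required: true` alone if every caller must choose a storage driver, or drop `required` and keep the default. These are context lines and the input definition begins above the hunk, so the fix belongs to a follow-up rather than this change.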
@@ -82,7 +79,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-docker-py-${{ inputs.storage }} path: /tmp/reports/* @@ -108,7 +105,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -130,9 +127,12 @@ jobs: - name: Create matrix includes id: set - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + INPUT_STORAGE: ${{ inputs.storage }} with: script: | + const storage = core.getInput('storage', { required: true }); let includes = [ { os: 'ubuntu-22.04', mode: '' }, { os: 'ubuntu-22.04', mode: 'rootless' }, @@ -142,7 +142,7 @@ jobs: { os: 'ubuntu-24.04', mode: 'systemd' }, // { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084 ]; - if ("${{ inputs.storage }}" == "snapshotter") { + if (storage == "snapshotter") { includes.push({ os: 'ubuntu-24.04', mode: 'iptables+firewalld' }); includes.push({ os: 'ubuntu-24.04', mode: 'nftables' }); includes.push({ os: 'ubuntu-24.04', mode: 'nftables+firewalld' }); @@ -151,10 +151,6 @@ jobs: core.info(`matrix: ${JSON.stringify(includes)}`); core.setOutput('includes', JSON.stringify(includes)); }); - - - name: Show matrix - run: | - echo ${{ steps.set.outputs.includes }} integration: runs-on: ${{ matrix.os }} 
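Review bot: The `INPUT_STORAGE` variable in the `Create matrix includes` step (@@ -130) only works because `core.getInput('storage')` resolves its value from `INPUT_` plus the upper-cased input name, a convention of @actions/core that nothing in the workflow makes visible, so a maintainer could rename one side without the other. A comment above `env:` such as `# INPUT_* variables are read by core.getInput() in the script below` closes that gap; the same applies to the `INPUT_STORAGE`/`INPUT_TEST-MATRIX` block at @@ -334. Separately, `if (storage == "snapshotter")` (here at @@ -142 and again at @@ -347) uses loose equality; `===` is the conventional form for a string comparison and behaves identically since `getInput` always returns a string.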
@@ -178,20 +174,22 @@ jobs: uses: ./.github/actions/setup-tracing - name: Prepare + env: + MODE: ${{ matrix.mode }} run: | CACHE_DEV_SCOPE=dev - if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then + if [[ "$MODE" == *"rootless"* ]]; then echo "DOCKER_ROOTLESS=1" >> $GITHUB_ENV fi - if [[ "${{ matrix.mode }}" == *"systemd"* ]]; then + if [[ "$MODE" == *"systemd"* ]]; then echo "SYSTEMD=true" >> $GITHUB_ENV CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd" fi - if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then + if [[ "$MODE" == *"firewalld"* ]]; then echo "FIREWALLD=true" >> $GITHUB_ENV CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld" fi - if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then + if [[ "$MODE" == *"nftables"* ]]; then echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV fi echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV @@ -217,7 +215,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -232,10 +230,13 @@ jobs: - name: Prepare reports if: always() + env: + MATRIX_MODE: ${{ matrix.mode }} + MATRIX_OS: ${{ matrix.os }} run: | - reportsName=${{ matrix.os }} - if [ -n "${{ matrix.mode }}" ]; then - reportsName="$reportsName-${{ matrix.mode }}" + reportsName=$MATRIX_OS + if [ -n "$MATRIX_MODE" ]; then + reportsName="$reportsName-$MATRIX_MODE" fi reportsPath="/tmp/reports/$reportsName" echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV @@ -263,7 +264,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-integration-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }} path: /tmp/reports/* 
@@ -334,11 +335,15 @@ jobs: - name: Create gha matrix id: set - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + INPUT_STORAGE: ${{ inputs.storage }} + INPUT_TEST-MATRIX: ${{ steps.tests.outputs.matrix }} with: script: | + const storage = core.getInput('storage', { required: true }); let matrix = { - test: ${{ steps.tests.outputs.matrix }}, + test: JSON.parse(core.getInput('test-matrix', { required: true })), include: [], }; // For some reasons, GHA doesn't combine a dynamically defined @@ -347,7 +352,7 @@ jobs: // Moreover, since the goal is to run only relevant tests with // firewalld/nftables enabled to minimize the number of CI jobs, we // statically define the list of test suites that we want to run. - if ("${{ inputs.storage }}" == "snapshotter") { + if (storage == "snapshotter") { matrix.include.push({ 'mode': 'iptables+firewalld', 'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite' @@ -389,10 +394,6 @@ jobs: core.info(`matrix: ${JSON.stringify(matrix)}`); core.setOutput('matrix', JSON.stringify(matrix)); }); - - - name: Show final gha matrix - run: | - echo ${{ steps.set.outputs.matrix }} integration-cli: runs-on: ubuntu-24.04 @@ -415,13 +416,15 @@ jobs: uses: ./.github/actions/setup-tracing - name: Prepare + env: + MODE: ${{ matrix.mode }} run: | CACHE_DEV_SCOPE=dev - if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then + if [[ "$MODE" == *"firewalld"* ]]; then echo "FIREWALLD=true" >> $GITHUB_ENV CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld" fi - if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then + if [[ "$MODE" == *"nftables"* ]]; then echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV fi echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV 
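Review bot: `INPUT_TEST-MATRIX` is an environment variable with a hyphen in its name; that is exactly what `core.getInput('test-matrix')` looks up (the runner names real action inputs the same way), but such a variable is unreachable from POSIX shells and reads like a typo to anyone outside the convention. Either annotate the line, `# hyphen is intentional: core.getInput('test-matrix') reads INPUT_TEST-MATRIX`, or use `test_matrix` on both sides so the variable becomes `INPUT_TEST_MATRIX`. `JSON.parse(core.getInput('test-matrix', { required: true }))` is the right replacement for splicing the matrix JSON into the script source; with `required: true` an empty upstream output now fails with a clear getInput error instead of a JSON syntax error.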
@@ -434,7 +437,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -450,14 +453,16 @@ jobs: - name: Prepare reports if: always() + env: + MATRIX_TEST: ${{ matrix.test }} run: | - reportsName=$(echo -n "${{ matrix.test }}" | sha256sum | cut -d " " -f 1) + reportsName=$(echo -n "$MATRIX_TEST" | sha256sum | cut -d " " -f 1) reportsPath=/tmp/reports/$reportsName echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV docker stop otelcol mkdir -p bundles $reportsPath - echo "${{ matrix.test }}" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt" + echo "$MATRIX_TEST" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt" find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz tar -xzf /tmp/reports.tar.gz -C $reportsPath mv /tmp/reports/otel-trace*.jsonl $reportsPath/ @@ -479,7 +484,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-${{ env.TESTREPORTS_NAME }} path: /tmp/reports/* diff --git a/.github/workflows/.vm.yml b/.github/workflows/.vm.yml index 1823590485..e2d83c0e06 100644 --- a/.github/workflows/.vm.yml +++ b/.github/workflows/.vm.yml 
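Review bot: `echo -n "$MATRIX_TEST"` and `echo "$MATRIX_TEST"` in the `Prepare reports` step (@@ -450) now take their argument from an environment variable, and `echo` interprets a leading `-n`/`-e` (and, under some shell options, backslash escapes) instead of printing it, so the digest and the `tests.txt` content would silently differ from the intended value for such a string. `printf '%s' "$MATRIX_TEST" | sha256sum | cut -d " " -f 1` and `printf '%s\n' "$MATRIX_TEST" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt"` are the robust forms. The current matrix values are suite-name patterns, so this is hygiene rather than a live defect; the `find ... -print | xargs sudo tar` pipeline in the context lines likewise splits on whitespace in paths, where `-print0 | xargs -0` would be the safe pairing.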
@@ -3,12 +3,6 @@ name: .vm # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -180,7 +174,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-integration-${{ env.TESTREPORTS_NAME }} path: /tmp/reports/* diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml index 8794626037..9d47bf52d4 100644 --- a/.github/workflows/.windows.yml +++ b/.github/workflows/.windows.yml @@ -3,12 +3,6 @@ name: .windows # TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -26,6 +20,9 @@ on: required: false type: boolean default: false + secrets: + CODECOV_TOKEN: + required: false env: GO_VERSION: "1.26.2" 
@@ -62,12 +59,14 @@ jobs: Get-ChildItem Env: | Out-String - name: Init + env: + INPUT_OS: ${{ inputs.os }} run: | New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build" New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod" - If ("${{ inputs.os }}" -eq "windows-2025") { + If ($env:INPUT_OS -eq "windows-2025") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append - } ElseIf ("${{ inputs.os }}" -eq "windows-2022") { + } ElseIf ($env:INPUT_OS -eq "windows-2022") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append } - @@ -100,7 +99,7 @@ jobs: Get-ChildItem -Path ${{ env.BIN_OUT }} - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-${{ inputs.storage }}-${{ inputs.os }} path: ${{ env.BIN_OUT }}/* @@ -128,13 +127,15 @@ jobs: Get-ChildItem Env: | Out-String - name: Init + env: + INPUT_OS: ${{ inputs.os }} run: | New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build" New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod" New-Item -ItemType "directory" -Path "bundles" - If ("${{ inputs.os }}" -eq "windows-2025") { + If ($env:INPUT_OS -eq "windows-2025") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append - } ElseIf ("${{ inputs.os }}" -eq "windows-2022") { + } ElseIf ($env:INPUT_OS -eq "windows-2022") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append } - 
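Review bot: The `Init` step now reads `$env:INPUT_OS` but the same script still interpolates `${{ github.workspace }}` and `${{ env.WINDOWS_BASE_TAG_2025 }}`/`${{ env.WINDOWS_BASE_TAG_2022 }}` directly into PowerShell source, so the step mixes the two styles the commit is otherwise separating. Those values are already in the process environment as `$env:GITHUB_WORKSPACE` and `$env:WINDOWS_BASE_TAG_2025`/`$env:WINDOWS_BASE_TAG_2022`, so no extra `env:` mapping is needed, e.g. `echo "WINDOWS_BASE_IMAGE_TAG=$env:WINDOWS_BASE_TAG_2025" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append`. These values are runner- and workflow-controlled, so this is consistency rather than an injection concern; the same mix appears in the `Init` steps at @@ -128 and @@ -303.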
@@ -168,7 +169,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.os }}-${{ inputs.storage }}-unit-reports path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\* @@ -232,10 +233,7 @@ jobs: # "Test integration" step exclusively. matrix="$(gotestlist -d ${{ env.ITG_CLI_MATRIX_SIZE }} -o "./..." ./...)" echo "matrix=$matrix" >> $GITHUB_OUTPUT - - - name: Show matrix - run: | - echo ${{ steps.tests.outputs.matrix }} + echo "$matrix" integration-test: runs-on: ${{ inputs.os }} 
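Review bot: `gotestlist -d ${{ env.ITG_CLI_MATRIX_SIZE }}` in the @@ -232 hunk still splices a workflow expression into the shell line while the rest of this commit moves such values into the environment; `$ITG_CLI_MATRIX_SIZE` is exported to the step already, so `matrix="$(gotestlist -d "$ITG_CLI_MATRIX_SIZE" -o "./..." ./...)"` removes the last inline expression from this step. The added `echo "$matrix"` keeps the matrix visible in the log after the `Show matrix` step was dropped, which is fine. The `>> $GITHUB_OUTPUT` redirect is unquoted; harmless on hosted runners but flagged by shellcheck (SC2086).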
@@ -303,19 +301,22 @@ jobs: path: ${{ env.BIN_OUT }} - name: Init + env: + INPUT_OS: ${{ inputs.os }} + MATRIX_TEST: ${{ matrix.test }} run: | New-Item -ItemType "directory" -Path "bundles" -ErrorAction SilentlyContinue New-Item -ItemType "directory" -Path "${env:ProgramData}\Docker" -ErrorAction SilentlyContinue New-Item -ItemType "directory" -Path "${env:ProgramData}\Docker\cli-plugins" -ErrorAction SilentlyContinue Move-Item -Path "${{ env.BIN_OUT }}\docker-buildx.exe" -Destination "${env:ProgramData}\Docker\cli-plugins\docker-buildx.exe" -Force -ErrorAction Continue - If ("${{ inputs.os }}" -eq "windows-2025") { + If ($env:INPUT_OS -eq "windows-2025") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append - } ElseIf ("${{ inputs.os }}" -eq "windows-2022") { + } ElseIf ($env:INPUT_OS -eq "windows-2022") { echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append } Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - $testName = ([System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("${{ matrix.test }}"))) -replace '-').ToLower() + $testName = ([System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($env:MATRIX_TEST))) -replace '-').ToLower() echo "TESTREPORTS_NAME=$testName" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append - # removes docker service that is currently installed on the runner. we @@ -338,6 +339,9 @@ jobs: } - name: Starting test daemon + env: + INPUT_STORAGE: ${{ inputs.storage }} + MATRIX_RUNTIME: ${{ matrix.runtime }} run: | Write-Host "Creating service" $args = @( 
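Review bot: `New-Object System.Security.Cryptography.SHA256Managed` in the rewritten `$testName` line uses a type that .NET marks obsolete (SYSLIB0021); `[System.Security.Cryptography.SHA256]::Create()` is the supported factory on both Windows PowerShell 5.1 and pwsh and yields the same digest, so the line becomes `$testName = ([System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::UTF8.GetBytes($env:MATRIX_TEST))) -replace '-').ToLower()`. Unlike the former `"${{ matrix.test }}"` literal, `$env:MATRIX_TEST` is `$null` when the variable is unset, so the call presumably fails rather than hashing an empty string — the right failure mode for a missing matrix value, but worth a one-line comment. The step also writes with `-Encoding utf-8` on some lines and `-Encoding utf8` on the `GITHUB_PATH` line; both are accepted, one spelling would be tidier.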
@@ -348,11 +352,11 @@ jobs: "--pidfile=$env:TEMP\docker.pid", ` "--register-service" ) - If ("${{ matrix.runtime }}" -eq "containerd") { + If ($env:MATRIX_RUNTIME -eq "containerd") { $args += "--default-runtime=io.containerd.runhcs.v1" echo "DOCKER_WINDOWS_CONTAINERD_RUNTIME=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append } - if ("${{ inputs.storage }}" -eq "snapshotter") { + if ($env:INPUT_STORAGE -eq "snapshotter") { $args += "--feature=containerd-snapshotter" } New-Item -ItemType Directory "$env:TEMP\moby-root" -ErrorAction SilentlyContinue | Out-Null @@ -361,7 +365,7 @@ jobs: # Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option. $dockerEnviron = @("DOCKER_MIN_API_VERSION=1.24") $dockerEnviron += @(Get-Item Env:\OTEL_* | ForEach-Object { "$($_.Name)=$($_.Value)" }) - If ("${{ inputs.storage }}" -eq "graphdriver") { + If ($env:INPUT_STORAGE -eq "graphdriver") { $dockerEnviron += @("TEST_INTEGRATION_USE_GRAPHDRIVER=1") echo "TEST_INTEGRATION_USE_GRAPHDRIVER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append } @@ -371,6 +375,9 @@ jobs: Write-Host "Service started successfully!" - name: Waiting for test daemon to start + env: + MATRIX_RUNTIME: ${{ matrix.runtime }} + DOCKER_HOST: npipe:////./pipe/docker_engine run: | $tries=20 Write-Host "Waiting for the test daemon to start..." @@ -389,7 +396,7 @@ jobs: Start-Sleep -Seconds 1 } Write-Host "Test daemon started and replied!" - If ("${{ matrix.runtime }}" -eq "containerd") { + If ($env:MATRIX_RUNTIME -eq "containerd") { $containerdProcesses = Get-Process -Name containerd -ErrorAction:SilentlyContinue If (-not $containerdProcesses) { Throw "containerd process is not running" @@ -400,8 +407,6 @@ jobs: } } } - env: - DOCKER_HOST: npipe:////./pipe/docker_engine - name: Docker info run: | 
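Review bot: The `$args += ...` lines kept in the new code append to `$args`, which is a PowerShell automatic variable (the script's unbound arguments); assigning to it is legal but shadows the built-in and is flagged by PSScriptAnalyzer as PSAvoidAssignmentToAutomaticVariable. Renaming it to something like `$dockerdArgs` removes the ambiguity at no behavioural cost; the `$args = @(` declaration sits at the end of the previous hunk (@@ -338) and the consumer of the array is outside both hunks, so the rename has to cover lines this diff does not show.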
@@ -482,7 +487,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}-${{ env.TESTREPORTS_NAME }} path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\* diff --git a/.github/workflows/arm64.yml b/.github/workflows/arm64.yml index 13b7a09e73..091d33c420 100644 --- a/.github/workflows/arm64.yml +++ b/.github/workflows/arm64.yml @@ -1,18 +1,12 @@ name: arm64 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -56,7 +50,7 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }} - @@ -84,7 +78,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -117,7 +111,7 @@ jobs: uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | 
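Review bot: The relocated `permissions:` block in arm64.yml (@@ -1) loses the comment that explained why it exists: that once any permission is listed every unlisted one becomes `none`, and that without the block the token falls back to the repository default, which may be the permissive read/write setting. That reasoning is what stops a future edit from deleting the two lines as noise, so a compact form is worth keeping above `permissions:`, e.g. `# Restrict GITHUB_TOKEN to read-only; unlisted scopes become none. Jobs needing more declare their own block.`. The same comment is dropped without replacement in bin-image.yml, buildkit.yml, ci.yml, test.yml, vm.yml, windows-2022.yml, windows-2025.yml and in the reusable .dco.yml, .test-unit.yml, .test.yml, .vm.yml and .windows.yml.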
@@ -146,7 +140,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-unit-arm64-graphdriver path: /tmp/reports/* @@ -210,7 +204,7 @@ jobs: uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -250,7 +244,7 @@ jobs: - name: Upload reports if: always() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-integration-arm64-graphdriver path: /tmp/reports/* diff --git a/.github/workflows/bin-image.yml b/.github/workflows/bin-image.yml index cdc84450c2..cdff9f29d6 100644 --- a/.github/workflows/bin-image.yml +++ b/.github/workflows/bin-image.yml @@ -1,18 +1,12 @@ name: bin-image -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml index 54bf20a36a..4572ed3c49 100644 --- a/.github/workflows/buildkit.yml +++ b/.github/workflows/buildkit.yml 
@@ -1,18 +1,12 @@ name: buildkit -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -48,12 +42,12 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: binary - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: binary path: ${{ env.DESTDIR }} @@ -97,7 +91,7 @@ jobs: # https://github.com/moby/buildkit/blob/567a99433ca23402d5e9b9f9124005d2e59b8861/client/client_test.go#L5407-L5411 - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -146,7 +140,7 @@ jobs: docker info - name: Build test image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 env: GO_VERSION: ${{ env.GO_VERSION }} with: @@ -251,7 +245,7 @@ jobs: cp ${{ env.GOPATH }}\bin\buildctl.exe ${{ env.BIN_OUT }} - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: build-windows path: ${{ env.BIN_OUT }}/* 
@@ -307,7 +301,7 @@ jobs: echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a8de85c48..e654589d11 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,18 +1,12 @@ name: ci -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -52,7 +46,7 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }} - @@ -82,10 +76,7 @@ jobs: run: | matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')" echo "matrix=$matrix" >> $GITHUB_OUTPUT - - - name: Show matrix - run: | - echo ${{ steps.platforms.outputs.matrix }} + echo "$matrix" cross: runs-on: ubuntu-24.04 @@ -101,9 +92,10 @@ jobs: steps: - name: Prepare + env: + PLATFORM: ${{ matrix.platform }} run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 
@@ -113,7 +105,7 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: all set: | @@ -132,10 +124,8 @@ jobs: timeout-minutes: 120 # guardrails timeout for the whole job # Always run security checks, even with 'ci/validate-only' label permissions: - # required to write sarif report - security-events: write - # required to check out the repository - contents: read + contents: read # same as global permission + security-events: write # required to write sarif report steps: - name: Set up Docker Buildx @@ -146,7 +136,7 @@ jobs: buildkitd-flags: --debug - name: Run - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: govulncheck env: @@ -173,7 +163,7 @@ jobs: buildkitd-flags: --debug - name: Build dind image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dind set: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5e5edb23f6..b8b7e9a534 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,11 +1,9 @@ name: codeql -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read 
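Review bot: The new inline comment `# same as global permission` on `contents: read` in the ci.yml job block (@@ -132) understates why the line is there: a job-level `permissions:` block replaces the workflow-level one entirely, so without restating `contents: read` the job token would carry no `contents` scope at all. `contents: read # job-level permissions replace the workflow block, so this must be restated` makes the mechanism explicit. Moving the explanations onto trailing comments is fine, but the previous `# required to check out the repository` said more about the need than the new text does.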
@@ -18,9 +16,9 @@ on: tags: - 'v*' - 'docker-v*' + - 'api/v*' + - 'client/v*' pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] schedule: # ┌───────────── minute (0 - 59) # │ ┌───────────── hour (0 - 23) @@ -41,27 +39,30 @@ jobs: runs-on: ubuntu-24.04 timeout-minutes: 10 permissions: - actions: read contents: read security-events: write - steps: - - name: Checkout + - + name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 - - name: Set up Go + - + name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ env.GO_VERSION }} cache: false - - name: Initialize CodeQL + - + name: Initialize CodeQL uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: go - - name: Autobuild + - + name: Autobuild uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 - - name: Perform CodeQL Analysis + - + name: Perform CodeQL Analysis uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:go" diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 1c42fcb512..8d86f3020d 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,10 +1,15 @@ -name: "Labeler" -on: - pull_request_target: +name: labeler + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true permissions: contents: read +on: + pull_request_target: # zizmor: ignore[dangerous-triggers] safe here, this workflow only applies labels and never checks out or executes PR code + jobs: labeler: permissions: @@ -12,7 +17,8 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - name: Labels + - + name: Labels uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: sync-labels: false 
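Review bot: Dropping `actions: read` from the `analyze` job permissions in codeql.yml (@@ -41) is safe for a public repository, but the codeql-action starter workflow lists `actions: read` as required for private repositories, so the removal silently couples the job to the repository's visibility. A comment on the remaining block, `# actions: read is only needed for private repositories`, keeps that trade-off visible. The rest of the hunk is a layout change to the dangling-dash `- ` / `name:` step style used by the other workflows in this diff.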
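Review bot: `runs-on: ubuntu-latest` in the labeler job is a floating runner label while the other workflows in this diff pin `ubuntu-24.04`, and the commit edits the adjacent lines without aligning it. Pinning it keeps the one `pull_request_target` workflow here — the one that runs with a write-capable token — on a deliberately chosen image. The `# zizmor: ignore[dangerous-triggers]` justification on the trigger line is well placed; the inline comment is the right spot for that reasoning.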
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e1b49b2eb5..1997ea623f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,18 +1,12 @@ name: test -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push: @@ -48,8 +42,10 @@ jobs: steps: - name: Prepare + env: + MODE: ${{ matrix.mode }} run: | - if [ "${{ matrix.mode }}" = "systemd" ]; then + if [ "$MODE" = "systemd" ]; then echo "SYSTEMD=true" >> $GITHUB_ENV fi - @@ -61,7 +57,7 @@ jobs: buildkitd-flags: --debug - name: Build dev image - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: dev set: | @@ -82,7 +78,6 @@ jobs: - build-dev - validate-dco uses: ./.github/workflows/.test.yml - secrets: inherit strategy: fail-fast: false matrix: @@ -91,6 +86,8 @@ jobs: - snapshotter with: storage: ${{ matrix.storage }} + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} test-unit: if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} @@ -98,7 +95,8 @@ jobs: - build-dev - validate-dco uses: ./.github/workflows/.test-unit.yml - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} validate-prepare: runs-on: ubuntu-24.04 
@@ -117,10 +115,7 @@ jobs: run: | scripts=$(cd ./hack/validate && jq -nc '$ARGS.positional - ["all", "default", "dco"] | map(select(test("[.]")|not)) + ["generate-files"]' --args *) echo "matrix=$scripts" >> $GITHUB_OUTPUT - - - name: Show matrix - run: | - echo ${{ steps.scripts.outputs.matrix }} + echo "$scripts" validate: runs-on: ubuntu-24.04 @@ -160,8 +155,10 @@ jobs: docker load -i /tmp/dev-image.tar - name: Validate + env: + SCRIPT: ${{ matrix.script }} run: | - make -o build validate-${{ matrix.script }} + make -o build "validate-${SCRIPT}" validate-api-swagger: runs-on: ubuntu-24.04 @@ -200,10 +197,7 @@ jobs: run: | matrix="$(docker buildx bake binary-smoketest --print | jq -cr '.target."binary-smoketest".platforms')" echo "matrix=$matrix" >> $GITHUB_OUTPUT - - - name: Show matrix - run: | - echo ${{ steps.platforms.outputs.matrix }} + echo "$matrix" smoke: runs-on: ubuntu-24.04 @@ -218,9 +212,10 @@ jobs: steps: - name: Prepare + env: + PLATFORM: ${{ matrix.platform }} run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 @@ -233,7 +228,7 @@ jobs: buildkitd-flags: --debug - name: Test - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: binary-smoketest set: | diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml index 05bbe2be27..3b335d4fc6 100644 --- a/.github/workflows/validate-pr.yml +++ b/.github/workflows/validate-pr.yml 
@@ -1,11 +1,9 @@ name: validate-pr -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read
diff --git a/.github/workflows/vm.yml b/.github/workflows/vm.yml
index 5be0f22881..d106bc6d78 100644
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -1,18 +1,12 @@ name: vm -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push:
diff --git a/.github/workflows/windows-2022.yml b/.github/workflows/windows-2022.yml
index f3c4ccb0c5..907c803fbe 100644
--- a/.github/workflows/windows-2022.yml
+++ b/.github/workflows/windows-2022.yml
@@ -1,18 +1,12 @@ name: windows-2022 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: schedule: - cron: '0 10 * * *'
@@ -21,12 +15,10 @@ on: jobs: validate-dco: uses: ./.github/workflows/.dco.yml - run: needs: validate-dco if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} uses: ./.github/workflows/.windows.yml - secrets: inherit strategy: fail-fast: false matrix:
@@ -37,3 +29,5 @@ jobs: os: windows-2022 storage: ${{ matrix.storage }} send_coverage: true + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/windows-2025.yml b/.github/workflows/windows-2025.yml
index db693b41dd..5429b59eb4 100644
--- a/.github/workflows/windows-2025.yml
+++ b/.github/workflows/windows-2025.yml
@@ -1,18 +1,12 @@ name: windows-2025 -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -permissions: - contents: read - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + on: workflow_dispatch: push:
@@ -30,7 +24,6 @@ jobs: needs: validate-dco if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} uses: ./.github/workflows/.windows.yml - secrets: inherit strategy: fail-fast: false matrix:
@@ -41,3 +34,5 @@ jobs: os: windows-2025 storage: ${{ matrix.storage }} send_coverage: false + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
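Review bot: In the windows-2022 @@ -21,12 hunk the lone `-` before `run:` appears to be a removed blank line between the `validate-dco` and `run` jobs, on top of the intended `secrets: inherit` removal; the parallel windows-2025 @@ -30,7 hunk keeps that separator. Restoring the blank line keeps the two workflow files laid out the same way. Whitespace is collapsed in this view, so this is inferred from the hunk's line counts rather than visible directly.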
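Review bot: Passing `CODECOV_TOKEN` explicitly to `./.github/workflows/.windows.yml` in the windows-2022 @@ -37,3 hunk only works if that reusable workflow declares the secret under `on.workflow_call.secrets`, and `.windows.yml` is not touched in this diff; that declaration should be confirmed (as `required: false`, since pull requests from forks have no secret to pass), otherwise the caller is expected to be rejected for passing an undeclared secret. Dropping `secrets: inherit` also withdraws every other repository secret from `.windows.yml`, so any other `secrets.*` reference in it would now resolve to empty. The same applies to the windows-2025 @@ -41,3 hunk. Both hunks show only the tail of the `run` job's `with:` block; the job starts outside the hunk.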
