fix zizmor findings

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax
2026-04-15 12:30:57 +02:00
parent 0c878186d3
commit 1743957d3f
16 changed files with 181 additions and 229 deletions


@@ -3,12 +3,6 @@ name: .dco
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
@@ -30,14 +24,14 @@ jobs:
fetch-depth: 0
-
name: Dump context
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
console.log(JSON.stringify(context, null, 2));
-
name: Get base ref
id: base-ref
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
result-encoding: string
script: |


@@ -3,17 +3,14 @@ name: .test-unit
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
on:
workflow_call:
secrets:
CODECOV_TOKEN:
required: false
env:
GO_VERSION: "1.26.2"
@@ -42,9 +39,11 @@ jobs:
uses: ./.github/actions/setup-runner
-
name: Prepare
env:
MODE: ${{ matrix.mode }}
run: |
CACHE_DEV_SCOPE=dev
if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
if [[ "$MODE" == *"firewalld"* ]]; then
echo "FIREWALLD=true" >> $GITHUB_ENV
CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
fi
@@ -58,7 +57,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -87,7 +86,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-unit--${{ matrix.mode }}
path: /tmp/reports/*


@@ -3,12 +3,6 @@ name: .test
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
@@ -19,6 +13,9 @@ on:
required: true
type: string
default: "graphdriver"
secrets:
CODECOV_TOKEN:
required: false
env:
GO_VERSION: "1.26.2"
@@ -55,7 +52,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -82,7 +79,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-docker-py-${{ inputs.storage }}
path: /tmp/reports/*
@@ -108,7 +105,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -130,9 +127,12 @@ jobs:
-
name: Create matrix includes
id: set
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_STORAGE: ${{ inputs.storage }}
with:
script: |
const storage = core.getInput('storage', { required: true });
let includes = [
{ os: 'ubuntu-22.04', mode: '' },
{ os: 'ubuntu-22.04', mode: 'rootless' },
@@ -142,7 +142,7 @@ jobs:
{ os: 'ubuntu-24.04', mode: 'systemd' },
// { os: 'ubuntu-24.04', mode: 'rootless-systemd' }, // FIXME: https://github.com/moby/moby/issues/44084
];
if ("${{ inputs.storage }}" == "snapshotter") {
if (storage == "snapshotter") {
includes.push({ os: 'ubuntu-24.04', mode: 'iptables+firewalld' });
includes.push({ os: 'ubuntu-24.04', mode: 'nftables' });
includes.push({ os: 'ubuntu-24.04', mode: 'nftables+firewalld' });
@@ -151,10 +151,6 @@ jobs:
core.info(`matrix: ${JSON.stringify(includes)}`);
core.setOutput('includes', JSON.stringify(includes));
});
-
name: Show matrix
run: |
echo ${{ steps.set.outputs.includes }}
integration:
runs-on: ${{ matrix.os }}
@@ -178,20 +174,22 @@ jobs:
uses: ./.github/actions/setup-tracing
-
name: Prepare
env:
MODE: ${{ matrix.mode }}
run: |
CACHE_DEV_SCOPE=dev
if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then
if [[ "$MODE" == *"rootless"* ]]; then
echo "DOCKER_ROOTLESS=1" >> $GITHUB_ENV
fi
if [[ "${{ matrix.mode }}" == *"systemd"* ]]; then
if [[ "$MODE" == *"systemd"* ]]; then
echo "SYSTEMD=true" >> $GITHUB_ENV
CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
fi
if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
if [[ "$MODE" == *"firewalld"* ]]; then
echo "FIREWALLD=true" >> $GITHUB_ENV
CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
fi
if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
if [[ "$MODE" == *"nftables"* ]]; then
echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
fi
echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
@@ -217,7 +215,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -232,10 +230,13 @@ jobs:
-
name: Prepare reports
if: always()
env:
MATRIX_MODE: ${{ matrix.mode }}
MATRIX_OS: ${{ matrix.os }}
run: |
reportsName=${{ matrix.os }}
if [ -n "${{ matrix.mode }}" ]; then
reportsName="$reportsName-${{ matrix.mode }}"
reportsName=$MATRIX_OS
if [ -n "$MATRIX_MODE" ]; then
reportsName="$reportsName-$MATRIX_MODE"
fi
reportsPath="/tmp/reports/$reportsName"
echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
@@ -263,7 +264,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-integration-${{ inputs.storage }}-${{ env.TESTREPORTS_NAME }}
path: /tmp/reports/*
@@ -334,11 +335,15 @@ jobs:
-
name: Create gha matrix
id: set
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
INPUT_STORAGE: ${{ inputs.storage }}
INPUT_TEST-MATRIX: ${{ steps.tests.outputs.matrix }}
with:
script: |
const storage = core.getInput('storage', { required: true });
let matrix = {
test: ${{ steps.tests.outputs.matrix }},
test: JSON.parse(core.getInput('test-matrix', { required: true })),
include: [],
};
// For some reasons, GHA doesn't combine a dynamically defined
@@ -347,7 +352,7 @@ jobs:
// Moreover, since the goal is to run only relevant tests with
// firewalld/nftables enabled to minimize the number of CI jobs, we
// statically define the list of test suites that we want to run.
if ("${{ inputs.storage }}" == "snapshotter") {
if (storage == "snapshotter") {
matrix.include.push({
'mode': 'iptables+firewalld',
'test': 'DockerCLINetworkSuite|DockerCLIPortSuite|DockerDaemonSuite'
@@ -389,10 +394,6 @@ jobs:
core.info(`matrix: ${JSON.stringify(matrix)}`);
core.setOutput('matrix', JSON.stringify(matrix));
});
-
name: Show final gha matrix
run: |
echo ${{ steps.set.outputs.matrix }}
integration-cli:
runs-on: ubuntu-24.04
@@ -415,13 +416,15 @@ jobs:
uses: ./.github/actions/setup-tracing
-
name: Prepare
env:
MODE: ${{ matrix.mode }}
run: |
CACHE_DEV_SCOPE=dev
if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
if [[ "$MODE" == *"firewalld"* ]]; then
echo "FIREWALLD=true" >> $GITHUB_ENV
CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
fi
if [[ "${{ matrix.mode }}" == *"nftables"* ]]; then
if [[ "$MODE" == *"nftables"* ]]; then
echo "DOCKER_FIREWALL_BACKEND=nftables" >> $GITHUB_ENV
fi
echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
@@ -434,7 +437,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -450,14 +453,16 @@ jobs:
-
name: Prepare reports
if: always()
env:
MATRIX_TEST: ${{ matrix.test }}
run: |
reportsName=$(echo -n "${{ matrix.test }}" | sha256sum | cut -d " " -f 1)
reportsName=$(echo -n "$MATRIX_TEST" | sha256sum | cut -d " " -f 1)
reportsPath=/tmp/reports/$reportsName
echo "TESTREPORTS_NAME=$reportsName" >> $GITHUB_ENV
docker stop otelcol
mkdir -p bundles $reportsPath
echo "${{ matrix.test }}" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt"
echo "$MATRIX_TEST" | tr -s '|' '\n' | tee -a "$reportsPath/tests.txt"
find bundles -path '*/root/*overlay2' -prune -o -type f \( -name '*-report.json' -o -name '*.log' -o -name '*.out' -o -name '*.prof' -o -name '*-report.xml' \) -print | xargs sudo tar -czf /tmp/reports.tar.gz
tar -xzf /tmp/reports.tar.gz -C $reportsPath
mv /tmp/reports/otel-trace*.jsonl $reportsPath/
@@ -479,7 +484,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-integration-cli-${{ inputs.storage }}-${{ matrix.mode }}-${{ env.TESTREPORTS_NAME }}
path: /tmp/reports/*
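Review bot: In the "Create gha matrix" step the env name `INPUT_TEST-MATRIX` depends on the runner passing a hyphenated environment variable through unchanged; `core.getInput('test-matrix')` does look up exactly that name, so the pairing is internally consistent, but if the hyphen were ever dropped or normalized the `required: true` lookup would fail at run time rather than at workflow parse time. A hyphen-free pair, `INPUT_TEST_MATRIX: ${{ steps.tests.outputs.matrix }}` with `core.getInput('test_matrix', { required: true })`, removes that dependency. Moving the matrix JSON out of the inline `${{ }}` expansion and into `JSON.parse` is the right shape for this data. The enclosing job continues outside the hunk.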


@@ -3,12 +3,6 @@ name: .vm
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
@@ -180,7 +174,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-integration-${{ env.TESTREPORTS_NAME }}
path: /tmp/reports/*


@@ -3,12 +3,6 @@ name: .windows
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
@@ -26,6 +20,9 @@ on:
required: false
type: boolean
default: false
secrets:
CODECOV_TOKEN:
required: false
env:
GO_VERSION: "1.26.2"
@@ -62,12 +59,14 @@ jobs:
Get-ChildItem Env: | Out-String
-
name: Init
env:
INPUT_OS: ${{ inputs.os }}
run: |
New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
If ("${{ inputs.os }}" -eq "windows-2025") {
If ($env:INPUT_OS -eq "windows-2025") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
} ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
} ElseIf ($env:INPUT_OS -eq "windows-2022") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
}
-
@@ -100,7 +99,7 @@ jobs:
Get-ChildItem -Path ${{ env.BIN_OUT }}
-
name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: build-${{ inputs.storage }}-${{ inputs.os }}
path: ${{ env.BIN_OUT }}/*
@@ -128,13 +127,15 @@ jobs:
Get-ChildItem Env: | Out-String
-
name: Init
env:
INPUT_OS: ${{ inputs.os }}
run: |
New-Item -ItemType "directory" -Path "${{ github.workspace }}\go-build"
New-Item -ItemType "directory" -Path "${{ github.workspace }}\go\pkg\mod"
New-Item -ItemType "directory" -Path "bundles"
If ("${{ inputs.os }}" -eq "windows-2025") {
If ($env:INPUT_OS -eq "windows-2025") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
} ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
} ElseIf ($env:INPUT_OS -eq "windows-2022") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
}
-
@@ -168,7 +169,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: ${{ inputs.os }}-${{ inputs.storage }}-unit-reports
path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\*
@@ -232,10 +233,7 @@ jobs:
# "Test integration" step exclusively.
matrix="$(gotestlist -d ${{ env.ITG_CLI_MATRIX_SIZE }} -o "./..." ./...)"
echo "matrix=$matrix" >> $GITHUB_OUTPUT
-
name: Show matrix
run: |
echo ${{ steps.tests.outputs.matrix }}
echo "$matrix"
integration-test:
runs-on: ${{ inputs.os }}
@@ -303,19 +301,22 @@ jobs:
path: ${{ env.BIN_OUT }}
-
name: Init
env:
INPUT_OS: ${{ inputs.os }}
MATRIX_TEST: ${{ matrix.test }}
run: |
New-Item -ItemType "directory" -Path "bundles" -ErrorAction SilentlyContinue
New-Item -ItemType "directory" -Path "${env:ProgramData}\Docker" -ErrorAction SilentlyContinue
New-Item -ItemType "directory" -Path "${env:ProgramData}\Docker\cli-plugins" -ErrorAction SilentlyContinue
Move-Item -Path "${{ env.BIN_OUT }}\docker-buildx.exe" -Destination "${env:ProgramData}\Docker\cli-plugins\docker-buildx.exe" -Force -ErrorAction Continue
If ("${{ inputs.os }}" -eq "windows-2025") {
If ($env:INPUT_OS -eq "windows-2025") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2025 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
} ElseIf ("${{ inputs.os }}" -eq "windows-2022") {
} ElseIf ($env:INPUT_OS -eq "windows-2022") {
echo "WINDOWS_BASE_IMAGE_TAG=${{ env.WINDOWS_BASE_TAG_2022 }}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
}
Write-Output "${{ env.BIN_OUT }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
$testName = ([System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("${{ matrix.test }}"))) -replace '-').ToLower()
$testName = ([System.BitConverter]::ToString((New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($env:MATRIX_TEST))) -replace '-').ToLower()
echo "TESTREPORTS_NAME=$testName" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
-
# removes docker service that is currently installed on the runner. we
@@ -338,6 +339,9 @@ jobs:
}
-
name: Starting test daemon
env:
INPUT_STORAGE: ${{ inputs.storage }}
MATRIX_RUNTIME: ${{ matrix.runtime }}
run: |
Write-Host "Creating service"
$args = @(
@@ -348,11 +352,11 @@ jobs:
"--pidfile=$env:TEMP\docker.pid", `
"--register-service"
)
If ("${{ matrix.runtime }}" -eq "containerd") {
If ($env:MATRIX_RUNTIME -eq "containerd") {
$args += "--default-runtime=io.containerd.runhcs.v1"
echo "DOCKER_WINDOWS_CONTAINERD_RUNTIME=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
}
if ("${{ inputs.storage }}" -eq "snapshotter") {
if ($env:INPUT_STORAGE -eq "snapshotter") {
$args += "--feature=containerd-snapshotter"
}
New-Item -ItemType Directory "$env:TEMP\moby-root" -ErrorAction SilentlyContinue | Out-Null
@@ -361,7 +365,7 @@ jobs:
# Make the env-var visible to the service-managed dockerd, as there's no CLI flag for this option.
$dockerEnviron = @("DOCKER_MIN_API_VERSION=1.24")
$dockerEnviron += @(Get-Item Env:\OTEL_* | ForEach-Object { "$($_.Name)=$($_.Value)" })
If ("${{ inputs.storage }}" -eq "graphdriver") {
If ($env:INPUT_STORAGE -eq "graphdriver") {
$dockerEnviron += @("TEST_INTEGRATION_USE_GRAPHDRIVER=1")
echo "TEST_INTEGRATION_USE_GRAPHDRIVER=1" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
}
@@ -371,6 +375,9 @@ jobs:
Write-Host "Service started successfully!"
-
name: Waiting for test daemon to start
env:
MATRIX_RUNTIME: ${{ matrix.runtime }}
DOCKER_HOST: npipe:////./pipe/docker_engine
run: |
$tries=20
Write-Host "Waiting for the test daemon to start..."
@@ -389,7 +396,7 @@ jobs:
Start-Sleep -Seconds 1
}
Write-Host "Test daemon started and replied!"
If ("${{ matrix.runtime }}" -eq "containerd") {
If ($env:MATRIX_RUNTIME -eq "containerd") {
$containerdProcesses = Get-Process -Name containerd -ErrorAction:SilentlyContinue
If (-not $containerdProcesses) {
Throw "containerd process is not running"
@@ -400,8 +407,6 @@ jobs:
}
}
}
env:
DOCKER_HOST: npipe:////./pipe/docker_engine
-
name: Docker info
run: |
@@ -482,7 +487,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: ${{ inputs.os }}-${{ inputs.storage }}-integration-reports-${{ matrix.runtime }}-${{ env.TESTREPORTS_NAME }}
path: ${{ env.GOPATH }}\src\github.com\docker\docker\bundles\*
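Review bot: In the integration-test "Init" step, `GetBytes($env:MATRIX_TEST)` is not a drop-in replacement for the old inline expansion when the matrix value is empty: PowerShell reports an empty environment variable as `$null`, so the call would throw instead of hashing an empty string as `GetBytes("")` previously did. Whether `matrix.test` can ever be empty is not visible from this hunk; if it cannot, a one-line comment stating that assumption next to the hash is enough, otherwise coerce with `GetBytes([string]$env:MATRIX_TEST)`. The same env-based pattern is used in the "Starting test daemon" and "Waiting for test daemon to start" steps, where the values are only compared with `-eq` and a `$null` is harmless. The step bodies continue outside the hunks.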


@@ -1,18 +1,12 @@
name: arm64
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:
@@ -56,7 +50,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: ${{ matrix.target }}
-
@@ -84,7 +78,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -117,7 +111,7 @@ jobs:
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -146,7 +140,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-unit-arm64-graphdriver
path: /tmp/reports/*
@@ -210,7 +204,7 @@ jobs:
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -250,7 +244,7 @@ jobs:
-
name: Upload reports
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: test-reports-integration-arm64-graphdriver
path: /tmp/reports/*


@@ -1,18 +1,12 @@
name: bin-image
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:


@@ -1,18 +1,12 @@
name: buildkit
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:
@@ -48,12 +42,12 @@ jobs:
buildkitd-flags: --debug
-
name: Build
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: binary
-
name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: binary
path: ${{ env.DESTDIR }}
@@ -97,7 +91,7 @@ jobs:
# https://github.com/moby/buildkit/blob/567a99433ca23402d5e9b9f9124005d2e59b8861/client/client_test.go#L5407-L5411
-
name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4
uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -146,7 +140,7 @@ jobs:
docker info
-
name: Build test image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
env:
GO_VERSION: ${{ env.GO_VERSION }}
with:
@@ -251,7 +245,7 @@ jobs:
cp ${{ env.GOPATH }}\bin\buildctl.exe ${{ env.BIN_OUT }}
- name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: build-windows
path: ${{ env.BIN_OUT }}/*
@@ -307,7 +301,7 @@ jobs:
echo "BUILDKIT_TEST_DISABLE_FEATURES=${disabledFeatures}" >> $GITHUB_ENV
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4
uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2


@@ -1,18 +1,12 @@
name: ci
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:
@@ -52,7 +46,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: ${{ matrix.target }}
-
@@ -82,10 +76,7 @@ jobs:
run: |
matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')"
echo "matrix=$matrix" >> $GITHUB_OUTPUT
-
name: Show matrix
run: |
echo ${{ steps.platforms.outputs.matrix }}
echo "$matrix"
cross:
runs-on: ubuntu-24.04
@@ -101,9 +92,10 @@ jobs:
steps:
-
name: Prepare
env:
PLATFORM: ${{ matrix.platform }}
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
@@ -113,7 +105,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: all
set: |
@@ -132,10 +124,8 @@ jobs:
timeout-minutes: 120 # guardrails timeout for the whole job
# Always run security checks, even with 'ci/validate-only' label
permissions:
# required to write sarif report
security-events: write
# required to check out the repository
contents: read
contents: read # same as global permission
security-events: write # required to write sarif report
steps:
-
name: Set up Docker Buildx
@@ -146,7 +136,7 @@ jobs:
buildkitd-flags: --debug
-
name: Run
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: govulncheck
env:
@@ -173,7 +163,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dind image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dind
set: |


@@ -1,11 +1,9 @@
name: codeql
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
@@ -18,9 +16,9 @@ on:
tags:
- 'v*'
- 'docker-v*'
- 'api/v*'
- 'client/v*'
pull_request:
# The branches below must be a subset of the branches above
branches: ["master"]
schedule:
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
@@ -41,27 +39,30 @@ jobs:
runs-on: ubuntu-24.04
timeout-minutes: 10
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 2
- name: Set up Go
-
name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: false
- name: Initialize CodeQL
-
name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: go
- name: Autobuild
-
name: Autobuild
uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
- name: Perform CodeQL Analysis
-
name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
category: "/language:go"


@@ -1,10 +1,15 @@
name: "Labeler"
on:
pull_request_target:
name: labeler
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: read
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] safe here, this workflow only applies labels and never checks out or executes PR code
jobs:
labeler:
permissions:
@@ -12,7 +17,8 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: Labels
-
name: Labels
uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
with:
sync-labels: false


@@ -1,18 +1,12 @@
name: test
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:
@@ -48,8 +42,10 @@ jobs:
steps:
-
name: Prepare
env:
MODE: ${{ matrix.mode }}
run: |
if [ "${{ matrix.mode }}" = "systemd" ]; then
if [ "$MODE" = "systemd" ]; then
echo "SYSTEMD=true" >> $GITHUB_ENV
fi
-
@@ -61,7 +57,7 @@ jobs:
buildkitd-flags: --debug
-
name: Build dev image
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: dev
set: |
@@ -82,7 +78,6 @@ jobs:
- build-dev
- validate-dco
uses: ./.github/workflows/.test.yml
secrets: inherit
strategy:
fail-fast: false
matrix:
@@ -91,6 +86,8 @@ jobs:
- snapshotter
with:
storage: ${{ matrix.storage }}
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
test-unit:
if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
@@ -98,7 +95,8 @@ jobs:
- build-dev
- validate-dco
uses: ./.github/workflows/.test-unit.yml
secrets: inherit
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
validate-prepare:
runs-on: ubuntu-24.04
@@ -117,10 +115,7 @@ jobs:
run: |
scripts=$(cd ./hack/validate && jq -nc '$ARGS.positional - ["all", "default", "dco"] | map(select(test("[.]")|not)) + ["generate-files"]' --args *)
echo "matrix=$scripts" >> $GITHUB_OUTPUT
-
name: Show matrix
run: |
echo ${{ steps.scripts.outputs.matrix }}
echo "$scripts"
validate:
runs-on: ubuntu-24.04
@@ -160,8 +155,10 @@ jobs:
docker load -i /tmp/dev-image.tar
-
name: Validate
env:
SCRIPT: ${{ matrix.script }}
run: |
make -o build validate-${{ matrix.script }}
make -o build "validate-${SCRIPT}"
validate-api-swagger:
runs-on: ubuntu-24.04
@@ -200,10 +197,7 @@ jobs:
run: |
matrix="$(docker buildx bake binary-smoketest --print | jq -cr '.target."binary-smoketest".platforms')"
echo "matrix=$matrix" >> $GITHUB_OUTPUT
-
name: Show matrix
run: |
echo ${{ steps.platforms.outputs.matrix }}
echo "$matrix"
smoke:
runs-on: ubuntu-24.04
@@ -218,9 +212,10 @@ jobs:
steps:
-
name: Prepare
env:
PLATFORM: ${{ matrix.platform }}
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV
-
name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -233,7 +228,7 @@ jobs:
buildkitd-flags: --debug
-
name: Test
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: binary-smoketest
set: |


@@ -1,11 +1,9 @@
name: validate-pr
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read


@@ -1,18 +1,12 @@
name: vm
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:


@@ -1,18 +1,12 @@
name: windows-2022
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
schedule:
- cron: '0 10 * * *'
@@ -21,12 +15,10 @@ on:
jobs:
validate-dco:
uses: ./.github/workflows/.dco.yml
run:
needs: validate-dco
if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
uses: ./.github/workflows/.windows.yml
secrets: inherit
strategy:
fail-fast: false
matrix:
@@ -37,3 +29,5 @@ jobs:
os: windows-2022
storage: ${{ matrix.storage }}
send_coverage: true
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}


@@ -1,18 +1,12 @@
name: windows-2025
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
on:
workflow_dispatch:
push:
@@ -30,7 +24,6 @@ jobs:
needs: validate-dco
if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }}
uses: ./.github/workflows/.windows.yml
secrets: inherit
strategy:
fail-fast: false
matrix:
@@ -41,3 +34,5 @@ jobs:
os: windows-2025
storage: ${{ matrix.storage }}
send_coverage: false
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}