diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6e6f108ef9076..1c1bfe1f4ccbc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,8 +18,12 @@ updates: otel: patterns: - "go.opentelemetry.io/*" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" open-pull-requests-limit: 10 + cooldown: + default-days: 7 diff --git a/.github/workflows/api-release.yml b/.github/workflows/api-release.yml index 6b985551f2dc0..abb9ccf37deb2 100644 --- a/.github/workflows/api-release.yml +++ b/.github/workflows/api-release.yml @@ -26,14 +26,13 @@ jobs: with: ref: ${{ github.ref }} path: src/github.com/containerd/containerd + persist-credentials: false - name: Check signature - env: - REF: ${{ github.ref }} run: | - releasever="$REF" + releasever=${GITHUB_REF} releasever="${releasever#refs/tags/}" - TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) || + TAGCHECK=$(git tag -v "${releasever}" 2>&1 >/dev/null) || echo "${TAGCHECK}" | grep -q "error" && { echo "::error::tag ${releasever} is not a signed tag. Failing release process." exit 1 @@ -45,12 +44,10 @@ jobs: - name: Release content id: contentrel - env: - REF: ${{ github.ref }} run: | - RELEASEVER="$REF" + RELEASEVER=${GITHUB_REF} echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT - git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md + git tag -l "${RELEASEVER#refs/tags/}" -n20000 | tail -n +3 | cut -c 5- >release-notes.md working-directory: src/github.com/containerd/containerd - name: Save release notes diff --git a/.github/workflows/buf-breaking.yml b/.github/workflows/buf-breaking.yml index 1a6570aa3a1b7..774e43986403f 100644 --- a/.github/workflows/buf-breaking.yml +++ b/.github/workflows/buf-breaking.yml @@ -23,8 +23,10 @@ jobs: timeout-minutes: 10 steps: - - uses: actions/checkout@v7 - - uses: bufbuild/buf-action@v1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - uses: bufbuild/buf-action@fd21066df7214747548607aaa45548ba2b9bc1ff # v1.4.0 with: version: 1.63.0 github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml index 106b94b3566f7..0b6ab466bd23d 100644 --- a/.github/workflows/build-test-images.yml +++ b/.github/workflows/build-test-images.yml @@ -44,6 +44,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -161,11 +162,11 @@ jobs: run: | make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up setup-buildx - make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376 - make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376 + make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376" + make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376" - make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376 - make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376 + make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376" + make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376" - name: Cleanup resources if: always() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 663747fa90fb8..bfed135a83a8c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,6 +33,8 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 with: @@ -53,6 +55,7 @@ jobs: with: path: src/github.com/containerd/containerd fetch-depth: 100 + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -88,6 +91,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -107,6 +111,8 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.7 - run: make man @@ -137,6 +143,8 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - run: | set -e -x @@ -193,6 +201,8 @@ jobs: - os: ${{ github.event.repository.private && 'ubuntu-24.04-arm' || '' }} steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go with: go-version: ${{ matrix.go-version }} @@ -228,6 +238,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -236,6 +247,7 @@ jobs: repository: kubernetes-sigs/cri-tools path: src/github.com/kubernetes-sigs/cri-tools fetch-depth: 0 + persist-credentials: false - name: Set env run: | @@ -388,6 +400,8 @@ jobs: GOTEST: gotestsum -- steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - name: Install containerd dependencies @@ -628,6 +642,8 @@ jobs: cat /proc/cpuinfo free -mt - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /root/.vagrant.d @@ -684,6 +700,8 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Set up cgroup v2 delegation run: | sudo mkdir -p /etc/systemd/system/user@.service.d @@ -733,6 +751,8 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - run: script/setup/install-gotestsum - run: script/setup/install-teststat diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a5a5c673c02f2..f684b0cf0aa2f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index d37a501c0e732..055195543c82c 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -41,6 +41,8 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: ./.github/actions/install-go - run: script/go-test-fuzz.sh - name: Upload Crash diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml index 3fb1262df8030..991cce575de71 100644 --- a/.github/workflows/images.yml +++ b/.github/workflows/images.yml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -72,8 +73,8 @@ jobs: echo "Mirroring $upstream to $mirror" - sudo ctr content fetch --all-platforms ${upstream} + sudo ctr content fetch --all-platforms "${upstream}" sudo ctr images ls - sudo ctr --debug images push -u ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} ${mirror} ${upstream} + sudo ctr --debug images push -u "${GITHUB_ACTOR}:${{ secrets.GITHUB_TOKEN }}" "${mirror}" "${upstream}" - sudo kill $containerd_pid + sudo kill "$containerd_pid" diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index 24b8276723a24..41167696ac34c 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -19,6 +19,8 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0 with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 35ba3250241d4..cca2ce45310f4 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -23,6 +23,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go @@ -141,6 +142,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: src/github.com/containerd/containerd + persist-credentials: false - uses: ./src/github.com/containerd/containerd/.github/actions/install-go diff --git a/.github/workflows/node-e2e.yml b/.github/workflows/node-e2e.yml index c2540674081cb..e796d6e3f91af 100644 --- a/.github/workflows/node-e2e.yml +++ b/.github/workflows/node-e2e.yml @@ -40,6 +40,7 @@ jobs: with: path: src/github.com/containerd/containerd fetch-depth: 0 + persist-credentials: false - name: Checkout Kubernetes uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -48,6 +49,7 @@ jobs: path: src/k8s.io/kubernetes ref: ${{ inputs.k8s_version }} fetch-depth: 0 + persist-credentials: false - name: Install Go uses: ./src/github.com/containerd/containerd/.github/actions/install-go diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 746ba125a1103..a16d525cc6151 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,15 +30,16 @@ jobs: with: ref: ${{ github.ref }} path: src/github.com/containerd/containerd + persist-credentials: false - name: Check signature run: | # git tag -v requires an allowedSignersFile to be configured and exist for ssh signature verification touch ${{ runner.temp }}/empty-allowedSignersFile git config --global gpg.ssh.allowedSignersFile ${{ runner.temp }}/empty-allowedSignersFile - releasever=${{ github.ref }} + releasever=${GITHUB_REF} releasever="${releasever#refs/tags/}" - TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) || + TAGCHECK=$(git tag -v "${releasever}" 2>&1 >/dev/null) || echo "${TAGCHECK}" | grep -q "error" && { echo "::error::tag ${releasever} is not a signed tag. Failing release process." exit 1 @@ -51,9 +52,9 @@ jobs: - name: Release content id: contentrel run: | - RELEASEVER=${{ github.ref }} + RELEASEVER=${GITHUB_REF} echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT - git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md + git tag -l "${RELEASEVER#refs/tags/}" -n20000 | tail -n +3 | cut -c 5- >release-notes.md working-directory: src/github.com/containerd/containerd - name: Save release notes @@ -86,7 +87,7 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') shell: bash run: | - releasever=${{ github.ref }} + releasever=${GITHUB_REF} releasever="${releasever#refs/tags/}" echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV - name: Checkout containerd @@ -98,6 +99,7 @@ jobs: repository: ${{ github.repository }} ref: ${{ github.ref }} path: src/github.com/containerd/containerd + persist-credentials: false - name: Setup buildx instance uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e83994453edd6..9cf3c8ebd7b25 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -8,7 +8,8 @@ on: branches: [ "main" ] # Declare default permissions as read only. -permissions: read-all +permissions: + contents: read jobs: analysis: @@ -22,12 +23,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # tag=v7.0.0 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # tag=v2.4.3 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -41,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # tag=v7.0.1 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: SARIF file path: results.sarif @@ -49,6 +50,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # tag=v4.36.2 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 12f805397658a..6aa13cf6c8d38 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -6,7 +6,8 @@ on: paths: - '.github/workflows/stale.yml' -permissions: read-all +permissions: + contents: read jobs: stale: diff --git a/.github/workflows/windows-hyperv-periodic-trigger.yml b/.github/workflows/windows-hyperv-periodic-trigger.yml index 4c5f3ac793ad6..be7f95021d438 100644 --- a/.github/workflows/windows-hyperv-periodic-trigger.yml +++ b/.github/workflows/windows-hyperv-periodic-trigger.yml @@ -22,7 +22,7 @@ jobs: # upstream containerd repository should be replaced with the following to # potentially allow contributors to enable periodic Windows tests on forks as well: # uses: "${{ github.repository }}/.github/workflows/windows-hyperv-periodic.yml@${{ github.ref_name }}" - uses: containerd/containerd/.github/workflows/windows-hyperv-periodic.yml@main + uses: containerd/containerd/.github/workflows/windows-hyperv-periodic.yml@main # zizmor: ignore[unpinned-uses] reusable workflow intentionally tracks containerd/main secrets: AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}" AZURE_CREDS: "${{ secrets.AZURE_CREDS }}" diff --git a/.github/workflows/windows-hyperv-periodic.yml b/.github/workflows/windows-hyperv-periodic.yml index a8d3a68dcefa7..8e14d54f41ad3 100644 --- a/.github/workflows/windows-hyperv-periodic.yml +++ b/.github/workflows/windows-hyperv-periodic.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Install required packages run: | diff --git a/.github/workflows/windows-periodic-trigger.yml b/.github/workflows/windows-periodic-trigger.yml index 1b1664f3fabd6..5881dd446595b 100644 --- a/.github/workflows/windows-periodic-trigger.yml +++ b/.github/workflows/windows-periodic-trigger.yml @@ -22,7 +22,7 @@ jobs: # upstream containerd repository should be replaced with the following to # potentially allow contributors to enable periodic Windows tests on forks as well: # uses: "${{ github.repository }}/.github/workflows/windows-periodic.yml@${{ github.ref_name }}" - uses: containerd/containerd/.github/workflows/windows-periodic.yml@main + uses: containerd/containerd/.github/workflows/windows-periodic.yml@main # zizmor: ignore[unpinned-uses] reusable workflow intentionally tracks containerd/main secrets: AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}" AZURE_CREDS: "${{ secrets.AZURE_CREDS }}" diff --git a/.github/workflows/windows-periodic.yml b/.github/workflows/windows-periodic.yml index 26bbe34e55c68..5cecaa1ad7ff1 100644 --- a/.github/workflows/windows-periodic.yml +++ b/.github/workflows/windows-periodic.yml @@ -45,6 +45,8 @@ jobs: timeout-minutes: 90 steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Install required packages run: | diff --git a/internal/cri/server/podsandbox/sandbox_run.go b/internal/cri/server/podsandbox/sandbox_run.go index 1f3755a25950e..1d9a8ebfa6615 100644 --- a/internal/cri/server/podsandbox/sandbox_run.go +++ b/internal/cri/server/podsandbox/sandbox_run.go @@ -43,6 +43,7 @@ import ( containerdio "github.com/containerd/containerd/v2/pkg/cio" "github.com/containerd/containerd/v2/pkg/deprecation" "github.com/containerd/errdefs" + dockerref "github.com/distribution/reference" ) func init() { @@ -78,10 +79,13 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll ) sandboxImage := c.getSandboxImageName() - - pauseImage, err := c.client.GetImage(ctx, sandboxImage) + normalized, err := dockerref.ParseDockerRef(sandboxImage) + if err != nil { + return cin, fmt.Errorf("failed to parse image reference %q: %w", sandboxImage, err) + } + pauseImage, err := c.client.GetImage(ctx, normalized.String()) if err != nil { - return cin, fmt.Errorf("failed to get sandbox image %q: %w", sandboxImage, err) + return cin, fmt.Errorf("failed to get sandbox image %q: %w", normalized.String(), err) } // Get the image spec from containerd image