Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,12 @@ updates:
otel:
patterns:
- "go.opentelemetry.io/*"
cooldown:
default-days: 7
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
cooldown:
default-days: 7
13 changes: 5 additions & 8 deletions .github/workflows/api-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,13 @@ jobs:
with:
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
persist-credentials: false

- name: Check signature
env:
REF: ${{ github.ref }}
run: |
releasever="$REF"
releasever=${GITHUB_REF}
releasever="${releasever#refs/tags/}"
TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
TAGCHECK=$(git tag -v "${releasever}" 2>&1 >/dev/null) ||
echo "${TAGCHECK}" | grep -q "error" && {
echo "::error::tag ${releasever} is not a signed tag. Failing release process."
exit 1
Expand All @@ -45,12 +44,10 @@ jobs:

- name: Release content
id: contentrel
env:
REF: ${{ github.ref }}
run: |
RELEASEVER="$REF"
RELEASEVER=${GITHUB_REF}
echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
git tag -l "${RELEASEVER#refs/tags/}" -n20000 | tail -n +3 | cut -c 5- >release-notes.md
working-directory: src/github.com/containerd/containerd

- name: Save release notes
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/buf-breaking.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@ jobs:
timeout-minutes: 10

steps:
- uses: actions/checkout@v7
- uses: bufbuild/buf-action@v1
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: bufbuild/buf-action@fd21066df7214747548607aaa45548ba2b9bc1ff # v1.4.0
with:
version: 1.63.0
github_token: ${{ secrets.GITHUB_TOKEN }}
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/build-test-images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand Down Expand Up @@ -161,11 +162,11 @@ jobs:
run: |
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up setup-buildx

make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376"
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-copy-up push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376"

make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL=${{ env.PUBLIC_IP }}:2376
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership build-registry PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376"
make -C $GITHUB_WORKSPACE/src/github.com/containerd/containerd/integration/images/volume-ownership push-manifest PROJ="$PROJECT" REMOTE_DOCKER_URL="${{ env.PUBLIC_IP }}:2376"

- name: Cleanup resources
if: always()
Expand Down
20 changes: 20 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ jobs:

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
- uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
with:
Expand All @@ -53,6 +55,7 @@ jobs:
with:
path: src/github.com/containerd/containerd
fetch-depth: 100
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand Down Expand Up @@ -88,6 +91,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand All @@ -107,6 +111,8 @@ jobs:

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
- run: go install github.com/cpuguy83/go-md2man/v2@v2.0.7
- run: make man
Expand Down Expand Up @@ -137,6 +143,8 @@ jobs:

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
- run: |
set -e -x
Expand Down Expand Up @@ -193,6 +201,8 @@ jobs:
- os: ${{ github.event.repository.private && 'ubuntu-24.04-arm' || '' }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
with:
go-version: ${{ matrix.go-version }}
Expand Down Expand Up @@ -228,6 +238,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand All @@ -236,6 +247,7 @@ jobs:
repository: kubernetes-sigs/cri-tools
path: src/github.com/kubernetes-sigs/cri-tools
fetch-depth: 0
persist-credentials: false

- name: Set env
run: |
Expand Down Expand Up @@ -388,6 +400,8 @@ jobs:
GOTEST: gotestsum --
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go

- name: Install containerd dependencies
Expand Down Expand Up @@ -628,6 +642,8 @@ jobs:
cat /proc/cpuinfo
free -mt
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: /root/.vagrant.d
Expand Down Expand Up @@ -684,6 +700,8 @@ jobs:

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up cgroup v2 delegation
run: |
sudo mkdir -p /etc/systemd/system/user@.service.d
Expand Down Expand Up @@ -733,6 +751,8 @@ jobs:

steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
- run: script/setup/install-gotestsum
- run: script/setup/install-teststat
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- uses: ./.github/actions/install-go

Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/fuzz.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ jobs:
timeout-minutes: 30
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/install-go
- run: script/go-test-fuzz.sh
- name: Upload Crash
Expand Down
7 changes: 4 additions & 3 deletions .github/workflows/images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand Down Expand Up @@ -72,8 +73,8 @@ jobs:

echo "Mirroring $upstream to $mirror"

sudo ctr content fetch --all-platforms ${upstream}
sudo ctr content fetch --all-platforms "${upstream}"
sudo ctr images ls
sudo ctr --debug images push -u ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} ${mirror} ${upstream}
sudo ctr --debug images push -u "${GITHUB_ACTOR}:${{ secrets.GITHUB_TOKEN }}" "${mirror}" "${upstream}"

sudo kill $containerd_pid
sudo kill "$containerd_pid"
2 changes: 2 additions & 0 deletions .github/workflows/links.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ jobs:
timeout-minutes: 15
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand Down Expand Up @@ -141,6 +142,7 @@ jobs:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
path: src/github.com/containerd/containerd
persist-credentials: false

- uses: ./src/github.com/containerd/containerd/.github/actions/install-go

Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/node-e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ jobs:
with:
path: src/github.com/containerd/containerd
fetch-depth: 0
persist-credentials: false

- name: Checkout Kubernetes
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Expand All @@ -48,6 +49,7 @@ jobs:
path: src/k8s.io/kubernetes
ref: ${{ inputs.k8s_version }}
fetch-depth: 0
persist-credentials: false

- name: Install Go
uses: ./src/github.com/containerd/containerd/.github/actions/install-go
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,16 @@ jobs:
with:
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
persist-credentials: false

- name: Check signature
run: |
# git tag -v requires an allowedSignersFile to be configured and exist for ssh signature verification
touch ${{ runner.temp }}/empty-allowedSignersFile
git config --global gpg.ssh.allowedSignersFile ${{ runner.temp }}/empty-allowedSignersFile
releasever=${{ github.ref }}
releasever=${GITHUB_REF}
releasever="${releasever#refs/tags/}"
TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
TAGCHECK=$(git tag -v "${releasever}" 2>&1 >/dev/null) ||
echo "${TAGCHECK}" | grep -q "error" && {
echo "::error::tag ${releasever} is not a signed tag. Failing release process."
exit 1
Expand All @@ -51,9 +52,9 @@ jobs:
- name: Release content
id: contentrel
run: |
RELEASEVER=${{ github.ref }}
RELEASEVER=${GITHUB_REF}
echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT
git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
git tag -l "${RELEASEVER#refs/tags/}" -n20000 | tail -n +3 | cut -c 5- >release-notes.md
working-directory: src/github.com/containerd/containerd

- name: Save release notes
Expand Down Expand Up @@ -86,7 +87,7 @@ jobs:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
shell: bash
run: |
releasever=${{ github.ref }}
releasever=${GITHUB_REF}
releasever="${releasever#refs/tags/}"
echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV
- name: Checkout containerd
Expand All @@ -98,6 +99,7 @@ jobs:
repository: ${{ github.repository }}
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
persist-credentials: false

- name: Setup buildx instance
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
Expand Down
11 changes: 6 additions & 5 deletions .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,8 @@ on:
branches: [ "main" ]

# Declare default permissions as read only.
permissions: read-all
permissions:
contents: read

jobs:
analysis:
Expand All @@ -22,12 +23,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # tag=v7.0.0
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # tag=v2.4.3
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -41,14 +42,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # tag=v7.0.1
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # tag=v4.36.2
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif
3 changes: 2 additions & 1 deletion .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ on:
paths:
- '.github/workflows/stale.yml'

permissions: read-all
permissions:
contents: read

jobs:
stale:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/windows-hyperv-periodic-trigger.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
# upstream containerd repository should be replaced with the following to
# potentially allow contributors to enable periodic Windows tests on forks as well:
# uses: "${{ github.repository }}/.github/workflows/windows-hyperv-periodic.yml@${{ github.ref_name }}"
uses: containerd/containerd/.github/workflows/windows-hyperv-periodic.yml@main
uses: containerd/containerd/.github/workflows/windows-hyperv-periodic.yml@main # zizmor: ignore[unpinned-uses] reusable workflow intentionally tracks containerd/main
secrets:
AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}"
AZURE_CREDS: "${{ secrets.AZURE_CREDS }}"
2 changes: 2 additions & 0 deletions .github/workflows/windows-hyperv-periodic.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: Install required packages
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/windows-periodic-trigger.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
# upstream containerd repository should be replaced with the following to
# potentially allow contributors to enable periodic Windows tests on forks as well:
# uses: "${{ github.repository }}/.github/workflows/windows-periodic.yml@${{ github.ref_name }}"
uses: containerd/containerd/.github/workflows/windows-periodic.yml@main
uses: containerd/containerd/.github/workflows/windows-periodic.yml@main # zizmor: ignore[unpinned-uses] reusable workflow intentionally tracks containerd/main
secrets:
AZURE_SUB_ID: "${{ secrets.AZURE_SUB_ID }}"
AZURE_CREDS: "${{ secrets.AZURE_CREDS }}"
Loading
Loading