- Part of #1833.
- Replace old targets with new ones.
- Try increased parallelism after test tweaks in #1857.
- Exclude test files from coverage analysis.
- Part of #1833.
- Adds `ContainerFixture` with scoped resource lifecycle and cleanup in
place of implementation inheritance for test support functions. The
fixture also handles resource prefixing and uses a more ergonomic
`CommandResult` in place of a tuple for return values.
- `ImageWarmup` suite pre-pulls well-known images, and
`copyWarmupImage()` tags test-local refs, keeping the canonical image
store untouched.
- Three-phase `integration-new`: warmup, followed by concurrent tests
(managed by the swift test
`--experimental-maximum-parallelization-width` flag), followed by
serialized tests.
- `coverage-new` merges unit + integration-new profraw, replacing
`coverage` in CI as a migration progress indicator.
- Updates GH workflow so non-coverage invokes both the `integration` and
`integration-new` Makefile targets, while coverage runs invoke the
`coverage-new` target.
- Updates `actions/checkout` from 6.0.3 to 7.0.0
- Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This also includes custom kernels for container machine. Its required
with nested virt as CONFIG_KVM needs to be enabled.
---------
Signed-off-by: michael_crosby <michael_crosby@apple.com>
-Bumps the github-actions group with 1 update in the / directory:
[actions/checkout](https://github.com/actions/checkout).
- Updates `actions/checkout` from 6.0.2 to 6.0.3
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Fixes#1642.
- The `ensure-hawkeye-exists.sh` now actually
ensures that hawkeye is installed. If it is not
installed, the script informs that the installation
uses `curl | sh` and asks the user to confirm
before proceeding.
- Automated workflows can bypass the prompt
by invoking the script with the `-y`/`--auto-install`
option, or by setting the environment variable
`HAWKEYE_AUTO_INSTALL=1`.
- Export HAWKEYE_AUTO_INSTALL=1 in every
Git workflow job that runs make check, to
ensure license/format checks don't stall.
- Bumps the github-actions group with 1 update:
- [actions/labeler](https://github.com/actions/labeler).
- Updates `actions/labeler` from 6.0.1 to 6.1.0
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
There is a bug in the artifact downloading where a single artifact
matching a pattern is extracted flat to the working directory without
creating a subdirectory. This meant the glob
`pr-coverage-*/pr-number.txt` never matched, silently skipping the
comment step on every run.
Fixed by using `merge-multiple: true` with an explicit `path`, giving a
deterministic download location regardless of artifact count.
## Type of Change
- [X] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update
## Motivation and Context
Fix the GitHub actions to post coverage numbers
## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs
This extends the github actions to by default run the coverage
generation targets. The targets will generate the coverage artifacts,
which will then be used by a seprate github action to comment on the PR
the coverage numbers.
This is a sanity check for testing information for new features and
refactors alike. It will allow reviewers to quickly identify if there
are major issues with new tests, or large changes to coverage percentage
that indicate a problem.
- Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- Updates `actions/upload-pages-artifact` from 4 to 5
- Updates `softprops/action-gh-release` from 2 to 3
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [x] Documentation update
## Motivation and Context
Adding help guide to bug report template to make it easier for users to
include relevant information
## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs
Bumps the github-actions group with 2 updates:
- Updates `actions/configure-pages` from 5 to 6
- Updates `actions/deploy-pages` from 4 to 5
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Closes#1236.
- As with other resources, default to tabular output, with `--format
json` alternative.
- Also changes common workflow to collect logs even when test step times
out.
- Adds a a `--log-root` option to `swift system start`, propagating the
value as `CONTAINER_LOG_ROOT` to services for logging to files instead
of the OS log facility. This is not a "production" capability as it
neither merges nor rotates logs.
- Currently we don't collect logs on CI builds, and we don't have
permission to run the `log` command there. The PR adds `--log-root` to
the CI test phase, archives the results, and uploads the archive as an
artifact.
- Use FilePath from swift-system for the log root. Foundation URL is a
bit of a footgun for filesystem paths, so unless we identify a
showstopper, we should incrementally transition to this type everywhere
except where we really need network URLs.
- Output the hostname of the CI runner at the start of the test phase so
we can identify runner-specific issues where they exist.
- Fix formatting for log messages with multiple metadata items, and fix
unstructured messages on instances that weren't found using `grep -r
'log\.' Sources`.
- Adds command reference documentation for `--log-root`.
## Type of Change
- [x] Bug fix
## Motivation and Context
The PR labeler workflow has been failing for a while but it's difficult
to know how to fix it since the PR labeler workflow is run from main
(aka NOT the current PR branch) for security reasons. Example at
https://github.com/apple/container/actions/runs/21690229300/workflow
- Runner fleet is on 26.3 now.
- Integration tests started flaking and it appears that we've been misconfiguring/not configuring proxy variables where we needed to be and it finally caught up with us. Workflow now adds appropriate exclusions for host-to-container and container-to-container network requests so they aren't all rammed through the proxy.
## Summary
Add Dependabot configuration to automatically keep GitHub Actions up to
date.
## Changes
Adds `.github/dependabot.yml` configured to:
- Check for GitHub Actions updates weekly
- Group all action updates together for easier review
- Use `ci` prefix for commit messages
## Why
As discussed in #958, this helps:
- Keep actions up to date with security patches automatically
- Handle Node runtime deprecations proactively (e.g., Node 20 → Node 24)
- Reduce manual maintenance burden
## Reference
Based on the pattern used in
[swift-nio](https://github.com/apple/swift-nio/blob/main/.github/dependabot.yml).
## Summary
Upgrade GitHub Actions to their latest versions to ensure compatibility
with Node 24, as Node 20 will reach end-of-life in April 2026.
## Changes
| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |
## Context
Per [GitHub's
announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/),
Node 20 is being deprecated and runners will begin using Node 24 by
default starting March 4th, 2026.
### Why this matters
- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24
### Security
All actions are now **pinned to commit SHAs** instead of mutable version
tags. This provides:
- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability
### Automated Updates
A follow-up PR (#960) adds Dependabot configuration to automatically
keep these actions updated with new SHA-pinned versions.
### Testing
These changes only affect CI/CD workflow configurations and should not
impact application functionality. The workflows should be tested by
running them on a branch before merging.
Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
- This can basically Help teams know what changes are made in pr
- Added the split approach @katiewasnothere suggested using openssf
- Added additional feature for colors
- Currently this is for CLI only later we can add multiple
- Labeling flow
- TRIGGER: Pull Request Opened (untrusted code)
- READ-ONLY stage: just save job number to artifact
- WRITE: load job number artifact, use GH labeler
action with `labeler.yml` from repo
Reverts apple/container#741
The action does not have permissions to add labels. Reverting this while
we investigate the right fix
@Ronitsabhaya75 heads up
## Type of Change
- [ ] New feature : This can help dev teams to particularly look on
those things are differently and understand what has been changed
through labels
@dcantah can you please review this pr and suggest me if any changes
require
---------
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Bisman Sahni <139563284+bismansahni@users.noreply.github.com>
Co-authored-by: J Logan <john_logan@apple.com>
## Type of Change
- [x] Process update
## Description
Remove description field in PR template
## Motivation and Context
I think having separate `Description` and `Motivation and Context`
sections have been redundant in recent usage of the PR template. This PR
removes the `Description` section. Ideally the PR title should cover the
same content previously in the `Description` section.
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
- Disabled tests that failed with release config.
- Changed so merge builds build with release config so this doesn't burn
us next release.
- Added `swift --version` to Makefile so we can see what we're running
up in CI.
Tags on the repo should be a way to classify an item instead of denoting
workflow or status of the item. Remove the addition of the triage label
on bug and feature issues.
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
Github now has a "Type" feature for issues. Types are set at the
organization level and can be used for consistent classification of
issues across an organization. We'd like to switch to using these to
classify if an issue is a bug or feature instead of labels. Labels will
be used for more granular classification within a repo.
See [github
docs](https://docs.github.com/en/issues/tracking-your-work-with-issues/configuring-issues/managing-issue-types-in-an-organization)
for more information about GitHub Issue Types.
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
## 🔧 Improvements Summary
This PR introduces three improvements focused on safety,
maintainability, and readability of the GitHub Actions workflow.
---
### 1. Define Global Environment Variable
**Before:**
Environment variable `CURRENT_SDK` was defined repeatedly in multiple
steps.
**After:**
Declared in gloabally one time.
#### Why This Matters:
- Eliminates duplication across steps.
- Makes it easier to update or remove the variable in the future.
- Still allows per-step override when necessary.
### 2. Fix Unsafe Shell Conditional on inputs.release
- Using **[[ ... ]]** **instea**d of **[ ... ]** for conditionals.
- Adding **double quotes** around inputs and refs to **avoid**
evaluation issues.
**PREVIOUSLY FIXED** Containerization project.
[https://github.com/apple/containerization/pull/68](url)
### 3. Removed EXCLUSION AND TODO comment.
#### Affected Steps:
`check Formatting`
`make proto`
### Improvements:
Now that the repositories are public, we no longer need to exclude files
like Package.swift and Package.resolved from formatting and proto
checks.
- Removed EXCLUDES logic
- Removed related TODO comments
- Updated git diff checks to include all files
@wlan0 @katiewasnothere