53 Commits

Author SHA1 Message Date
J Logan 5973b9cc62 Finalize Makefile for integration test rework. (#1878)
- Part of #1833.
- Replace old targets with new ones.
- Try increased parallelism after test tweaks in #1857.
- Exclude test files from coverage analysis.
2026-07-01 18:25:34 -07:00
J Logan 649164d9e2 Enhanced test fixtures for integration tests. (#1834)
- Part of #1833.
- Adds `ContainerFixture` with scoped resource lifecycle and cleanup in
place of implementation inheritance for test support functions. The
fixture also handles resource prefixing and uses a more ergonomic
`CommandResult` in place of a tuple for return values.
- `ImageWarmup` suite pre-pulls well-known images, and
`copyWarmupImage()` tags test-local refs, keeping the canonical image
store untouched.
- Three-phase `integration-new`: warmup, followed by concurrent tests
(managed by the swift test
`--experimental-maximum-parallelization-width` flag), followed by
serialized tests.
- `coverage-new` merges unit + integration-new profraw, replacing
`coverage` in CI as a migration progress indicator.
- Updates GH workflow so non-coverage invokes both the `integration` and
`integration-new` Makefile targets, while coverage runs invoke the
`coverage-new` target.
2026-06-26 12:00:44 -07:00
dependabot[bot] 27acdbe2f8 ci: bump the github-actions group across 1 directory with 2 updates (#1792)
- Updates `actions/checkout` from 6.0.3 to 7.0.0
- Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-25 21:44:11 -07:00
Bhavesh Varma af71f87408 Remove duplicate release workflow that double-builds and races on every tag (#1781)
- Closes #1755.
2026-06-25 17:48:11 -07:00
Kathryn Baldauf 22e90e0eab Pin xcode swift version in CI to 6.3 (#1746)
CI runners moved to the Xcode developer beta as the default, but macOS
builds are failing with a conflicting options error for
-warnings-as-errors and -suppress-warnings. Matches
https://github.com/apple/containerization/pull/771

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: J Logan <john_logan@apple.com>
2026-06-18 10:12:56 -07:00
Michael Crosby c4a22389ac add container machine nested virt (#1742)
This also includes custom kernels for container machine. Its required
with nested virt as CONFIG_KVM needs to be enabled.

---------

Signed-off-by: michael_crosby <michael_crosby@apple.com>
2026-06-18 06:53:21 -07:00
dependabot[bot] babddafd98 ci: bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions group across 1 directory (#1640)
-Bumps the github-actions group with 1 update in the / directory:
  [actions/checkout](https://github.com/actions/checkout).
- Updates `actions/checkout` from 6.0.2 to 6.0.3

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 10:44:37 -07:00
Raj 1b5576312f Increase CI timeout to 75 minutes (#1663)
## Type of Change
- [x] Bug fix
- [ ] New feature  
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Increase CI timeout to 75 minutes

## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs
2026-06-08 11:36:20 -07:00
Harshit Singh Bhandari 79f797b879 Auto-install hawkeye in ensure-hawkeye-exists.sh (#1644)
- Fixes #1642.
- The `ensure-hawkeye-exists.sh` now actually
  ensures that hawkeye is installed. If it is not
  installed, the script informs that the installation
  uses `curl | sh` and asks the user to confirm
  before proceeding.
- Automated workflows can bypass the prompt
  by invoking the script with the `-y`/`--auto-install`
  option, or by setting the environment variable
  `HAWKEYE_AUTO_INSTALL=1`.
- Export HAWKEYE_AUTO_INSTALL=1  in every
  Git workflow job that runs make check, to
  ensure license/format checks don't stall.
2026-06-05 09:04:05 -07:00
Kathryn Baldauf f81dcbf3f9 [Actions] Use commit sha for imported gh actions (#1649)
This PR updates the GitHub workflows to ensure all imported actions are
referenced by commit SHA.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2026-06-04 15:07:44 -07:00
dependabot[bot] c1a6d979ba ci: bump actions/labeler from 6.0.1 to 6.1.0 in the github-actions group (#1550)
- Bumps the github-actions group with 1 update:
  - [actions/labeler](https://github.com/actions/labeler).
- Updates `actions/labeler` from 6.0.1 to 6.1.0

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-14 08:57:30 -07:00
Noah Thornton cec58654ac Fix PR coverage comment never posting (#1541)
There is a bug in the artifact downloading where a single artifact
matching a pattern is extracted flat to the working directory without
creating a subdirectory. This meant the glob
`pr-coverage-*/pr-number.txt` never matched, silently skipping the
comment step on every run.

Fixed by using `merge-multiple: true` with an explicit `path`, giving a
deterministic download location regardless of artifact count.

## Type of Change
- [X] Bug fix
- [ ] New feature  
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Fix the GitHub actions to post coverage numbers

## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs
2026-05-11 12:26:53 -07:00
Noah Thornton d12d64d488 Change PR build to generate coverage and comment it (#1474)
This extends the github actions to by default run the coverage
generation targets. The targets will generate the coverage artifacts,
which will then be used by a seprate github action to comment on the PR
the coverage numbers.

This is a sanity check for testing information for new features and
refactors alike. It will allow reviewers to quickly identify if there
are major issues with new tests, or large changes to coverage percentage
that indicate a problem.
2026-05-04 11:10:02 -07:00
dependabot[bot] e710876ac8 ci: bump the github-actions group with 3 updates (#1419)
- Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- Updates `actions/upload-pages-artifact` from 4 to 5
- Updates `softprops/action-gh-release` from 2 to 3

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 11:00:39 +01:00
dependabot[bot] 3376fa8017 ci: bump the github-actions group with 2 updates (#1374)
Bumps the github-actions group with 2 updates:
- Updates `actions/configure-pages` from 5 to 6
- Updates `actions/deploy-pages` from 4 to 5

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 18:17:37 -07:00
dependabot[bot] 0ad33f40a1 ci: bump actions/download-artifact from 8.0.0 to 8.0.1 in the github-actions group (#1325)
Bumps the github-actions group with 1 update:
[actions/download-artifact](https://github.com/actions/download-artifact).

Updates `actions/download-artifact` from 8.0.0 to 8.0.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/download-artifact/releases">actions/download-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v8.0.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Support for CJK characters in the artifact name by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/download-artifact/pull/471">actions/download-artifact#471</a></li>
<li>Add a regression test for artifact name + content-type mismatches by
<a href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a>
in <a
href="https://redirect.github.com/actions/download-artifact/pull/472">actions/download-artifact#472</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/download-artifact/compare/v8...v8.0.1">https://github.com/actions/download-artifact/compare/v8...v8.0.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/download-artifact/commit/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"><code>3e5f45b</code></a>
Add regression tests for CJK characters (<a
href="https://redirect.github.com/actions/download-artifact/issues/471">#471</a>)</li>
<li><a
href="https://github.com/actions/download-artifact/commit/e6d03f67377d4412c7aa56a8e2e4988e6ec479dd"><code>e6d03f6</code></a>
Add a regression test for artifact name + content-type mismatches (<a
href="https://redirect.github.com/actions/download-artifact/issues/472">#472</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/download-artifact/compare/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=8.0.0&new-version=8.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-23 11:10:02 -07:00
dependabot[bot] cafcc92c01 ci: bump the github-actions group with 2 updates (#1288)
Bumps the github-actions group with 2 updates:
[actions/upload-artifact](https://github.com/actions/upload-artifact)
and
[actions/download-artifact](https://github.com/actions/download-artifact).
2026-03-03 18:26:08 -08:00
J Logan ad7f843751 Capture container logs on failed CI runs. (#1285) 2026-03-03 17:39:44 -08:00
J Logan 8653507f80 GH actions: do not interpolate template variables in run blocks. (#1284)
- Prevents injection of code during CI build.
2026-03-03 14:13:32 -08:00
J Logan a409c0f7dd Add --format option for system status. (#1237)
- Closes #1236.
- As with other resources, default to tabular output, with `--format
json` alternative.
- Also changes common workflow to collect logs even when test step times
out.
2026-02-20 15:18:29 -08:00
J Logan d29947121f CI observability enhancements. (#1193)
- Adds a a `--log-root` option to `swift system start`, propagating the
value as `CONTAINER_LOG_ROOT` to services for logging to files instead
of the OS log facility. This is not a "production" capability as it
neither merges nor rotates logs.
- Currently we don't collect logs on CI builds, and we don't have
permission to run the `log` command there. The PR adds `--log-root` to
the CI test phase, archives the results, and uploads the archive as an
artifact.
- Use FilePath from swift-system for the log root. Foundation URL is a
bit of a footgun for filesystem paths, so unless we identify a
showstopper, we should incrementally transition to this type everywhere
except where we really need network URLs.
- Output the hostname of the CI runner at the start of the test phase so
we can identify runner-specific issues where they exist.
- Fix formatting for log messages with multiple metadata items, and fix
unstructured messages on instances that weren't found using `grep -r
'log\.' Sources`.
- Adds command reference documentation for `--log-root`.
2026-02-19 17:47:41 -08:00
Kathryn Baldauf 2d1dd6b4e7 Fix file path for the PR number in the PR labeler workflow (#1158)
## Type of Change
- [x] Bug fix

## Motivation and Context
The PR label applier GitHub workflow has been failing for a while. This
PR fixes that by correcting the file path we look for when trying to
read the PR number. See example failure here
https://github.com/apple/container/actions/runs/21691766538/job/62552959972#step:4:23
2026-02-04 15:42:29 -08:00
Kathryn Baldauf 6451e078b0 Add debugging to the PR labeler CI flow (#1155)
## Type of Change
- [x] Bug fix

## Motivation and Context
The PR labeler workflow has been failing for a while but it's difficult
to know how to fix it since the PR labeler workflow is run from main
(aka NOT the current PR branch) for security reasons. Example at
https://github.com/apple/container/actions/runs/21690229300/workflow
2026-02-04 14:44:53 -08:00
Danny Canter 23c0ece161 CI: Add signed commit check (#1152)
This requirement of ours often goes unnoticed because nothing yells at
you openly about it. Lets fail CI to make it more obvious.
2026-02-04 09:19:50 -08:00
dependabot[bot] 4f93e3e098 ci: bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (#1100)
- Updates `actions/checkout` from 6.0.1 to 6.0.2

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-28 18:21:08 -08:00
J Logan a18df81eb0 Select macOS 26 CI runners. (#1074)
- Runner fleet is on 26.3 now.
- Integration tests started flaking and it appears that we've been misconfiguring/not configuring proxy variables where we needed to be and it finally caught up with us. Workflow now adds appropriate exclusions for host-to-container and container-to-container network requests so they aren't all rammed through the proxy.
2026-01-21 18:25:39 -08:00
Salman Chishti 8e16bb239e Upgrade GitHub Actions to latest versions (#959)
- Upgrade GitHub Actions to their latest versions for
  improved features, bug fixes, and security updates.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
2025-12-16 12:14:45 -08:00
Salman Chishti 637c8f11a9 Upgrade GitHub Actions for Node 24 compatibility (#958)
## Summary

Upgrade GitHub Actions to their latest versions to ensure compatibility
with Node 24, as Node 20 will reach end-of-life in April 2026.

## Changes

| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |

## Context

Per [GitHub's
announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/),
Node 20 is being deprecated and runners will begin using Node 24 by
default starting March 4th, 2026.

### Why this matters

- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24

### Security

All actions are now **pinned to commit SHAs** instead of mutable version
tags. This provides:
- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability

### Automated Updates

A follow-up PR (#960) adds Dependabot configuration to automatically
keep these actions updated with new SHA-pinned versions.

### Testing

These changes only affect CI/CD workflow configurations and should not
impact application functionality. The workflows should be tested by
running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
2025-12-16 10:15:42 -08:00
Ronit Sabhaya c76e0f4f84 Added the split method for labeler workflow (#788)
- This can basically Help teams know what changes are made in pr
- Added the split approach @katiewasnothere suggested using openssf
- Added additional feature for colors
- Currently this is for CLI only later we can add multiple
- Labeling flow
  - TRIGGER: Pull Request Opened (untrusted code)
  - READ-ONLY stage: just save job number to artifact
  - WRITE: load job number artifact, use GH labeler
    action with `labeler.yml` from repo
2025-11-19 20:17:35 -03:00
Melissa Kilby ae279105a2 chore: restrict GitHub workflow permissions - future-proof (#781)
See https://github.com/swiftlang/github-workflows/issues/167 for
additional context

This approach aligns with security best practices, as detailed in the
following documentation:

-
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
-
https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
-
https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/


The default GITHUB_TOKEN permissions are defined at the repository
level. This PR modifies the workflow-level overrides to conform to
OpenSSF best practices -> defense in depth.

Allow me to quote OpenSSF:

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

> The highest score is awarded when the permissions definitions in each
workflow's yaml file are set as read-only at the top level and the
required write permissions are declared at the run-level.”

> Remediation steps
> - Set top-level permissions as read-all or contents: read as described
in GitHub's documentation.
> - Set any required write permissions at the job-level. Only set the
permissions required for that job; do not set permissions: write-all at
the job level.


Compare to the LLVM project:

Top-level: contents read, e.g.
https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L3-L4
-> this makes it future-proof

Job-level: Allow write permissions as needed, e.g.
https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L53-L58

Signed-off-by: Melissa Kilby <mkilby@apple.com>
2025-10-17 15:03:41 -07:00
Kathryn Baldauf 7bfdcc9940 Revert "added the new workflow that automatically puts the labels in PR" (#776)
Reverts apple/container#741

The action does not have permissions to add labels. Reverting this while
we investigate the right fix

@Ronitsabhaya75 heads up
2025-10-16 18:08:54 -07:00
Ronit Sabhaya f49059fb7b added the new workflow that automatically puts the labels in PR (#741)
## Type of Change
- [ ] New feature : This can help dev teams to particularly look on
those things are differently and understand what has been changed
through labels


@dcantah can you please review this pr and suggest me if any changes
require

---------

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Bisman Sahni <139563284+bismansahni@users.noreply.github.com>
Co-authored-by: J Logan <john_logan@apple.com>
2025-10-16 17:41:29 -07:00
J Logan bc70b39182 Fix broken proxy configuration for default kernel fetch. (#747)
- Closes #466.

## Type of Change
- [x] Bug fix
- [ ] New feature  
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Proxy logic worked well enough for CI but broken in general.

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs
2025-10-10 10:17:42 -07:00
J Logan 4ac18b54f3 Test fixes for 0.4.1 release. (#550)
- Disabled tests that failed with release config.
- Changed so merge builds build with release config so this doesn't burn
us next release.
- Added `swift --version` to Makefile so we can see what we're running
up in CI.
2025-08-27 18:04:00 -07:00
J Logan 88223d8add Select alternate data path with container system start --app-root path. (#419)
Closes #418.
2025-08-06 14:49:09 -07:00
Kathryn Baldauf 7dc1dda43f Update xcode developer version to new symlink (#374)
Related to https://github.com/apple/containerization/pull/234

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-07-25 13:11:29 -07:00
Dmitry Kovba de2be705de Remove the support for CURRENT_SDK (#251)
This PR removes the no longer needed support for `CURRENT_SDK`.
2025-06-26 10:40:34 -04:00
Joseph Heck 8e892be2b0 limit build and test for runners to Apple repository (#228)
constrains build to run on apple/container

fixes #209
2025-06-20 15:28:17 -07:00
Dmitry Kovba 51c1b879d2 Update to Swift 6.2 (#195)
This PR updates to Swift 6.2 and resolves a build error after updating
to Swift 6.2-snapshot in
https://github.com/apple/containerization/pull/94.
2025-06-13 17:27:50 -07:00
Satyam Singh 24730167da fix(common.yml): globalize CURRENT_SDK, improve shell safety and imp… (#178)
## 🔧 Improvements Summary

This PR introduces three improvements focused on safety,
maintainability, and readability of the GitHub Actions workflow.

---

### 1. Define Global Environment Variable

**Before:**

Environment variable `CURRENT_SDK` was defined repeatedly in multiple
steps.

**After:**

 Declared in gloabally one time. 

#### Why This Matters:

-  Eliminates duplication across steps.
-  Makes it easier to update or remove the variable in the future.
-  Still allows per-step override when necessary.

### 2. Fix Unsafe Shell Conditional on inputs.release
- Using **[[ ... ]]** **instea**d of **[ ... ]** for conditionals.
- Adding **double quotes** around inputs and refs to **avoid**
evaluation issues.
**PREVIOUSLY FIXED** Containerization project.
[https://github.com/apple/containerization/pull/68](url)
  
 ### 3.  Removed EXCLUSION AND TODO comment.
  #### Affected Steps:

 `check Formatting`

`make proto`

### Improvements:

Now that the repositories are public, we no longer need to exclude files
like Package.swift and Package.resolved from formatting and proto
checks.

- Removed EXCLUDES logic
- Removed related TODO comments
- Updated git diff checks to include all files

@wlan0 @katiewasnothere
2025-06-13 13:47:24 -07:00
Satyam Singh 2364f33cc6 Fix release workflow: tag regex, artifact validation, and token usage (#187)
## 🔧 Summary
This PR improves the release.yml GitHub Actions workflow by addressing
several critical issues to ensure consistent and reliable behavior
during tag-based releases.

##  Changes Included
### 1. Fixed tag trigger regex
- Escaped dots in the tag regex ([0-9]+\\.[0-9]+\\.[0-9]+) to ensure
only semantic version tags like 1.2.3 trigger the workflow.
#####  Explanation
- Old **Regex** is incorrect because . matches **any character**, so it
matched:

`1-2-3`, `1_2_3`, even `1a2b3`, which is invalid for versioning.

 - Fixed **Regex** is strict — matches only 1.2.3.
 #### Find attached tested SCREEN SHOT BELOW .
**Bad Match with Old Regex:**

![proofwithBadMatch](https://github.com/user-attachments/assets/6dbec50d-6ffb-4338-a258-7b3629b08e24)


**Proper Match with Fixed Regex:**

![withfixedbadstring](https://github.com/user-attachments/assets/1c9b6315-074b-4db4-a911-6493a76b4b64)
---
### 💬 Note: If you're planning to adopt alternate version tag formats in
the future — such as:

 - v1.0.2 (semantic with prefix)

- release-1.0.2 or rel-1.0.2

- 1.0.2-beta, 1.0.2-rc.1 (prereleases with suffixes)

 - x1.0.2x (custom wrapping formats)

**…feel free to reach out. I'm happy to help extend the workflow to
support those formats reliably and safely.**
---
### 2. Added strict release job guard
- Prevented **accidental release runs** on non-tag events using if:
startsWith(github.ref, 'refs/tags/').

### 3. Explicit artifact validation
- **Introduced a shell check** using ls and test to ensure .zip and .pkg
files exist before attempting release. This gives early, clear failure
instead of a **vague error** from `action-gh-release`.

### 4. Clarified GitHub token usage
- Switched from ${{ secrets.GITHUB_TOKEN }} to ${{ github.token }} for
better readability and consistency with GitHub Actions best practices.

@katiewasnothere @wlan0
2025-06-13 10:43:59 -07:00
Kathryn Baldauf 6f1f770a4e Remove temporary workaround for image auth to ghcr (#155)
When we were setting up the repos, we needed these environment variables
for the GitHub Actions CI to be able to run the tests. Now that the
images are public, these can be removed.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-12 11:36:42 -07:00
Patrick Stöckle 2327e899cf Remove trailing whitespace from GitHub workflows (#154)
Remove trailing whitespace from GitHub workflows
2025-06-11 16:56:39 -07:00
Kathryn Baldauf 665532c374 Remove use of REPO_READ token (#124)
This token was needed when the repos were private. Now that they are
public, this should no longer be needed.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-10 15:38:19 -07:00
Kathryn Baldauf eeddf6f7e7 Publish docs from main (#67)
We eventually only want to support building docs from release branches
and tags, however, while we're working to initially set up the docs, we
may have some churn. So we want to be able to publish from main during
that churn.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-09 16:33:05 -07:00
Aditya Ramani f86dcefb04 Add make target to fetch the default kernel (#33)
Replaces the `--install-dependencies` flag with the
`(enable/disable)-kernel-install` flag. If the flag is not passed - the
default behavior is prompting the user for a response.

Also adds a make target `install-kernel`

```
➜ bin/container system start
Verifying apiserver is running...
Installing base container filesystem...
No default kernel configured.
Install the recommended default kernel from [https://github.com/kata-containers/kata-containers/releases/download/3.17.0/kata-static-3.17.0-arm64.tar.xz]? [Y/n]: n
Please use the `container system kernel set --recommended` command to configure the default kernel

➜ bin/container system start --disable-kernel-install
Verifying apiserver is running...

➜ bin/container system start --enable-kernel-install
Verifying apiserver is running...
Installing kernel...

➜ bin/container system start --help

USAGE: container system start ... [--enable-kernel-install] [--disable-kernel-install]
...
  --enable-kernel-install/--disable-kernel-install
                          Specify if the default kernel should be installed or not.

```

---------

Signed-off-by: Aditya Ramani <a_ramani@apple.com>
2025-06-07 12:45:45 -07:00
Kathryn Baldauf d4e01c6579 Only allow publishing docs on release branch or tags (#30)
This removes the ability to deploy docs on the main branch and instead
only allows docs deployment on either a tag or a release branch. Docs
are also built (but not deployed) in the common job run by the build and
release pipelines.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-06 21:49:49 -07:00
Kathryn Baldauf 7e0567cece Fix typo in release branch name (#14)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:35 -07:00
Kathryn Baldauf 7ce2585531 Add token to allow deploying github pages (#13)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:24 -07:00
Kathryn Baldauf ec4185fcc7 Publish docs github action (#9)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:13 -07:00