Commit Graph

37 Commits

Author SHA1 Message Date
Salman Chishti 8e16bb239e Upgrade GitHub Actions to latest versions (#959)
- Upgrade GitHub Actions to their latest versions for
  improved features, bug fixes, and security updates.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
2025-12-16 12:14:45 -08:00
Salman Chishti 0c7dca4d25 Add Dependabot for GitHub Actions updates (#960)
## Summary

Add Dependabot configuration to automatically keep GitHub Actions up to
date.

## Changes

Adds `.github/dependabot.yml` configured to:
- Check for GitHub Actions updates weekly
- Group all action updates together for easier review
- Use `ci` prefix for commit messages

## Why

As discussed in #958, this helps:
- Keep actions up to date with security patches automatically
- Handle Node runtime deprecations proactively (e.g., Node 20 → Node 24)
- Reduce manual maintenance burden

## Reference

Based on the pattern used in
[swift-nio](https://github.com/apple/swift-nio/blob/main/.github/dependabot.yml).
2025-12-16 11:23:31 -08:00
Salman Chishti 637c8f11a9 Upgrade GitHub Actions for Node 24 compatibility (#958)
## Summary

Upgrade GitHub Actions to their latest versions to ensure compatibility
with Node 24, as Node 20 will reach end-of-life in April 2026.

## Changes

| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |

## Context

Per [GitHub's
announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/),
Node 20 is being deprecated and runners will begin using Node 24 by
default starting March 4th, 2026.

### Why this matters

- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24

### Security

All actions are now **pinned to commit SHAs** instead of mutable version
tags. This provides:
- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability

### Automated Updates

A follow-up PR (#960) adds Dependabot configuration to automatically
keep these actions updated with new SHA-pinned versions.

### Testing

These changes only affect CI/CD workflow configurations and should not
impact application functionality. The workflows should be tested by
running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
2025-12-16 10:15:42 -08:00
Ronit Sabhaya c76e0f4f84 Added the split method for labeler workflow (#788)
- This can basically Help teams know what changes are made in pr
- Added the split approach @katiewasnothere suggested using openssf
- Added additional feature for colors
- Currently this is for CLI only later we can add multiple
- Labeling flow
  - TRIGGER: Pull Request Opened (untrusted code)
  - READ-ONLY stage: just save job number to artifact
  - WRITE: load job number artifact, use GH labeler
    action with `labeler.yml` from repo
2025-11-19 20:17:35 -03:00
Melissa Kilby ae279105a2 chore: restrict GitHub workflow permissions - future-proof (#781)
See https://github.com/swiftlang/github-workflows/issues/167 for
additional context

This approach aligns with security best practices, as detailed in the
following documentation:

-
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
-
https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
-
https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/


The default GITHUB_TOKEN permissions are defined at the repository
level. This PR modifies the workflow-level overrides to conform to
OpenSSF best practices -> defense in depth.

Allow me to quote OpenSSF:

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

> The highest score is awarded when the permissions definitions in each
workflow's yaml file are set as read-only at the top level and the
required write permissions are declared at the run-level.”

> Remediation steps
> - Set top-level permissions as read-all or contents: read as described
in GitHub's documentation.
> - Set any required write permissions at the job-level. Only set the
permissions required for that job; do not set permissions: write-all at
the job level.


Compare to the LLVM project:

Top-level: contents read, e.g.
https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L3-L4
-> this makes it future-proof

Job-level: Allow write permissions as needed, e.g.
https://github.com/swiftlang/llvm-project/blob/next/.github/workflows/build-ci-container-windows.yml#L53-L58

Signed-off-by: Melissa Kilby <mkilby@apple.com>
2025-10-17 15:03:41 -07:00
Kathryn Baldauf 7bfdcc9940 Revert "added the new workflow that automatically puts the labels in PR" (#776)
Reverts apple/container#741

The action does not have permissions to add labels. Reverting this while
we investigate the right fix

@Ronitsabhaya75 heads up
2025-10-16 18:08:54 -07:00
Ronit Sabhaya f49059fb7b added the new workflow that automatically puts the labels in PR (#741)
## Type of Change
- [ ] New feature : This can help dev teams to particularly look on
those things are differently and understand what has been changed
through labels


@dcantah can you please review this pr and suggest me if any changes
require

---------

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Bisman Sahni <139563284+bismansahni@users.noreply.github.com>
Co-authored-by: J Logan <john_logan@apple.com>
2025-10-16 17:41:29 -07:00
J Logan bc70b39182 Fix broken proxy configuration for default kernel fetch. (#747)
- Closes #466.

## Type of Change
- [x] Bug fix
- [ ] New feature  
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Proxy logic worked well enough for CI but broken in general.

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs
2025-10-10 10:17:42 -07:00
Dmitry Kovba 60cff76a5a Update an issue template (#694)
This PR adds the default value "N/A" to the logs section to prevent it
from being empty in most issues.
2025-10-01 09:43:53 -07:00
Kathryn Baldauf 7bd9e5ac82 Remove description field in PR template (#583)
## Type of Change
- [x] Process update

## Description
Remove description field in PR template 

## Motivation and Context
I think having separate `Description` and `Motivation and Context`
sections have been redundant in recent usage of the PR template. This PR
removes the `Description` section. Ideally the PR title should cover the
same content previously in the `Description` section.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-09-05 13:54:35 -07:00
Sidhartha Mani e42fe80aa0 Create command-reference.md (#445)
Fixes https://github.com/apple/container/issues/375
2025-08-29 10:23:45 -07:00
J Logan 4ac18b54f3 Test fixes for 0.4.1 release. (#550)
- Disabled tests that failed with release config.
- Changed so merge builds build with release config so this doesn't burn
us next release.
- Added `swift --version` to Makefile so we can see what we're running
up in CI.
2025-08-27 18:04:00 -07:00
J Logan 88223d8add Select alternate data path with container system start --app-root path. (#419)
Closes #418.
2025-08-06 14:49:09 -07:00
Kathryn Baldauf 7dc1dda43f Update xcode developer version to new symlink (#374)
Related to https://github.com/apple/containerization/pull/234

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-07-25 13:11:29 -07:00
Dmitry Kovba 9eb2f860fc Use a consistent capitalization in a bug report template (#269) 2025-06-27 15:51:31 -07:00
Kathryn Baldauf 00aa883a83 Remove use of triage label (#262)
Tags on the repo should be a way to classify an item instead of denoting
workflow or status of the item. Remove the addition of the triage label
on bug and feature issues.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-27 14:07:53 -04:00
Dmitry Kovba de2be705de Remove the support for CURRENT_SDK (#251)
This PR removes the no longer needed support for `CURRENT_SDK`.
2025-06-26 10:40:34 -04:00
Kathryn Baldauf e693139ab9 Move github issues to use feature and bug Types instead of Labels (#258)
Github now has a "Type" feature for issues. Types are set at the
organization level and can be used for consistent classification of
issues across an organization. We'd like to switch to using these to
classify if an issue is a bug or feature instead of labels. Labels will
be used for more granular classification within a repo.

See [github
docs](https://docs.github.com/en/issues/tracking-your-work-with-issues/configuring-issues/managing-issue-types-in-an-organization)
for more information about GitHub Issue Types.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-25 16:40:21 -07:00
Joseph Heck 8e892be2b0 limit build and test for runners to Apple repository (#228)
constrains build to run on apple/container

fixes #209
2025-06-20 15:28:17 -07:00
Dmitry Kovba 51c1b879d2 Update to Swift 6.2 (#195)
This PR updates to Swift 6.2 and resolves a build error after updating
to Swift 6.2-snapshot in
https://github.com/apple/containerization/pull/94.
2025-06-13 17:27:50 -07:00
Satyam Singh 24730167da fix(common.yml): globalize CURRENT_SDK, improve shell safety and imp… (#178)
## 🔧 Improvements Summary

This PR introduces three improvements focused on safety,
maintainability, and readability of the GitHub Actions workflow.

---

### 1. Define Global Environment Variable

**Before:**

Environment variable `CURRENT_SDK` was defined repeatedly in multiple
steps.

**After:**

 Declared in gloabally one time. 

#### Why This Matters:

-  Eliminates duplication across steps.
-  Makes it easier to update or remove the variable in the future.
-  Still allows per-step override when necessary.

### 2. Fix Unsafe Shell Conditional on inputs.release
- Using **[[ ... ]]** **instea**d of **[ ... ]** for conditionals.
- Adding **double quotes** around inputs and refs to **avoid**
evaluation issues.
**PREVIOUSLY FIXED** Containerization project.
[https://github.com/apple/containerization/pull/68](url)
  
 ### 3.  Removed EXCLUSION AND TODO comment.
  #### Affected Steps:

 `check Formatting`

`make proto`

### Improvements:

Now that the repositories are public, we no longer need to exclude files
like Package.swift and Package.resolved from formatting and proto
checks.

- Removed EXCLUDES logic
- Removed related TODO comments
- Updated git diff checks to include all files

@wlan0 @katiewasnothere
2025-06-13 13:47:24 -07:00
Satyam Singh 2364f33cc6 Fix release workflow: tag regex, artifact validation, and token usage (#187)
## 🔧 Summary
This PR improves the release.yml GitHub Actions workflow by addressing
several critical issues to ensure consistent and reliable behavior
during tag-based releases.

##  Changes Included
### 1. Fixed tag trigger regex
- Escaped dots in the tag regex ([0-9]+\\.[0-9]+\\.[0-9]+) to ensure
only semantic version tags like 1.2.3 trigger the workflow.
#####  Explanation
- Old **Regex** is incorrect because . matches **any character**, so it
matched:

`1-2-3`, `1_2_3`, even `1a2b3`, which is invalid for versioning.

 - Fixed **Regex** is strict — matches only 1.2.3.
 #### Find attached tested SCREEN SHOT BELOW .
**Bad Match with Old Regex:**

![proofwithBadMatch](https://github.com/user-attachments/assets/6dbec50d-6ffb-4338-a258-7b3629b08e24)


**Proper Match with Fixed Regex:**

![withfixedbadstring](https://github.com/user-attachments/assets/1c9b6315-074b-4db4-a911-6493a76b4b64)
---
### 💬 Note: If you're planning to adopt alternate version tag formats in
the future — such as:

 - v1.0.2 (semantic with prefix)

- release-1.0.2 or rel-1.0.2

- 1.0.2-beta, 1.0.2-rc.1 (prereleases with suffixes)

 - x1.0.2x (custom wrapping formats)

**…feel free to reach out. I'm happy to help extend the workflow to
support those formats reliably and safely.**
---
### 2. Added strict release job guard
- Prevented **accidental release runs** on non-tag events using if:
startsWith(github.ref, 'refs/tags/').

### 3. Explicit artifact validation
- **Introduced a shell check** using ls and test to ensure .zip and .pkg
files exist before attempting release. This gives early, clear failure
instead of a **vague error** from `action-gh-release`.

### 4. Clarified GitHub token usage
- Switched from ${{ secrets.GITHUB_TOKEN }} to ${{ github.token }} for
better readability and consistency with GitHub Actions best practices.

@katiewasnothere @wlan0
2025-06-13 10:43:59 -07:00
Dmitry Kovba c0433bec15 Update issue templates (#184)
Please see commits for the list of changes.
2025-06-13 09:11:32 -07:00
Kathryn Baldauf 6f1f770a4e Remove temporary workaround for image auth to ghcr (#155)
When we were setting up the repos, we needed these environment variables
for the GitHub Actions CI to be able to run the tests. Now that the
images are public, these can be removed.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-12 11:36:42 -07:00
Kathryn Baldauf 2ac52d4ce0 Add missing link to repo CoC in issue template (#157)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-12 11:36:23 -07:00
Kathryn Baldauf 5f7fe489a6 Add issue templates for bugs and features (#152)
I would love feedback on how people feel about these issue templates, if
there should be more or less templates, or if there are any fields that
people think we should add.

You can see an example of how to use these by testing opening an issue
on my fork [here](https://github.com/katiewasnothere/container/issues).

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-11 17:04:03 -07:00
Patrick Stöckle 2327e899cf Remove trailing whitespace from GitHub workflows (#154)
Remove trailing whitespace from GitHub workflows
2025-06-11 16:56:39 -07:00
Kathryn Baldauf 665532c374 Remove use of REPO_READ token (#124)
This token was needed when the repos were private. Now that they are
public, this should no longer be needed.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-10 15:38:19 -07:00
Kathryn Baldauf eeddf6f7e7 Publish docs from main (#67)
We eventually only want to support building docs from release branches
and tags, however, while we're working to initially set up the docs, we
may have some churn. So we want to be able to publish from main during
that churn.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-09 16:33:05 -07:00
Aditya Ramani f86dcefb04 Add make target to fetch the default kernel (#33)
Replaces the `--install-dependencies` flag with the
`(enable/disable)-kernel-install` flag. If the flag is not passed - the
default behavior is prompting the user for a response.

Also adds a make target `install-kernel`

```
➜ bin/container system start
Verifying apiserver is running...
Installing base container filesystem...
No default kernel configured.
Install the recommended default kernel from [https://github.com/kata-containers/kata-containers/releases/download/3.17.0/kata-static-3.17.0-arm64.tar.xz]? [Y/n]: n
Please use the `container system kernel set --recommended` command to configure the default kernel

➜ bin/container system start --disable-kernel-install
Verifying apiserver is running...

➜ bin/container system start --enable-kernel-install
Verifying apiserver is running...
Installing kernel...

➜ bin/container system start --help

USAGE: container system start ... [--enable-kernel-install] [--disable-kernel-install]
...
  --enable-kernel-install/--disable-kernel-install
                          Specify if the default kernel should be installed or not.

```

---------

Signed-off-by: Aditya Ramani <a_ramani@apple.com>
2025-06-07 12:45:45 -07:00
Kathryn Baldauf d4e01c6579 Only allow publishing docs on release branch or tags (#30)
This removes the ability to deploy docs on the main branch and instead
only allows docs deployment on either a tag or a release branch. Docs
are also built (but not deployed) in the common job run by the build and
release pipelines.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-06 21:49:49 -07:00
Kathryn Baldauf 7e0567cece Fix typo in release branch name (#14)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:35 -07:00
Kathryn Baldauf 7ce2585531 Add token to allow deploying github pages (#13)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:24 -07:00
Kathryn Baldauf ec4185fcc7 Publish docs github action (#9)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:53:13 -07:00
Aditya Ramani f12593c3c2 Register existing runtime plugin launch units on boot (#5) 2025-06-05 15:52:35 -07:00
Kathryn Baldauf 31a0cb2f4e Update alpine images used (#1)
Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>
2025-06-05 15:52:13 -07:00
Kathryn Baldauf 8e9670c8f8 Initial commit
Co-authored-by: Aditya Ramani <a_ramani@apple.com>
Co-authored-by: Agam Dua <agam_dua@apple.com>
Co-authored-by: Danny Canter <danny_canter@apple.com>
Co-authored-by: Dmitry Kovba <dkovba@apple.com>
Co-authored-by: Eric Ernst <eric_ernst@apple.com>
Co-authored-by: Evan Hazlett <ehazlett@apple.com>
Co-authored-by: Gilbert Song <gilbertsong@apple.com>
Co-authored-by: Hugh Bussell <hbussell@apple.com>
Co-authored-by: John Logan <john_logan@apple.com>
Co-authored-by: Kathryn Baldauf <k_baldauf@apple.com>
Co-authored-by: Madhu Venugopal <mvenugopal@apple.com>
Co-authored-by: Michael Crosby <michael_crosby@apple.com>
Co-authored-by: Sidhartha Mani <sidhartha_mani@apple.com>
Co-authored-by: Tanweer Noor <tnoor@apple.com>
Co-authored-by: Ximena Perez Diaz <xperez528@gmail.com>
Co-authored-by: Yibo Zhuang <yzhuang@apple.com>
2025-06-05 15:51:55 -07:00