Merge branch 'containers:main' into fix/rootless-podman-in-podman-on-wsl

Author: dvorst

.cirrus.yml

@@ -24,14 +24,14 @@ env:
     ####
     #### Cache-image names to test with (double-quotes around names are critical)
     ####
-    FEDORA_NAME: "fedora-42"
+    FEDORA_NAME: "fedora-43"
     FEDORA_AARCH64_NAME: "${FEDORA_NAME}-aarch64"
-    PRIOR_FEDORA_NAME: "fedora-41"
+    PRIOR_FEDORA_NAME: "fedora-42"
     RAWHIDE_NAME: "rawhide"
-    DEBIAN_NAME: "debian-13"
+    DEBIAN_NAME: "debian-14"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20250910t092246z-f42f41d13"
+    IMAGE_SUFFIX: "c20251211t152018z-f43f42d14"
 
     # EC2 images
     FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"
@@ -271,7 +271,7 @@ alt_build_task:
 
 # Confirm building the remote client, natively on a Mac OS-X VM.
 osx_alt_build_task:
-    name: "Build for MacOS amd64+arm64" # N/B: Referenced by URLencoded strings elsewhere
+    name: "Build for MacOS arm64" # N/B: Referenced by URLencoded strings elsewhere
     alias: osx_alt_build
     # Docs: ./contrib/cirrus/CIModes.md
     only_if: *no_rhel_release  # RHEL never releases podman mac installer binary
@@ -300,12 +300,8 @@ osx_alt_build_task:
         - make podman-mac-helper
     build_pkginstaller_script:
         - pushd contrib/pkginstaller
-        - make ARCH=amd64 NO_CODESIGN=1 pkginstaller
         - make ARCH=aarch64 NO_CODESIGN=1 pkginstaller
-        - make ARCH=universal NO_CODESIGN=1 pkginstaller
         - popd
-    build_amd64_script:
-        - make podman-remote-release-darwin_amd64.zip
     # Building arm podman needs to be the last thing built in this task
     # The Mac tests rely this Podman binary to run, and the CI Mac is ARM-based
     build_arm64_script:
@@ -801,7 +797,7 @@ podman_machine_aarch64_task:
     depends_on: *build
     ec2_instance:
         <<: *standard_build_ec2_aarch64
-    timeout_in: 30m
+    timeout_in: 40m
     env:
         TEST_FLAVOR: "machine-linux"
         TEST_BUILD_TAGS: ""
@@ -899,7 +895,7 @@ podman_machine_mac_task:
     clone_script:  # artifacts from osx_alt_build_task
         - mkdir -p $CIRRUS_WORKING_DIR
         - cd $CIRRUS_WORKING_DIR
-        - $ARTCURL/Build%20for%20MacOS%20amd64%2Barm64/repo/repo.tar.zst
+        - $ARTCURL/Build%20for%20MacOS%20arm64/repo/repo.tar.zst
         - tar -xf repo.tar.zst
     # This host is/was shared with potentially many other CI tasks.
     # The previous task may have been canceled or aborted.
@@ -1090,7 +1086,9 @@ upgrade_test_task:
     depends_on: *build
     matrix:
         - env:
-              PODMAN_UPGRADE_FROM: v4.8.0
+              PODMAN_UPGRADE_FROM: v5.3.1
+        - env:
+              PODMAN_UPGRADE_FROM: v5.6.2
     gce_instance: *standardvm
     env:
         TEST_FLAVOR: upgrade_test
@@ -1126,7 +1124,7 @@ meta_task:
           ${WINDOWS_AMI}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_REPO_NAME}"
-        AWSINI: ENCRYPTED[21b2db557171b11eb5abdbccae593f48c9caeba86dfcc4d4ff109edee9b4656ab6720a110dadfcd51e88cc59a71cc7af]
+        AWSINI: ENCRYPTED[a53616be7cafc6883ac619a26eda7bbd9f20ae99a9f9fe99137b18d780bde89bed7941e791e64d6e6b4d971011ca1d28]
         GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4]
         GCPNAME: ENCRYPTED[2f9738ef295a706f66a13891b40e8eaa92a89e0e87faf8bed66c41eca72bf76cfd190a6f2d0e8444c631fdf15ed32ef6]
         GCPPROJECT: libpod-218412
@@ -1212,7 +1210,7 @@ artifacts_task:
     osx_binaries_script:
         - mkdir -p /tmp/osx
         - cd /tmp/osx
-        - $ARTCURL/Build%20for%20MacOS%20amd64%2Barm64/repo/repo.tar.zst
+        - $ARTCURL/Build%20for%20MacOS%20arm64/repo/repo.tar.zst
         - tar -xf repo.tar.zst
         - mv ./podman-remote-release-darwin_*.zip $CIRRUS_WORKING_DIR/
         - mv ./contrib/pkginstaller/out/podman-installer-macos-*.pkg $CIRRUS_WORKING_DIR/

.github/renovate.json5

@@ -42,17 +42,5 @@ and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
       "schedule": "before 11am",
       "matchPackageNames": ["github.com/containers{/,}**"]
     },
-
-    // Updates for c/common, c/image, and c/storage should be grouped into a single PR.
-    {
-      "matchCategories": ["golang"],
-      "groupName": "common, image, and storage deps",
-      "schedule": "before 11am",
-      "matchPackageNames": [
-        "/^github.com/containers/common/",
-        "/^github.com/containers/image/",
-        "/^github.com/containers/storage/"
-      ]
-    }
   ],
 }

.github/workflows/check_cirrus_cron.yml

@@ -44,7 +44,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             # This is where the scripts live
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@v6
               with:
                   repository: containers/podman
                   ref: 'main'
@@ -61,7 +61,7 @@ jobs:
             - if: steps.cron.outputs.failures > 0
               name: Send failure notification e-mail
               # Ref: https://github.com/dawidd6/action-send-mail
-              uses: dawidd6/[email protected]
+              uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
               with:
                 server_address: ${{secrets.ACTION_MAIL_SERVER}}
                 server_port: 465
@@ -73,14 +73,14 @@ jobs:
                 body: file://./artifacts/email_body.txt
 
             - if: always()
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@v5
               with:
                   name: ${{ github.job }}_artifacts
                   path: artifacts/*
 
             - if: failure()
               name: Send error notification e-mail
-              uses: dawidd6/[email protected]
+              uses: dawidd6/action-send-mail@2cea9617b09d79a095af21254fbcb7ae95903dde # v3.12.0
               with:
                 server_address: ${{secrets.ACTION_MAIL_SERVER}}
                 server_port: 465

.github/workflows/dev-bump.yml

@@ -3,20 +3,26 @@ on:
   push:
     tags:
       - '*'
+
+permissions: {}
+
 jobs:
   bump:
     name: Bump to -dev
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.ref_name }}
           token: ${{ secrets.PODMANBOT_TOKEN }}
+          persist-credentials: true
       - name: Bump
         id: bump
         run: |
-          ref=${{ github.ref_name }}
-          version=${ref#v}
+          version=${GITHUB_REF_NAME#v}
           if [[ $version == *-rc* ]]; then
               devbump="${version%-*}-dev"
               echo "::notice:: is a rc - bumping z down to $devbump"
@@ -27,69 +33,75 @@ jobs:
               echo "::notice:: bumping z up to $devbump"
           fi
 
-          sed -i "s/const RawVersion = ".*"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
+          sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
         run: |
           # Make committer the user who triggered the action, either through cutting a release or manual trigger
           # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
-          git config --local user.name ${{ github.actor }}
-          git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
+          git config --local user.name "${GITHUB_ACTOR}"
+          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          bumpbranch="bump-${DEVBUMP}"
           git checkout -b $bumpbranch
           git add version/rawversion/version.go
-          git commit --signoff -m "Bump Podman to v${{ steps.bump.outputs.devbump }}"
+          git commit --signoff -m "Bump Podman to v${DEVBUMP}"
           git remote add podmanbot https://github.com/podmanbot/podman
           git push -f podmanbot "$bumpbranch"
       - name: Check open PRs
         id: checkpr
         env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
           GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
           prs=$(gh pr list \
-            --repo ${{ github.repository }} \
-            --head bump-${{ steps.bump.outputs.devbump }} \
+            --repo "${GITHUB_REPOSITORY}" \
+            --head "bump-${DEVBUMP}" \
             --state open \
             --json title \
             --jq 'length')
           if ((prs > 0)); then
-            echo "SKIPPING: PR already exists to update from ${{ github.ref_name }}."
+            echo "SKIPPING: PR already exists to update from ${GITHUB_REF_NAME}."
           else
             echo "prexists=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Open PR
         if: steps.checkpr.outputs.prexists == 'false'
         id: pr
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
+          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
-          bumpbranch="bump-${{ steps.bump.outputs.devbump }}"
-          ref=${{ github.ref_name }}
-          base=${ref%.*}
+          bumpbranch="bump-${DEVBUMP}"
+          base=${GITHUB_REF_NAME%.*}
           body=$(printf '```release-note\nNone\n```\n')
           gh pr create \
-            --title "Bump Podman to v${{ steps.bump.outputs.devbump }}" \
+            --title "Bump Podman to v${DEVBUMP}" \
             --body  "$body" \
             --head "podmanbot:$bumpbranch" \
             --base "$base" \
-            --repo ${{ github.repository }}
-        env:
-          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+            --repo "${GITHUB_REPOSITORY}"
   mainbump:
     name: Bump on main
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
     env:
       GH_TOKEN: ${{ github.token }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: main
           token: ${{ secrets.PODMANBOT_TOKEN }}
+          persist-credentials: true
       - name: Check version on main
         id: check
         run: |
           mainvers=`grep -P '(?<=const RawVersion = ")(\d.\d)' -o version/rawversion/version.go`
-          ref=${{ github.ref_name }}
-          releasevers=${ref#v}
+          releasevers=${GITHUB_REF_NAME#v}
           if echo "${mainvers},${releasevers}" | tr ',' '\n' | sort -V -C
           then
               echo "bump=true" >> $GITHUB_OUTPUT
@@ -101,58 +113,61 @@ jobs:
         id: bump
         if: steps.check.outputs.bump == 'true'
         run: |
-          ref=${{ github.ref_name }}
-          releasevers=${ref#v}
+          releasevers=${GITHUB_REF_NAME#v}
 
           arr=($(echo "$releasevers" | tr . '\n'))
           arr[1]=$((${arr[1]}+1))
           arr[2]=0
           devbump="$(IFS=. ; echo "${arr[*]}")-dev"
           echo "::notice:: Bumping main to: $devbump"
 
-          sed -i "s/const RawVersion = \".*\"/const RawVersion = \"$devbump\"/g" version/rawversion/version.go
+          sed --sandbox -i -e "s/const RawVersion = \".*\"/const RawVersion = \"${devbump}\"/g" version/rawversion/version.go
 
           echo "devbump=$devbump" >> $GITHUB_OUTPUT
       - name: Push
         if: steps.check.outputs.bump == 'true'
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
         run: |
           # Make committer the user who triggered the action, either through cutting a release or manual trigger
-          # GitHub gisves everyone a noreply email associated with their account, use that email for the sign-off
-          git config --local user.name ${{ github.actor }}
-          git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+          # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
+          git config --local user.name "${GITHUB_ACTOR}"
+          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          bumpbranch="bump-main-${DEVBUMP}"
           git checkout -b $bumpbranch
           git add version/rawversion/version.go
-          git commit --signoff -m "Bump main to v${{ steps.bump.outputs.devbump }}"
+          git commit --signoff -m "Bump main to v${DEVBUMP}"
           git remote add podmanbot https://github.com/podmanbot/podman
           git push -f podmanbot "$bumpbranch"
       - name: Check open PRs
         id: checkpr
         if: steps.check.outputs.bump == 'true'
         env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
           GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
           prs=$(gh pr list \
-            --repo ${{ github.repository }} \
-            --head bump-main-${{ steps.bump.outputs.devbump }} \
+            --repo "${GITHUB_REPOSITORY}" \
+            --head "bump-main-${DEVBUMP}" \
             --state open \
             --json title \
             --jq 'length')
           if ((prs > 0)); then
-            echo "SKIPPING: PR already exists to update to ${{ steps.bump.outputs.devbump }}."
+            echo "SKIPPING: PR already exists to update to ${DEVBUMP}."
           else
             echo "prexists=false" >> "$GITHUB_OUTPUT"
           fi
       - name: Open PR
         if: steps.check.outputs.bump == 'true' &&  steps.checkpr.outputs.prexists == 'false'
+        env:
+          DEVBUMP: ${{ steps.bump.outputs.devbump }}
+          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
         run: |
-          bumpbranch="bump-main-${{ steps.bump.outputs.devbump }}"
+          bumpbranch="bump-main-${DEVBUMP}"
           body=$(printf '```release-note\nNone\n```\n')
           gh pr create \
-            --title "Bump main to v${{ steps.bump.outputs.devbump }}" \
+            --title "Bump main to v${DEVBUMP}" \
             --body  "$body" \
             --head "podmanbot:$bumpbranch" \
             --base "main" \
-            --repo ${{ github.repository }}
-        env:
-          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
+            --repo "${GITHUB_REPOSITORY}"