From 9bc1ec2b1b34326b849974306fe171d469c618fc Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 14:45:44 +0200 Subject: [PATCH 01/11] consolidate codespell CI jobs Merge the per repo codespell configs into one file and then just have the one github action job which runs codespell. Signed-off-by: Paul Holzinger --- .cirrus.yml | 13 ------------ common/.codespelldict => .codespelldict | 0 common/.codespellrc => .codespellrc | 4 ++-- .github/workflows/common-validate.yml | 6 ++---- .github/workflows/image-codespell.yml | 28 ------------------------- image/.codespellrc | 6 ------ storage/.codespellrc | 3 --- 7 files changed, 4 insertions(+), 56 deletions(-) rename common/.codespelldict => .codespelldict (100%) rename common/.codespellrc => .codespellrc (73%) delete mode 100644 .github/workflows/image-codespell.yml delete mode 100644 image/.codespellrc delete mode 100644 storage/.codespellrc diff --git a/.cirrus.yml b/.cirrus.yml index 7ecd399c62..d0b91b09ee 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -345,18 +345,6 @@ storage_gofix_task: # gofix anyway. git diff --diff-filter=M --exit-code -- . ":(exclude)*.crt" ":(exclude)*.key" ":(exclude)*.cert" -storage_codespell_task: - only_if: *only_if_storage - alias: storage_codespell - name: "Storage: codespell" - container: - image: python - build_script: pip install codespell - test_script: | - cd storage - codespell - - # Status aggregator for all tests. This task simply ensures a defined # set of tasks all passed, and allows confirming that based on the status # of this task. @@ -372,7 +360,6 @@ success_task: - images_timestamp_update - storage_cross - storage_gofix - - storage_codespell - common_testing - image_validate - image_cross diff --git a/common/.codespelldict b/.codespelldict similarity index 100% rename from common/.codespelldict rename to .codespelldict 
diff --git a/common/.codespellrc b/.codespellrc similarity index 73% rename from common/.codespellrc rename to .codespellrc index 93027e3dd6..452af6e235 100644 --- a/common/.codespellrc +++ b/.codespellrc @@ -2,10 +2,10 @@ [codespell] # Comma-separated list of files to skip. -skip = ./vendor,./.git #,bin,vendor,.git,go.sum,changelog.txt,.cirrus.yml,"RELEASE_NOTES.md,*.xz,*.gz,*.tar,*.tgz,bin2img,*ico,*.png,*.1,*.5,copyimg,*.orig,apidoc.go" +skip = ./.git,./image/signature/fixtures,./image/signature/simplesigning/testdata,./storage/tests/tools/vendor,./storage/AUTHORS # Comma separated list of words to be ignored. Words must be lowercased. -ignore-words-list = clos,creat,ro,hastable,shouldnot,mountns,passt +ignore-words-list = clos,creat,ro,hastable,shouldnot,mountns,passt,te,bu,afile,flate,prevend,Plack,worl # Custom dictionary file that contains spelling corrections. # Run with option '--dictionary=-' to include also default dictionary. diff --git a/.github/workflows/common-validate.yml b/.github/workflows/common-validate.yml index 425362986a..e6b80cb987 100644 --- a/.github/workflows/common-validate.yml +++ b/.github/workflows/common-validate.yml @@ -14,11 +14,8 @@ env: LINT_VERSION: v2.1.6 jobs: - common-codespell: + codespell: runs-on: ubuntu-24.04 - defaults: - run: - working-directory: ./common steps: - uses: actions/checkout@v4 - name: install deps @@ -26,6 +23,7 @@ jobs: run: pip install --break-system-packages codespell==v2.3.0 - name: run codespell run: codespell --dictionary=- + common-lint: runs-on: ubuntu-24.04 defaults: diff --git a/.github/workflows/image-codespell.yml b/.github/workflows/image-codespell.yml deleted file mode 100644 index b81bf76fef..0000000000 --- a/.github/workflows/image-codespell.yml +++ /dev/null 
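Review bot: The consolidated `codespell` job now lives only in `common-validate.yml`, and nothing in these hunks shows that workflow declaring a `permissions:` block, whereas the `image-codespell.yml` deleted by this same commit set `permissions:` to `contents: read`. If the file has no top-level block, the job runs with the repository's default GITHUB_TOKEN scope, so adding `permissions:` with `contents: read` at workflow level would keep the least-privilege setting the removed workflow had. The top of the workflow file is outside the hunk, so this may already be in place. Separately, the `install deps` step pins `codespell==v2.3.0` by version but not by artifact hash; a hash-checked requirements file installed with `--require-hashes` would close that gap.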
@@ -1,28 +0,0 @@ ---- -name: Image - Codespell - -on: - push: - branches: [main] - pull_request: - branches: [main] - -permissions: - contents: read - -jobs: - image-codespell: - name: Check for spelling errors - runs-on: ubuntu-latest - defaults: - run: - working-directory: ./image - - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: install deps - # Version of codespell bundled with Ubuntu is way old, so use pip. - run: pip install --break-system-packages codespell==v2.3.0 - - name: run codespell - run: codespell --dictionary=- diff --git a/image/.codespellrc b/image/.codespellrc deleted file mode 100644 index df04cb4d68..0000000000 --- a/image/.codespellrc +++ /dev/null @@ -1,6 +0,0 @@ -# See https://github.com/codespell-project/codespell#using-a-config-file -[codespell] -skip = ./vendor,./.git,./go.sum,./signature/fixtures,./signature/simplesigning/testdata - -# NOTE words added to the list below need to be lowercased. -ignore-words-list = te,bu diff --git a/storage/.codespellrc b/storage/.codespellrc deleted file mode 100644 index 2af969196e..0000000000 --- a/storage/.codespellrc +++ /dev/null @@ -1,3 +0,0 @@ -[codespell] -skip = ./.git,./vendor,./tests/tools/vendor,AUTHORS -ignore-words-list = afile,flate,prevend,Plack,worl From 92829024f2ca0957c0fe250d28a4cffbd1352c83 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 14:48:40 +0200 Subject: [PATCH 02/11] update codespell to 2.4.1 Update to latest version. Signed-off-by: Paul Holzinger --- .github/workflows/common-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/common-validate.yml b/.github/workflows/common-validate.yml index e6b80cb987..02725d9f92 100644 --- a/.github/workflows/common-validate.yml +++ b/.github/workflows/common-validate.yml 
@@ -20,7 +20,7 @@ jobs: - uses: actions/checkout@v4 - name: install deps # Version of codespell bundled with Ubuntu is way old, so use pip. - run: pip install --break-system-packages codespell==v2.3.0 + run: pip install --break-system-packages codespell==v2.4.1 - name: run codespell run: codespell --dictionary=- From ed3787db570304f22f4ed55e5da8cd0dc30cced5 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 15:47:42 +0200 Subject: [PATCH 03/11] add git-validation gh action task It seems easier to run git-validation as part of github actions as we can get the proper PR commit count there. Signed-off-by: Paul Holzinger --- .github/workflows/common-validate.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/common-validate.yml b/.github/workflows/common-validate.yml index 02725d9f92..c9d5d1f33f 100644 --- a/.github/workflows/common-validate.yml +++ b/.github/workflows/common-validate.yml @@ -57,3 +57,22 @@ jobs: - name: validate seccomp run: ./tools/validate_seccomp.sh ./pkg/seccomp + + git-validate: + # only run this on PRs + if: github.event_name == 'pull_request' + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + with: + # By default github actions creates a merge commit which fails the validation, + # we only must validate the actual commits of the author. + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: ${{ github.event.pull_request.commits }} + - uses: actions/setup-go@v5 + with: + go-version: 1.25.x + - name: install deps + run: go install github.com/vbatts/git-validation@v1.2.2 + - name: run git-validation + run: git-validation -q -run DCO,short-subject,dangling-whitespace -range "HEAD~${{ github.event.pull_request.commits }}..HEAD" From d67167bf6e5a2c325251e0297ad2863c64a41115 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 15:51:45 +0200 Subject: [PATCH 04/11] lint all modules with github action 
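Review bot: The `run:` line of the new `git-validate` job splices `${{ github.event.pull_request.commits }}` directly into the shell script. The value is a count supplied by GitHub, so the exposure is low, but passing it through the environment keeps event data out of script text and stays safe if the step is later copied for a string field: add `env:` with `PR_COMMITS: ${{ github.event.pull_request.commits }}` to the step and use `-range "HEAD~${PR_COMMITS}..HEAD"`. Because this job checks out the contributor's head commit, `persist-credentials: false` under the checkout `with:` would also keep the token out of `.git/config` for the later steps. It is also worth confirming that `HEAD~N` resolves when `fetch-depth` equals the commit count, since a clone of depth N may not contain the parent of the oldest PR commit.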
Signed-off-by: Paul Holzinger --- .github/workflows/common-validate.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/common-validate.yml b/.github/workflows/common-validate.yml index c9d5d1f33f..4e422dced7 100644 --- a/.github/workflows/common-validate.yml +++ b/.github/workflows/common-validate.yml @@ -24,7 +24,7 @@ jobs: - name: run codespell run: codespell --dictionary=- - common-lint: + lint: runs-on: ubuntu-24.04 defaults: run: @@ -39,21 +39,33 @@ jobs: - name: install deps run: | sudo apt-get -qq update - sudo apt-get -qq install libseccomp-dev - - name: lint + sudo apt-get -qq install libseccomp-dev libgpgme-dev libbtrfs-dev libsubid-dev + - name: lint-common uses: golangci/golangci-lint-action@v8 with: version: "${{ env.LINT_VERSION }}" args: --verbose working-directory: ./common # Extra linters, only checking new code from a pull request. - - name: lint-extra + - name: lint-common-extra uses: golangci/golangci-lint-action@v8 with: args: --config=.golangci-extra.yml version: "${{ env.LINT_VERSION }}" only-new-issues: true working-directory: ./common + - name: lint-image + uses: golangci/golangci-lint-action@v8 + with: + version: "${{ env.LINT_VERSION }}" + args: --verbose + working-directory: ./image + - name: lint-storage + uses: golangci/golangci-lint-action@v8 + with: + version: "${{ env.LINT_VERSION }}" + args: --verbose + working-directory: ./storage - name: validate seccomp run: ./tools/validate_seccomp.sh ./pkg/seccomp From 1d2ee4e13e890518cbf1a260a715c3b2c58e512d Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 15:53:36 +0200 Subject: [PATCH 05/11] rename common-validate.yml -> validate.yml It validates all modules now. Signed-off-by: Paul Holzinger --- .github/workflows/{common-validate.yml => validate.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{common-validate.yml => validate.yml} (100%) 
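Review bot: The added `lint-image` and `lint-storage` steps reference `golangci/golangci-lint-action@v8` by a mutable tag, like the existing lint steps, so whatever that tag points to at run time is what executes in this job. Pinning third-party actions to a full commit SHA with the tag kept as a comment, e.g. `uses: golangci/golangci-lint-action@<full-commit-sha> # v8`, makes the executed code reviewable and lets update tooling bump it explicitly. The `lint` job begins above this hunk, so its checkout and `defaults` settings are not visible here.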
diff --git a/.github/workflows/common-validate.yml b/.github/workflows/validate.yml similarity index 100% rename from .github/workflows/common-validate.yml rename to .github/workflows/validate.yml From f87c5768a4fd6047a4853d0c9a9ad2bdc2b0ddf5 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 17:25:05 +0200 Subject: [PATCH 06/11] cirrus: drop image and storage validate tasks We do the validation in github action now which should be faster and more consitent with each module. Signed-off-by: Paul Holzinger --- .cirrus.yml | 56 +++-------------------------------------------------- 1 file changed, 3 insertions(+), 53 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index d0b91b09ee..fdb2253b8e 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -71,8 +71,6 @@ gce_instance: storage_linux_testing: &linux_testing - depends_on: - - storage_lint gce_instance: # Only need to specify differences from defaults (above) image_name: "${VM_IMAGE}" @@ -136,30 +134,6 @@ storage_debian_testing_task: &storage_debian_testing - env: TEST_DRIVER: "btrfs" - -storage_lint_task: - alias: storage_lint - name: "Storage: Lint" - only_if: *only_if_storage - - env: - CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage" - container: - image: golang - modules_cache: - fingerprint_script: cat storage/go.sum - folder: $GOPATH/pkg/mod - build_script: | - apt-get update - apt-get install -y libbtrfs-dev libsubid-dev - test_script: | - cd storage - [ -n "${CIRRUS_BASE_SHA}" ] && git fetch origin ${CIRRUS_BASE_SHA} # Make ${CIRRUS_BASE_SHA} resolvable for git-validation - make TAGS=regex_precompile local-validate - make lint - make clean - - # Update metadata on VM images referenced by this repository state images_timestamp_update_task: alias: images_timestamp_update 
@@ -186,10 +160,9 @@ images_timestamp_update_task: script: '/usr/local/bin/entrypoint.sh |& ${_TIMESTAMP}' - -image_validate_task: - alias: image_validate - name: "Image: Validate" +image_cross_task: + alias: image_cross + name: "Image: Cross" only_if: &only_if_image >- $CIRRUS_PR == '' || changesInclude('.cirrus.yml', 'go.work', 'go.work.sum') || @@ -205,23 +178,6 @@ image_validate_task: # Eventually, hard-code FEDORA_CACHE_IMAGE_NAME here again and remove the # VM_IMAGE_NAME parameter. image_name: ${VM_IMAGE_NAME} - env: - HOME: "/root" # default unset, needed by golangci-lint. - VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} - script: | - cd image - git remote update - make tools - # TODO: Enable once we are done with monorepo tests. - # ${GOBIN}/git-validation -q -run DCO,short-subject,dangling-whitespace -range $(git merge-base origin/${DEST_BRANCH} HEAD)..${CIRRUS_CHANGE_IN_REPO} - make validate - - -image_cross_task: - alias: image_cross - name: "Image: Cross" - only_if: *only_if_image - gce_instance: *fedora_vm env: HOME: "/root" # default unset, needed by golangci-lint. VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} @@ -232,8 +188,6 @@ image_cross_task: image_test_task: alias: image_test - depends_on: - - image_validate only_if: *only_if_image gce_instance: *fedora_vm env: @@ -269,8 +223,6 @@ image_test_task: image_test_skopeo_task: alias: image_test_skopeo only_if: *only_if_image - depends_on: - - image_validate gce_instance: *fedora_vm env: HOME: "/root" # default unset, needed by golangci-lint. @@ -354,14 +306,12 @@ success_task: # Ref: https://github.com/openshift/release/pull/49820 name: "Total Success" depends_on: - - storage_lint - storage_fedora_testing - storage_debian_testing - images_timestamp_update - storage_cross - storage_gofix - common_testing - - image_validate - image_cross - image_test - image_test_skopeo From 55223dba51bbc798309541c9b4f82d30f6ae3912 Mon Sep 17 00:00:00 2001 
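Review bot: After this change the Cirrus `success_task` no longer depends on `storage_lint` or `image_validate` (final hunk of this file), so the "Total Success" status stops reflecting lint and validation results. If merge gating is keyed on that single status, the GitHub Actions jobs `lint`, `codespell` and `git-validate` need to be required checks as well, otherwise a PR that fails them could still appear mergeable. The branch-protection settings are not visible here, so this is something to confirm rather than a known gap. In the earlier hunks, `image_cross_task` inherits the context comment `# default unset, needed by golangci-lint.` on `HOME`, which no longer appears to match a task that only cross-builds; consider updating or dropping it.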
From: Paul Holzinger Date: Tue, 26 Aug 2025 17:29:10 +0200 Subject: [PATCH 07/11] add debug info for rekor setup in CI Looks like we have a (new?) flake in CI where the db is not ready. In such case dump the container logs and show podman ps output so we see what is going on when it happens again. Signed-off-by: Paul Holzinger --- image/signature/sigstore/rekor/testdata/start-rekor.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/image/signature/sigstore/rekor/testdata/start-rekor.sh b/image/signature/sigstore/rekor/testdata/start-rekor.sh index 4c00cd975d..4f433441da 100755 --- a/image/signature/sigstore/rekor/testdata/start-rekor.sh +++ b/image/signature/sigstore/rekor/testdata/start-rekor.sh @@ -46,7 +46,9 @@ while [[ $retries -le $max_retries ]]; do retries=$((retries + 1)) if [[ $retries -ge $max_retries ]]; then - echo "Failed to wait for the database to become ready" + echo "Failed to wait for the database to become ready, logs:" + echo "$out" + podman ps podman pod rm -f -t0 $POD_NAME exit 1 fi From 2c0b6a4477ed9c435a37422b52667dc1dc4c5ffd Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 17:56:21 +0200 Subject: [PATCH 08/11] gh action: fix go caching By default the action tries to cache the modules which is good but it doesn't handle "monorepos" by default, we need to provide the paths to the go.sum files. see https://github.com/actions/setup-go?tab=readme-ov-file#caching-dependency-files-and-build-outputs Signed-off-by: Paul Holzinger --- .github/workflows/validate.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 4e422dced7..acfb602748 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
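Review bot: The added `podman ps` in the failure branch lists only running containers, so if the database container has exited (one plausible reason for the readiness wait to time out) it will not appear in the output. `podman ps -a --pod` would show exited containers and their pod as well. The dump of `$out` goes to stdout; sending the diagnostics to stderr with `echo "$out" >&2` keeps them apart from any output a caller captures. Since these are full container logs ending up in CI output, the test database should only ever use throwaway credentials. The retry loop starts above the hunk.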
@@ -36,6 +36,10 @@ jobs: - uses: actions/setup-go@v5 with: go-version: 1.25.x + # By default the go cache will only use go.sum in the root which we don't have, + # make it use for all checksum files. + # https://github.com/actions/setup-go?tab=readme-ov-file#caching-dependency-files-and-build-outputs + cache-dependency-path: "**/go.sum" - name: install deps run: | sudo apt-get -qq update @@ -84,6 +88,8 @@ jobs: - uses: actions/setup-go@v5 with: go-version: 1.25.x + # See comment on lint task + cache-dependency-path: "**/go.sum" - name: install deps run: go install github.com/vbatts/git-validation@v1.2.2 - name: run git-validation From 257313a8cc0ed8b8c45ee4a0cde1d6c951d68f55 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 18:31:42 +0200 Subject: [PATCH 09/11] cirrus: don't test storage cross build several times We don't have to run the cross builds as part of each storage driver test, in fact the main cirrus.yml already has a separate cross build task which already covers this so we can simplify and thus speed up the storage test task. Signed-off-by: Paul Holzinger --- storage/contrib/cirrus/build_and_test.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/storage/contrib/cirrus/build_and_test.sh b/storage/contrib/cirrus/build_and_test.sh index ad00c9b7c8..bfee27775d 100755 --- a/storage/contrib/cirrus/build_and_test.sh +++ b/storage/contrib/cirrus/build_and_test.sh @@ -9,7 +9,6 @@ pwd ls -l make install.tools showrun make local-binary -showrun make local-cross case $TEST_DRIVER in overlay) From 35a0a3941e32d624e13ba388cc6b55ca9912743d Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 19:16:45 +0200 Subject: [PATCH 10/11] fix start-rekor.sh flake in CI As it seems the DB is still starting up after 20s so give it more time, increase timeout to 40s. Signed-off-by: Paul Holzinger --- image/signature/sigstore/rekor/testdata/start-rekor.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
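Review bot: In the second hunk the `git-validate` job gets the same `cache-dependency-path: "**/go.sum"` as `lint`, although the only Go build in that job is `go install github.com/vbatts/git-validation@v1.2.2`, which does not use the repository's modules. With an identical Go version and identical dependency files the two jobs appear to derive the same cache key, so a cache saved by the short `git-validate` job could be the one `lint` later restores. Setting `cache: false` on that `setup-go` step avoids this, and also avoids saving a cache from a job that checks out the PR head commit.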
diff --git a/image/signature/sigstore/rekor/testdata/start-rekor.sh b/image/signature/sigstore/rekor/testdata/start-rekor.sh index 4f433441da..5daa1a8106 100755 --- a/image/signature/sigstore/rekor/testdata/start-rekor.sh +++ b/image/signature/sigstore/rekor/testdata/start-rekor.sh @@ -36,7 +36,7 @@ podman run -d --pod $POD_NAME --name rekor-db-$SUFFIX \ # The db takes a bit to start up, wait until it is ready otherwise the trillian # containers fail to start due the missing db connection. -max_retries=20 +max_retries=40 retries=0 while [[ $retries -le $max_retries ]]; do out=$(podman logs rekor-db-$SUFFIX 2>&1) From c6f27687b5245be1b5ac404b8733f42f7f7a82a6 Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Tue, 26 Aug 2025 19:22:14 +0200 Subject: [PATCH 11/11] cirrus: set task timeout to 20m No task should take longer than that, having a big timeout just means if a test/task hangs it waits for 2h for no reason. Signed-off-by: Paul Holzinger --- .cirrus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index fdb2253b8e..8d6f618064 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -58,7 +58,7 @@ env: gcp_credentials: ENCRYPTED[f448b0e5ed38a52ba93550305f9e38c9b0c03852b9fc3115930f231fc7124b7423e8c912b4d9e002cc34b3a7ac3c145b] # Default timeout for each task -timeout_in: 120m +timeout_in: 20m # Default VM to use unless set or modified by task gce_instance: