This reverts commit 7676cde0c5.
It turns out that when triggerred from a PR, the docker login command is
failing with
```
Error: Cannot perform an interactive login from a non TTY device
```
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.
GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files. To avoid hardcoding it, I worked around the problem
using a composite action that first generates the cargo-deny action by
finding all Cargo.toml files before calling this new generated action in
the master workflow.
Uses recommended deny.toml from cargo-deny repo with the following
modifications:
ignore = ["RUSTSEC-2020-0071"]
because chrono is dependent on the version of time with the
vulnerability and there is no simple workaround
multiple-versions = "allow"
Because of the above error and other packages, there are instances
where some crates require different versions of a crate.
unknown-git = "allow"
I don't see a particular issue with allowing crates from other repos.
An alternative would be the manually set each repo we want in an
allow-git list, but I see this as more of a nuisance that its worth.
We could leave this as a warning (default), but to avoid clutter I'm
going to allow it.
If deny.toml needs to be edited in the future, here's the guide:
https://embarkstudios.github.io/cargo-deny/index.htmlFixes#3359
Signed-off-by: Derek Lee <derlee@redhat.com>
An implementation of semi-automating the backporting
process.
This implementation has two steps:
1. Checking whether any associated issues are marked as bugs
If they do, mark with `auto-backport` label
2. On a successful merge, if there is a `auto-backport` label and there
are any tags of `backport-to-BRANCHNAME`, it calls an action that
cherry-picks the commits in the PR and automatically creates a PR to
those branches.
This action uses https://github.com/sqren/backport-github-actionFixes#3618
Signed-off-by: Derek Lee <derlee@redhat.com>
To keep runtime-rs up to date, we will merge main into runtime-rs every
week.
Fixes:#4776
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
repository_owner check in docs-url-alive-check.yaml now is specified for each step, it can be in job level to save lines.
Fixes: #4611
Signed-off-by: Yuan-Zhuo <yuanzhuo0118@outlook.com>
Recently added check-commit-message to the tests repository. Minor
changes were also made to action. For consistency's sake, copied changes
over to here as well.
tests - https://github.com/kata-containers/tests/pull/4878
Minor Changes:
1. Body length check is now 75 and consistent with guidelines
2. Lines without spaces are not counted in body length check
Fixes#4559
Signed-off-by: Derek Lee <derlee@redhat.com>
`snap`/`snapcraft` seems to have changed recently. Since `snap`
auto-updates all `snap` packages and since we use the `snapcraft` `snap`
for building snaps, this is impacting all our CI jobs which now show:
```
Installing Snapcraft for Linux…
snapcraft 7.0.4 from Canonical* installed
Run snapcraft -d snap --destructive-mode
Usage: snapcraft [options] command [args]...
Try 'snapcraft pack -h' for help.
Error: unrecognized arguments: -d
Error: Process completed with exit code 1.
```
Move the debug option to make it a sub-command (long) option to resolve
this issue.
Fixes: #4457.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Some generated merge commit messages are >75 chars
Allow these to not trigger the subject line length failure
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
this will require to set a PR number when triggering the test-kata-deploy workflow manually
also make sure user variables are set correctly when workflow_dispatch is used
Fixes: #4349
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
As already done for the other assets we rely on, let's build (well, pull
in this very specific case) the virtiofsd binary, as we're relying on
its standlone rust version from now on.
Fixes: #4234
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This workflow is a scheduled job that runs at 23:00
every Sunday, it should only run the main repo
but not the forked ones.
Fixes: #4219
Signed-off-by: Bin Liu <bin@hyper.sh>
Instead of only vendoring the code needed by the agent, let's ensure we
vendor all the needed rust code, and let's do it using the newly
introduced enerate_vendor.sh script.
Fixes: #3973
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
'make kata-tarball' sometimes fails early with:
cp: cannot create regular file '[...]/tools/packaging/kata-deploy/local-build/dockerbuild/install_yq.sh': File exists
This happens because all assets are built in parallel using the same
`kata-deploy-binaries-in-docker.sh` script, and thus all try to copy
the `install_yq.sh` script to the same location with the `cp` command.
This is a well known race condition that cannot be avoided without
serialization of `cp` invocations.
Move the copying of `install_yq.sh` to a separate script and ensure
it is called *before* parallel builds. Make the presence of the copy
a prerequisite for each sub-build so that they still can be triggered
individually. Update the GH release workflow to also call this script
before calling `kata-deploy-binaries-in-docker.sh`.
Fixes#3756
Signed-off-by: Greg Kurz <groug@kaod.org>
This PR updates the link for the format patch documentation for the
commit message check.
Fixes#3900
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Change the secret used by the GitHub Action that adds the PR size
label to one with the correct set of privileges.
Fixes: #3856.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
There are a few outstanding changes required to build the runtime on
Darwin.
Let's add a GitHub action to exercise build and unit tests of the
packages which we do expect to work. Eventually this should be dropped
and we can run any Darwin specific tests, or just add MacOS to the
matrix for our static check OSes.
Fixes: #3778
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Let's stop building the experimental kernel as, currently, we have
all the needed contents as part of the vanilla kernel.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit 7a879164bd, as it's
been proved that re-triggering the checks at every single change is more
painful than having to close / re-open a PR in case we ever use the
`force-skip-ci` label again.
Fixes: #2804
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Since we are using this to exercise any changes to osbuilder or
packaging scripts, let's make sure that we only run the test in that
case.
Similarly, don't run for every single push. Just run this workflow for
pull requests.
Fixes: #3594
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Since we are already checking that only an admin is triggering the job,
let's go ahead and make sure we are testing against the PR itself. This
will ensure that we are exercising changes to kata-deploy tooling, which
is important for this test.
While at it, cleanup and simplify some of the tarball creation.
Fixes: #3586
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
The commit message of a revert commit usually generated by
`git revert`, we should consider this as legal.
Consider the commit as the merge commit if the subject
starts with 'Reject "'
Follow the pr kata-containers/tests/#3938, the suttle diffrence
is we skip all commit checks for revert commit including fixes checking
and subsystem checking. Because the commit was reverted must have passed
the check so the revert-commit should have the Fixes and Subsystem.
Fixes: #3568Fixes: kata-containers/tests#3934
Signed-off-by: Tim Zhang <tim@hyper.sh>
Weekly check(at 23:00 every Sunday) whether the docs url is ALIVE, so that
we can find the failed url in time
Fixes#815
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
Although I've done tests on my own fork using `head_ref` and those
worked, it seems those only worked as the PR was coming from exactly the
same repository as the target one.
Let's switch to base_ref, instead, which we for sure have as part of our
repo.
The downside of this is that we run the test with the last merged PR,
rather than with the "to-be-approved" PR, but that's a limitation we've
always had.
Fixes: #3482
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is needed in order to ensure that, for instance, if `force-skip-ci`
label is either added or removed later, the jobs related to the actions
will be restarted and accordingly checked.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Before this change it was only applied to the static-checks, but if
we're already taking the extreme path of skipping the CI, we better
ensure we skip all the actions and not just a few of them.
Fixes: #3471
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The action used for testing kata-deploy is entirely based on the action
used to build the kata-deploy tarball, but while the latter is able to
use the correct branch, the former always uses `main`.
This happens as the `issue_comment`, from GitHub actions, passed the
"default branch" as the GITHUB_REF.
As we're not the first ones to face such a issue, I've decided to take
one of the approaches suggested at one of the checkout's issues,
https://github.com/actions/checkout/issues/331, and take advantage of a
new action provided by the community, which will get the PR where the
comment was made, give us that ref, and that then can be used with the
checkout action, resulting on what we originally wanted.
Fixes: #3443
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's take advantage of the "is-organization-member" action and only
allow members who are part of the `kata-containers` organization to
trigger `/test_kata_deploy`.
One caveat with this approach is that for the user to be considered as
part of an organization, they **must** have their "Organization
Visibility" configured as Public (and I think the default is Private).
This was found out and suggested by @jcvenegas!
Fixes: #3130
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Commit 3c9ae7f made /test_kata_deploy run
against HEAD, but it also mistakenly removed all the checks that ensure
/test_kata_deploy only runs when explicitly called.
Mea culpa on this, and let's add the tests back.
Fixes: #3101
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Is the past few releases we ended up hitting issues that could be easily
avoided if `/test_kata_deploy` would use HEAD instead of a specific
tarball.
By the end of the day, we want to ensure kata-deploy works, but before
we cut a release we also want to ensure that the binaries used in that
release are in a good shape. If we don't do that we end up either
having to roll a release back, or to cut a second release in a really
short time (and that's time consuming).
Note: there's code duplication here that could and should be avoided,b
but I sincerely would prefer treating it in a different PR.
Fixes: #3001
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The main.yaml workflow was created and used only on 1.x. We inherited
it, but we didn't remove it after deprecating the 1.x repos.
While here, let's also update the reference to the `main.yaml` file,
and point to `release.yaml` (the file that's actually used for 2.x).
Fixes: #3033
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>