mirror of
https://github.com/containers/skopeo.git
synced 2025-09-17 23:39:13 +00:00
DO NOT MERGE: Also build+test with Sequoia
Relies on UNMERGED https://github.com/containers/automation_images/pull/411 . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
18
.cirrus.yml
18
.cirrus.yml
@@ -21,8 +21,14 @@ env:
|
||||
SCRIPT_BASE: "./contrib/cirrus"
|
||||
|
||||
# Google-cloud VM Images
|
||||
IMAGE_SUFFIX: "c20250721t181111z-f42f41d13"
|
||||
# If you are updating IMAGE_SUFFIX: We are currently using rawhide for
|
||||
# the containers_image_sequoia tests because the rust-podman-sequoia
|
||||
# package is not available in earlier releases; once we update to a future
|
||||
# Fedora release (or if the package is backported), switch back from Rawhide
|
||||
# to the latest Fedora release.
|
||||
IMAGE_SUFFIX: "c20250730t185529z-f42f41d13"
|
||||
FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
|
||||
RAWHIDE_CACHE_IMAGE_NAME: "rawhide-${IMAGE_SUFFIX}"
|
||||
|
||||
# Container FQIN's
|
||||
FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
|
||||
@@ -190,14 +196,21 @@ test_skopeo_task:
|
||||
# Required to be 200gig, do not modify - has i/o performance impact
|
||||
# according to gcloud CLI tool warning messages.
|
||||
disk: 200
|
||||
image_name: ${FEDORA_CACHE_IMAGE_NAME}
|
||||
image_name: ${VM_IMAGE_NAME}
|
||||
matrix:
|
||||
- name: "Skopeo Test" # N/B: Name ref. by hack/get_fqin.sh
|
||||
env:
|
||||
BUILDTAGS: ''
|
||||
VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
|
||||
- name: "Skopeo Test w/ opengpg"
|
||||
env:
|
||||
BUILDTAGS: *withopengpg
|
||||
VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
|
||||
- name: "Skopeo test w/ Sequoia (currently Rawhide)"
|
||||
env:
|
||||
BUILDTAGS: 'containers_image_sequoia'
|
||||
# If you are removing the use of rawhide, also remove the VM_IMAGE_NAME condition from runner.sh .
|
||||
VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
|
||||
setup_script: >-
|
||||
"${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
|
||||
vendor_script: >-
|
||||
@@ -226,6 +239,7 @@ meta_task:
|
||||
# Space-separated list of images used by this repository state
|
||||
IMGNAMES: |
|
||||
${FEDORA_CACHE_IMAGE_NAME}
|
||||
${RAWHIDE_CACHE_IMAGE_NAME}
|
||||
build-push-${IMAGE_SUFFIX}
|
||||
BUILDID: "${CIRRUS_BUILD_ID}"
|
||||
REPOREF: "${CIRRUS_REPO_NAME}"
|
||||
|
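Review bot: `image_name: ${VM_IMAGE_NAME}` in `test_skopeo_task` now resolves only when every matrix entry defines `VM_IMAGE_NAME`, and nothing next to the `image_name` line says so. A short comment there, e.g. `# VM_IMAGE_NAME is set per matrix entry below; every entry must define it`, would stop a later entry from being added without one; I cannot tell from this hunk whether such a job would fail outright or start on an unintended image. The new job name also spells "test" in lower case (`Skopeo test w/ Sequoia ...`) where its two siblings use `Skopeo Test`, and aligning it keeps name-based lookups predictable.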
6
Makefile
6
Makefile
@@ -24,6 +24,8 @@ GOBIN := $(shell $(GO) env GOBIN)
|
||||
GOOS ?= $(shell go env GOOS)
|
||||
GOARCH ?= $(shell go env GOARCH)
|
||||
|
||||
SEQUOIA_SONAME_DIR =
|
||||
|
||||
# N/B: This value is managed by Renovate, manual changes are
|
||||
# possible, as long as they don't disturb the formatting
|
||||
# (i.e. DO NOT ADD A 'v' prefix!)
|
||||
@@ -84,7 +86,7 @@ CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CO
|
||||
GIT_COMMIT := $(shell GIT_CEILING_DIRECTORIES=$$(cd ..; pwd) git rev-parse HEAD 2> /dev/null || true)
|
||||
|
||||
EXTRA_LDFLAGS ?=
|
||||
SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)'
|
||||
SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} -X github.com/containers/image/v5/signature/internal/sequoia.sequoiaLibraryDir=$(SEQUOIA_SONAME_DIR) $(EXTRA_LDFLAGS)'
|
||||
|
||||
MANPAGES_MD = $(wildcard docs/*.md)
|
||||
MANPAGES ?= $(MANPAGES_MD:%.md=%)
|
||||
@@ -251,7 +253,7 @@ validate-docs: bin/skopeo
|
||||
hack/xref-helpmsgs-manpages
|
||||
|
||||
test-unit-local:
|
||||
$(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
|
||||
$(GO) test $(SKOPEO_LDFLAGS) -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
|
||||
|
||||
vendor:
|
||||
$(GO) mod tidy
|
||||
|
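Review bot: `SEQUOIA_SONAME_DIR` is introduced in the first hunk without a comment, although the second hunk compiles it into every binary through `-X github.com/containers/image/v5/signature/internal/sequoia.sequoiaLibraryDir=$(SEQUOIA_SONAME_DIR)`. Judging by the name, it selects the directory from which the Sequoia shared library is loaded at run time, so packagers should be told to set it only to an absolute, system-owned path; a relative or user-writable directory would let a different file be loaded in place of the signature-verification library. I would add above the assignment something like `# Directory holding the Sequoia shared library, baked into the binary; leave empty unless packaging, and use only an absolute, root-owned path.` The value is also expanded unquoted inside the `-ldflags '...'` string, so a path containing whitespace would probably break the `-X` argument.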
@@ -71,8 +71,10 @@ _run_setup() {
|
||||
# automation, but the sources are in different directories. It's
|
||||
# possible for a mismatch to happen, but should (hopefully) be unlikely.
|
||||
# Double-check to make sure.
|
||||
# Temporarily, allow running on Rawhide VMs and consuming older binaries:
|
||||
# that should be compatible enough. Eventually, we’ll stop using Rawhide again.
|
||||
if ! grep -Fqx "ID=$OS_RELEASE_ID" $mnt/etc/os-release || \
|
||||
! grep -Fqx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; then
|
||||
{ ! [[ "$VM_IMAGE_NAME" =~ "rawhide" ]] && ! grep -Fqx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; } then
|
||||
die "Somehow $SKOPEO_CIDEV_CONTAINER_FQIN is not based on $OS_REL_VER."
|
||||
fi
|
||||
msg "Copying test binaries from $SKOPEO_CIDEV_CONTAINER_FQIN /usr/local/bin/"
|
||||
@@ -97,7 +99,7 @@ _run_vendor() {
|
||||
|
||||
_run_build() {
|
||||
make bin/skopeo BUILDTAGS="$BUILDTAGS"
|
||||
make install PREFIX=/usr/local
|
||||
make install PREFIX=/usr/local BUILDTAGS="$BUILDTAGS"
|
||||
}
|
||||
|
||||
_run_cross() {
|
||||
|
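Review bot: The Rawhide exemption in `_run_setup` is keyed on `[[ "$VM_IMAGE_NAME" =~ "rawhide" ]]`, a substring match, so any image name that merely contains `rawhide` skips the `VERSION_ID` comparison before test binaries are copied out of `$SKOPEO_CIDEV_CONTAINER_FQIN`. Matching the prefix that `.cirrus.yml` assigns (`rawhide-${IMAGE_SUFFIX}`) keeps the bypass as narrow as the comment intends: `{ [[ "$VM_IMAGE_NAME" != rawhide-* ]] && ! grep -Fqx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; } then`. When the exemption is taken, it would also help to emit a `msg` saying the version check was skipped, so a real mismatch is visible in the job log. `_run_setup` starts and ends outside the hunk.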
@@ -776,9 +776,9 @@ func (s *copySuite) TestCopySignatures() {
|
||||
// Verify that mis-signed images are rejected
|
||||
assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
|
||||
assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
|
||||
assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*",
|
||||
assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
|
||||
"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
|
||||
assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*",
|
||||
assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
|
||||
"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)
|
||||
|
||||
// Verify that signed identity is verified.
|
||||
@@ -791,7 +791,7 @@ func (s *copySuite) TestCopySignatures() {
|
||||
|
||||
// Verify that cosigning requirements are enforced
|
||||
assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
|
||||
assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*",
|
||||
assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
|
||||
"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
|
||||
|
||||
assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
|
||||
@@ -836,7 +836,7 @@ func (s *copySuite) TestCopyDirSignatures() {
|
||||
// Verify that correct images are accepted
|
||||
assertSkopeoSucceeds(t, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest")
|
||||
// ... and that mis-signed images are rejected.
|
||||
assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*",
|
||||
assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
|
||||
"--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest")
|
||||
|
||||
// Verify that the signed identity is verified.
|
||||
|
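Review bot: The new alternative in `(Invalid GPG signature|.* was not found)` is loose enough that the negative tests in `TestCopySignatures` and `TestCopyDirSignatures` would pass on any rejection whose text contains "was not found", not only on a signature made by the wrong key. Presumably that branch is the Sequoia backend's wording; if so, anchor it to the fixed part of that message instead of `.*`, and say which backend produces which text, e.g. `// existing backends: "Invalid GPG signature"; Sequoia: "<SEQUOIA_MESSAGE_PREFIX> was not found"` (placeholder, as the exact text is not on this page). The pattern is repeated four times across the three hunks, so one named constant would keep the copies from drifting. The systemtest table entry `/myns/bob:signedbyalice (Invalid GPG signature|.* not found)` in the last file section has the same looseness. Both Go test functions continue outside the hunks.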
@@ -154,7 +154,7 @@ END_PUSH
|
||||
fi
|
||||
done <<END_TESTS
|
||||
/myns/alice:signed
|
||||
/myns/bob:signedbyalice Invalid GPG signature
|
||||
/myns/bob:signedbyalice (Invalid GPG signature|.* not found)
|
||||
/myns/alice:unsigned Signature for identity \\\\\\\\"localhost:5000/myns/alice:signed\\\\\\\\" is not accepted
|
||||
/myns/carol:latest Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
|
||||
/open/forall:latest
|
||||
|