Building all PRs of all container projects into the same COPR does not
properly isolate PRs from each other.
To avoid that, change the copr_build configuration to use the packit
default COPRs, which are specific to the particular PR, and disappear
after a few weeks. Depending projects should only run against what
landed in skopeo/main i.e. the podman-next COPR.
Signed-off-by: Martin Pitt <mpitt@redhat.com>
> go get github.com/containers/image/v5@main
> make vendor
This moves c/image to a commit that includes both the work on main
that we were already vendoring, and the last tagged version 5.27.0.
That should prevent Renovate from proposing downgrades which fail tests:
- https://github.com/containers/skopeo/pull/2065
- https://github.com/containers/skopeo/pull/2066
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We already require it, because docker/credential-helpers uses Go 1.19
os/exec.Cmd.Environ(). So make that official.
> go mod tidy -go=1.19
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> go mod tidy && go mod vendor
This updates c/image with a new version of x/exp.
That package has changed API in an incompatible way,
so just bumping x/exp (as in https://github.com/containers/skopeo/pull/2060 )
would break Skopeo builds.
This updates both c/image and x/exp in lockstep (and nothing
needs updating in Skopeo itself for the x/exp breakage).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This automatically the global --policy-path and --insecure-policy options,
which don't affect h.sysctx.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The pre-sync action constantly breaks and is currently not possible to
reliably test until the subsequent upstream release due to limitations
in packit.
The lines being added by the action script to the downstream Fedora spec
were only meant to keep Fedora happy. But given that they provide
no tangible benefit as github notifies us of security
issues in libraries mentioned in go.mod and go.sum, along with redhat
prodsec's own magic for creating security alerts, there's absolutely
no point to having the pre-sync action run and add a layer of uncertainty.
This commit removes the pre-sync action and
`rpm/update-spec-provides.sh`.
Ref: https://github.com/containers/podman/issues/19232
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
In PR review for a different issue, the question of what happens
if we hit overflow for the imageid serial was hit. This feels
pretty unlikely; if I did the math right, it'd require opening
an average of 136 images per second to overflow it in a year.
Nevertheless, in practice what we're sending on the wire is just a JSON
number, and if we extend this to the "max safe JSON number" of 2^53,
it'd take 285,616,414 images per second to overflow in a year, going
from implausible to probably impossible.
With a bit more work of course, we could make this a sparse mapping
and reuse freed numbers, but eh.
Signed-off-by: Colin Walters <walters@verbum.org>
The default Packit sandbox environment that runs Packit tasks for
downstream Fedora does not have golist installed by default and can't
run superuser tasks.
This commit will download and extract the golist binary from the Fedora
rpm and use it to provide golist.
The GOPATH mention in `rpm/update-spec-provides.sh` is only required for
golist to generate the gopaths and doesn't affect upstream or the rpm spec.
Currently, the only way to reliably test this is on an open github issue by running
`/packit propose-downstream`. This can't be run on an open PR.
The job-specific packit actions can only be tested via the packit
service and not via packit cli.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
