Merge pull request #3723 from apostasie/namespace-validate

Cleanup namespace validation
containerd · Dec 6, 2024 · d3fc11c · d3fc11c
2 parents 3206b49 + b8f4d9c
commit d3fc11c
Show file tree

Hide file tree

Showing 16 changed files with 293 additions and 777 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,4 +1,5 @@
-name: lint
+# "Hide" the name from the GitHub check status line, as it just clutters the display
+name: " "
 
 on:
   push:
@@ -7,72 +8,42 @@ on:
       - 'release/**'
   pull_request:
 
-env:
-  GO_VERSION: 1.23.x
-
 jobs:
-  go:
-    timeout-minutes: 5
-    name: "go | ${{ matrix.goos }} | ${{ matrix.canary }}"
-    runs-on: "${{ matrix.os }}"
-    defaults:
-      run:
-        shell: bash
+  # Source the common environment
+  environment:
+    name: " "
+    uses: ./.github/workflows/reusable_environment.yml
+
+  # Linting go
+  lint-go:
+    # Define the matrix we want to lint on: every supported OS, with the current go version, and additionally go canary on linux
     strategy:
       matrix:
+        # The GOOS-es we run golint for, with no canary (eg: the base supported GO_VERSION)
+        goos: [linux, freebsd, windows]
+        # And no canary
+        canary: [false]
         include:
-          - os: ubuntu-24.04
-            goos: linux
-          - os: ubuntu-24.04
-            goos: freebsd
-          # FIXME: this is currently failing in a non-sensical way, so, running on linux instead...
-          # - os: windows-2022
-          - os: ubuntu-24.04
-            goos: windows
-          - os: ubuntu-24.04
-            goos: linux
-            # This allows the canary script to select any upcoming golang alpha/beta/RC
-            canary: go-canary
-    env:
-      GOOS: "${{ matrix.goos }}"
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - name: Set GO env
-        run: |
-          # If canary is specified, get the latest available golang pre-release instead of the major version
-          if [ "$canary" != "" ]; then
-            . ./hack/build-integration-canary.sh
-            canary::golang::latest
-          fi
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          args: --verbose
-  other:
-    timeout-minutes: 5
-    name: yaml | shell | imports order
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: yaml
-        run: make lint-yaml
-      - name: shell
-        run: make lint-shell
-      - name: go imports ordering
-        run: |
-          go install -v github.com/incu6us/goimports-reviser/v3@latest
-          make lint-imports
+          # Only run canary on linux (note: the canary script will select any upcoming golang alpha/beta/RC when the `canary` param is set to a non-empty string)
+          - goos: linux
+            canary: true
+
+    # If we do not "collapse" the name using a bogux matrix var, it will display all matrix parameters, which we do not want
+    name: "lint${{ matrix.c }}"
+    uses: ./.github/workflows/reusable_lint_go.yml
+    needs: environment
+    with:
+      goos: ${{ matrix.goos }}
+      canary: ${{ matrix.canary }}
+      os: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+      goversion: ${{ needs.environment.outputs.GO_VERSION }}
+      timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
+
+  # Linting other filetypes
+  lint-other:
+    name: "lint"
+    uses: ./.github/workflows/reusable_lint_other.yml
+    needs: environment
+    with:
+      os: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+      timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml
@@ -1,4 +1,4 @@
-name: project
+name: " "
 
 on:
   push:
@@ -8,24 +8,40 @@ on:
   pull_request:
 
 jobs:
+  # Source the common environment
+  environment:
+    name: " "
+    uses: ./.github/workflows/reusable_environment.yml
+
   project:
-    name: checks
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
+    name: "project checks"
+    timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
+    runs-on: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+    needs: environment
+
     steps:
-      - uses: actions/checkout@v4.2.2
+      - name: "Checkout"
+        uses: actions/checkout@v4
         with:
           path: src/github.com/containerd/nerdctl
+          # Fetch the last 100 commits
           fetch-depth: 100
-      - uses: actions/setup-go@v5
+
+      - name: "Install go"
+        uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ needs.environment.outputs.GO_VERSION }}
           cache-dependency-path: src/github.com/containerd/nerdctl
-      - uses: containerd/project-checks@v1.1.0
+
+      - name: "Install and run default containerd project checks"
+        uses: containerd/project-checks@v1.1.0
         with:
           working-directory: src/github.com/containerd/nerdctl
-          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
-      - run: ./hack/verify-no-patent.sh
+
+      - name: "Verify no patent"
+        run: ./hack/verify-no-patent.sh
         working-directory: src/github.com/containerd/nerdctl
-      - run: ./hack/verify-pkg-isolation.sh
+
+      - name: "Verify package isolation"
+        run: ./hack/verify-pkg-isolation.sh
         working-directory: src/github.com/containerd/nerdctl
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,43 +1,61 @@
 # See https://github.com/containerd/nerdctl/blob/main/MAINTAINERS_GUIDE.md for how to make a release.
 name: Release
+
 on:
   push:
     tags:
     - 'v*'
     - 'test-action-release-*'
 jobs:
+  # Source the common environment
+  environment:
+    name: " "
+    uses: ./.github/workflows/reusable_environment.yml
+
   release:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 40
+    name: "checks"
+    timeout-minutes: ${{ fromJSON(needs.environment.outputs.LONG_TIMEOUT) }}
+    runs-on: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+    needs: environment
+
     steps:
-    - uses: actions/checkout@v4.2.2
-    - uses: actions/setup-go@v5
-      with:
-        go-version: 1.23.x
-    - name: "Compile binaries"
-      run: make artifacts
-    - name: "SHA256SUMS"
-      run: |
-        ( cd _output; sha256sum nerdctl-* ) | tee /tmp/SHA256SUMS
-        mv /tmp/SHA256SUMS _output/SHA256SUMS
-    - name: "The sha256sum of the SHA256SUMS file"
-      run: (cd _output; sha256sum SHA256SUMS)
-    - name: "Prepare the release note"
-      run: |
-        shasha=$(sha256sum _output/SHA256SUMS | awk '{print $1}')
-        cat <<-EOF | tee /tmp/release-note.txt
-        $(hack/generate-release-note.sh)
-        - - -
-        The binaries were built automatically on GitHub Actions.
-        The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-        The sha256sum of the SHA256SUMS file itself is \`${shasha}\` .
-        - - -
-        Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
-        EOF
-    - name: "Create release"
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        tag="${GITHUB_REF##*/}"
-        gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" _output/*
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Install go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ needs.environment.outputs.GO_VERSION }}
+          check-latest: true
+
+      - name: "Compile binaries"
+        run: make artifacts
+
+      - name: "SHA256SUMS"
+        run: |
+          ( cd _output; sha256sum nerdctl-* ) | tee /tmp/SHA256SUMS
+          mv /tmp/SHA256SUMS _output/SHA256SUMS
+
+      - name: "The sha256sum of the SHA256SUMS file"
+        run: (cd _output; sha256sum SHA256SUMS)
+
+      - name: "Prepare the release note"
+        run: |
+          shasha=$(sha256sum _output/SHA256SUMS | awk '{print $1}')
+          cat <<-EOF | tee /tmp/release-note.txt
+          $(hack/generate-release-note.sh)
+          - - -
+          The binaries were built automatically on GitHub Actions.
+          The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+          The sha256sum of the SHA256SUMS file itself is \`${shasha}\` .
+          - - -
+          Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
+          EOF
+
+      - name: "Create release"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          tag="${GITHUB_REF##*/}"
+          gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" _output/*
diff --git a/.github/workflows/reusable_environment.yml b/.github/workflows/reusable_environment.yml
@@ -0,0 +1,52 @@
+name: common_environment
+
+env:
+  GO_VERSION: 1.23.x
+  HOST_UBUNTU_LTS: ubuntu-24.04
+  SHORT_TIMEOUT: 5
+  LONG_TIMEOUT: 20
+#  REGISTRY_SERVER: ghcr.io
+#  BUSYBOX_VERSION: 5ad83957fa74aafd061afbfb8da14ce3220659a9
+#  REGISTRY_VERSION: v2.8.3
+#  CURL_VERSION: 8.11.0_4
+
+on:
+  workflow_call:
+    outputs:
+      GO_VERSION:
+        description: "The major golang version we are targeting"
+        value: ${{ jobs.environment.outputs.output_go }}
+      HOST_UBUNTU_LTS:
+        description: "The major LTS ubuntu host runner we run our tasks on"
+        value: ${{ jobs.environment.outputs.output_ubuntu_lts }}
+      SHORT_TIMEOUT:
+        description: "The timeout for tasks that are supposed to run fast (lint, etc)"
+        value: ${{ jobs.environment.outputs.output_short_timeout }}
+      LONG_TIMEOUT:
+        description: "The timeout for tasks that are going to run up to 20 minutes (building, integration, etc)"
+        value: ${{ jobs.environment.outputs.output_long_timeout }}
+#      REGISTRY_SERVER:
+#        description: "The second output string"
+#        value: ${{ jobs.environment.outputs.output_registry }}
+
+jobs:
+  environment:
+    name: "environ"
+    runs-on: ubuntu-24.04
+    steps:
+      - id: go
+        run: echo "GO_VERSION=$GO_VERSION" >> $GITHUB_OUTPUT
+      - id: ubuntu_lts
+        run: echo "HOST_UBUNTU_LTS=$HOST_UBUNTU_LTS" >> $GITHUB_OUTPUT
+      - id: short_timeout
+        run: echo "SHORT_TIMEOUT=$SHORT_TIMEOUT" >> $GITHUB_OUTPUT
+      - id: long_timeout
+        run: echo "LONG_TIMEOUT=$LONG_TIMEOUT" >> $GITHUB_OUTPUT
+#      - id: registry_server
+#        run: echo "REGISTRY_SERVER=$REGISTRY_SERVER" >> $GITHUB_OUTPUT
+    outputs:
+      output_go: ${{ steps.go.outputs.GO_VERSION }}
+      output_ubuntu_lts: ${{ steps.ubuntu_lts.outputs.HOST_UBUNTU_LTS }}
+      output_short_timeout: ${{ steps.short_timeout.outputs.SHORT_TIMEOUT }}
+      output_long_timeout: ${{ steps.long_timeout.outputs.LONG_TIMEOUT }}
+#      output_registry: ${{ steps.registry.outputs.REGISTRY_SERVER }}
diff --git a/.github/workflows/reusable_lint_go.yml b/.github/workflows/reusable_lint_go.yml
@@ -0,0 +1,69 @@
+# This defines a reusable golint job that will run `make lint-go` and `make lint-imports`
+# See `inputs` for expected parameters
+name: tasks_lint_go
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+        description: "the host runner we are going to use"
+      goos:
+        required: true
+        type: string
+        description: "the GOOS we want to lint for (linux/windows/freebsd)"
+      goversion:
+        required: true
+        type: string
+        description: "the golang version we want to use"
+      canary:
+        required: false
+        type: boolean
+        default: false
+        description: "whether we want to try and find an alpha/beta/RC version of golang instead of the default version"
+      timeout-minutes:
+        required: false
+        type: number
+        default: 100
+        description: "the timeout in minutes for this task"
+
+jobs:
+  go:
+    name: "${{ inputs.goos }} ${{ inputs.canary && 'canary' || inputs.goversion }}"
+    timeout-minutes: ${{ inputs.timeout-minutes }}
+    runs-on: ${{ inputs.os }}
+
+    env:
+      GOOS: "${{ inputs.goos }}"
+      GO_VERSION: "${{ inputs.goversion }}"
+
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Set go version"
+        run: |
+          # If canary is specified, get the latest available golang pre-release instead of the major version
+          if [ "${{ inputs.canary }}" == true ]; then
+            . ./hack/build-integration-canary.sh
+            canary::golang::latest
+          fi
+
+      - name: "Install go"
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: "Run golangci-lint"
+        uses: golangci/golangci-lint-action@v6
+        with:
+          args: --verbose
+
+      # Go imports ordering applies to all platforms, so, only run it once, for linux / no canary
+      - name: "Verify imports ordering"
+        if: ${{ inputs.goos == 'linux' && ! inputs.canary }}
+        run: |
+          go install github.com/incu6us/goimports-reviser/v3@latest
+          make lint-imports