diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index aaaf938ad..1158b0adc 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-b23aa64010d014befa5adc5bc54363b6fb60a3e4
+10decade10bbbb5d7dea158661b612eb743ebad7
diff --git a/.github/actions/bootc-ubuntu-setup/action.yml b/.github/actions/bootc-ubuntu-setup/action.yml
index 8e0178b71..5bfcbb2e4 100644
--- a/.github/actions/bootc-ubuntu-setup/action.yml
+++ b/.github/actions/bootc-ubuntu-setup/action.yml
@@ -61,33 +61,21 @@ runs:
 id: set_arch
 shell: bash
 run: echo "ARCH=$(arch)" >> $GITHUB_ENV
- # We often use Rust, so set up opinionated default caching
- - name: Setup Rust cache
- uses: Swatinem/rust-cache@v2
- with:
- cache-all-crates: true
- # Only generate caches on push to git main
- save-if: ${{ github.ref == 'refs/heads/main' }}
- # Suppress actually using the cache for builds running from
- # git main so that we avoid incremental compilation bugs
- lookup-only: ${{ github.ref == 'refs/heads/main' }}
 # Install libvirt stack if requested
 - name: Install libvirt and virtualization stack
 if: ${{ inputs.libvirt == 'true' }}
 shell: bash
- env:
- GH_TOKEN: ${{ github.token }}
 run: |
 set -xeuo pipefail
- export BCVK_VERSION=0.6.0
+ export BCVK_VERSION=0.8.0
 /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
 # Something in the stack is overriding this, but we want session right now for bcvk
 echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
 td=$(mktemp -d)
 cd $td
- # Install bcvk from PR 159
- gh run download 19640807620 --name bcvk-binary --repo bootc-dev/bcvk
+ # Install bcvk
 target=bcvk-$(arch)-unknown-linux-gnu
+ /bin/time -f '%E %C' curl -LO https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz
 tar xzf ${target}.tar.gz
 sudo install -T ${target} /usr/bin/bcvk
 cd -
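Review bot: The added `curl -LO` line fetches the bcvk tarball without `--fail`, so an HTTP error body from the releases URL is written to `${target}.tar.gz` and only surfaces later as a confusing tar error, and nothing checks the archive before `sudo install` places the binary in `/usr/bin`. Change the line to `/bin/time -f '%E %C' curl -fsSL --retry 3 -o ${target}.tar.gz https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz` and, if the release publishes a digest, verify it with `echo "<expected-sha256>  ${target}.tar.gz" | sha256sum -c -` kept next to `BCVK_VERSION` so a version bump and its digest move together. The `run: |` block is shown down to `cd -`; if it continues past the hunk (for example cleanup of `$td`), that part is outside this view.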
diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml
new file mode 100644
index 000000000..f2f5e0673
--- /dev/null
+++ b/.github/actions/setup-rust/action.yml
@@ -0,0 +1,20 @@
+name: 'Setup Rust'
+description: 'Install Rust toolchain with caching and nextest'
+runs:
+ using: 'composite'
+ steps:
+ - name: Install Rust toolchain
+ uses: dtolnay/rust-toolchain@stable
+ - name: Install nextest
+ uses: taiki-e/install-action@v2
+ with:
+ tool: nextest
+ - name: Setup Rust cache
+ uses: Swatinem/rust-cache@v2
+ with:
+ cache-all-crates: true
+ # Only generate caches on push to git main
+ save-if: ${{ github.ref == 'refs/heads/main' }}
+ # Suppress actually using the cache for builds running from
+ # git main so that we avoid incremental compilation bugs
+ lookup-only: ${{ github.ref == 'refs/heads/main' }}
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 000000000..2166beb15
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml
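Review bot: `dtolnay/rust-toolchain@stable` in the first step resolves to whichever stable release exists on the day the job runs, and the composite action exposes no input to override it, so CI results can change between runs with no diff in the repository. If that floating behaviour is intended, say so above the step, e.g. `# Tracks the current stable channel on purpose; to reproduce an older run, pin via dtolnay/rust-toolchain@<version>`; otherwise add a `toolchain` input defaulting to `stable`. Since the cache step was moved here out of bootc-ubuntu-setup, callers that relied on that action for Rust caching presumably need a `uses: ./.github/actions/setup-rust` step now; those callers are not in this diff.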
@@ -0,0 +1,50 @@
+# Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
+# Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater.
+name: OpenSSF Scorecard analysis
+on:
+ push:
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-24.04
+ permissions:
+ # Needed for Code scanning upload
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Scorecard team runs a weekly scan of public GitHub repos,
+ # see https://github.com/ossf/scorecard#public-data.
+ # Setting `publish_results: true` helps us scale by leveraging your workflow to
+ # extract the results instead of relying on our own infrastructure to run scans.
+ # And it's free for you!
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: results.sarif
+
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
new file mode 100644
index 000000000..ab42fbc1d
--- /dev/null
+++ b/.github/workflows/rebase.yml
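Review bot: The header comment deliberately leaves every `uses:` reference unpinned, but Scorecard's own Pinned-Dependencies check scores exactly that, so this workflow will report a low result for the repository's workflows by design; record that expectation in the header, e.g. `# Expect the Pinned-Dependencies check to score low: this repo pins actions by tag, not by digest.`, so nobody later treats the finding as a regression. `actions/checkout@v4` here differs from `actions/checkout@v5` in the rebase workflow added by the same commit; one major version across the workflows avoids two upgrade paths. The upstream template named on the first line also runs on a schedule, as far as I recall; with only `push` to `main` the score is refreshed only when main changes. The file also ends with an extra blank line after `sarif_file: results.sarif`.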
@@ -0,0 +1,45 @@
+name: Automatic Rebase
+on:
+ pull_request:
+ types: [labeled]
+
+permissions:
+ contents: read
+
+jobs:
+ rebase:
+ name: Rebase
+ if: github.event.label.name == 'needs-rebase'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate Actions Token
+ id: token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ token: ${{ steps.token.outputs.token }}
+ fetch-depth: 0
+
+ - name: Automatic Rebase
+ uses: peter-evans/rebase@v3
+ with:
+ token: ${{ steps.token.outputs.token }}
+
+ - name: Remove needs-rebase label
+ if: always()
+ uses: actions/github-script@v8
+ with:
+ github-token: ${{ steps.token.outputs.token }}
+ script: |
+ await github.rest.issues.removeLabel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ name: 'needs-rebase'
+ });
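Review bot: The app token minted in `Generate Actions Token` carries the app's full installation grant, since no `repositories:` or `permission-*` input narrows it, yet it is only needed to push the rebased PR branch and remove a label, and the job is triggered by whoever can apply the `needs-rebase` label. Narrow it at the source with `repositories: ${{ github.event.repository.name }}`, `permission-contents: write` and `permission-pull-requests: write` (the `issues.removeLabel` call may additionally need `permission-issues: write`; check against the app's grant). `if: always()` on the label step also runs when the job is cancelled; `if: ${{ !cancelled() }}` is the usual intent. The top-level `permissions: contents: read` governs only the default `GITHUB_TOKEN`, which none of these steps use, so it does not limit what the app token can do.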