Move away from raw github domain to API

Signed-off-by: apostasie <[email protected]>

Author: apostasie

.github/workflows/ghcr-image-build-and-publish.yml

@@ -68,3 +68,5 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            github_token=${{ secrets.GITHUB_TOKEN }}

.github/workflows/job-test-dependencies.yml

@@ -39,6 +39,8 @@ jobs:
         uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
 
       - name: "Run: build dependencies for the integration test environment image"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Cache is sharded per-architecture
           arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}
@@ -49,6 +51,7 @@ jobs:
             args=(--build-arg CONTAINERD_VERSION=${{ inputs.containerd-version }})
           fi
           docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
             --cache-to type=gha,compression=zstd,mode=max,scope=test-integration-dependencies-"$arch" \
             --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
             --target build-dependencies "${args[@]}" .

.github/workflows/job-test-in-container.yml

@@ -86,6 +86,8 @@ jobs:
           canary::build::integration
       - if: ${{ ! inputs.canary }}
         name: "Init: prepare test image"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           buildargs=()
           # If the runner is old, use old ubuntu inside the container as well
@@ -104,6 +106,7 @@ jobs:
           arch=${{ env.RUNNER_ARCH == 'ARM64' && 'arm64' || 'amd64' }}
           docker buildx create --name with-gha --use
           docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
             --output=type=docker \
             --cache-from type=gha,scope=test-integration-dependencies-"$arch" \
             -t "$target" --target "$target" \

.github/workflows/job-test-in-lima.yml

@@ -79,6 +79,8 @@ jobs:
         uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124  # v3.1.0
 
       - name: "Init: prepare integration tests"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -eux
 
@@ -88,6 +90,7 @@ jobs:
           [ "$TARGET" = "rootless" ] && TARGET=test-integration-rootless || TARGET=test-integration
           docker buildx create --name with-gha --use
           docker buildx build \
+            --secret id=github_token,env=GITHUB_TOKEN \
             --output=type=docker \
             --cache-from type=gha,scope=test-integration-dependencies-amd64 \
             -t test-integration --target "${TARGET}" \

Dockerfile

@@ -61,6 +61,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
   make \
   git \
+  jq \
   curl \
   dpkg-dev
 ARG TARGETARCH
@@ -75,6 +76,7 @@ RUN xx-apt-get update -qq && xx-apt-get install -qq --no-install-recommends \
   pkg-config
 RUN git config --global advice.detachedHead false
 ADD hack/git-checkout-tag-with-hash.sh /usr/local/bin/
+ADD hack/scripts/lib.sh /usr/local/bin/http::helper
 
 FROM build-base AS build-containerd
 ARG TARGETARCH
@@ -174,10 +176,11 @@ RUN cd /out/lib/systemd/system && \
   echo "" >> buildkit.service && \
   echo "# This file was converted from containerd.service, with \`sed -E '${sedcomm}'\`" >> buildkit.service
 ARG STARGZ_SNAPSHOTTER_VERSION
-RUN STARGZ_SNAPSHOTTER_VERSION=${STARGZ_SNAPSHOTTER_VERSION%%@*}; \
+RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
+  STARGZ_SNAPSHOTTER_VERSION=${STARGZ_SNAPSHOTTER_VERSION%%@*}; \
   fname="stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
   curl -o "${fname}" -fsSL --proto '=https' --tlsv1.2 "https://github.com/containerd/stargz-snapshotter/releases/download/${STARGZ_SNAPSHOTTER_VERSION}/${fname}" && \
-  curl -o "stargz-snapshotter.service" -fsSL --proto '=https' --tlsv1.2 "https://raw.githubusercontent.com/containerd/stargz-snapshotter/${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service" && \
+  http::helper github::file containerd/stargz-snapshotter script/config/etc/systemd/system/stargz-snapshotter.service "${STARGZ_SNAPSHOTTER_VERSION}" > "stargz-snapshotter.service" && \
   grep "${fname}" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
   grep "stargz-snapshotter.service" "/SHA256SUMS.d/stargz-snapshotter-${STARGZ_SNAPSHOTTER_VERSION}" | sha256sum -c - && \
   tar xzf "${fname}" -C /out/bin && \
@@ -245,6 +248,10 @@ RUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION%%@*}; \
 ARG GOMODJAIL_VERSION
 COPY --from=build-gomodjail /out/${TARGETARCH:-amd64}/* /out/bin/
 RUN echo "- gomodjail: ${GOMODJAIL_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+ARG CONTAINERIZED_SYSTEMD_VERSION
+RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
+  http::helper github::file AkihiroSuda/containerized-systemd docker-entrypoint.sh "${CONTAINERIZED_SYSTEMD_VERSION}" > /docker-entrypoint.sh && \
+  chmod +x /docker-entrypoint.sh
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
@@ -281,9 +288,7 @@ RUN apt-get update -qq && apt-get install -qq -y --no-install-recommends \
   iproute2 iptables \
   dbus dbus-user-session systemd systemd-sysv \
   fuse3
-ARG CONTAINERIZED_SYSTEMD_VERSION
-RUN curl -o /docker-entrypoint.sh -fsSL --proto '=https' --tlsv1.2 https://raw.githubusercontent.com/AkihiroSuda/containerized-systemd/${CONTAINERIZED_SYSTEMD_VERSION}/docker-entrypoint.sh && \
-  chmod +x /docker-entrypoint.sh
+COPY --from=build-full /docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=out-full / /usr/local/
 RUN perl -pi -e 's/multi-user.target/docker-entrypoint.target/g' /usr/local/lib/systemd/system/*.service && \
   systemctl enable containerd buildkit stargz-snapshotter && \

Makefile

@@ -253,7 +253,7 @@ TAR_OWNER0_FLAGS=--owner=0 --group=0
 TAR_FLATTEN_FLAGS=--transform 's/.*\///g'
 
 define make_artifact_full_linux
-	$(DOCKER) build --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar --target out-full --platform $(1) --build-arg GO_VERSION -f $(MAKEFILE_DIR)/Dockerfile $(MAKEFILE_DIR)
+	$(DOCKER) build --secret id=github_token,env=GITHUB_TOKEN --output type=tar,dest=$(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar --target out-full --platform $(1) --build-arg GO_VERSION -f $(MAKEFILE_DIR)/Dockerfile $(MAKEFILE_DIR)
 	gzip -9 $(CURDIR)/_output/nerdctl-full-$(VERSION_TRIMMED)-linux-$(1).tar
 endef
 

hack/scripts/lib.sh

@@ -226,9 +226,10 @@ github::settoken(){
 }
 
 github::request(){
-  local endpoint="$1"
+  local accept="$1"
+  local endpoint="$2"
   local args=(
-    "Accept: application/vnd.github+json"
+    "Accept: $accept"
     "X-GitHub-Api-Version: 2022-11-28"
   )
 
@@ -237,21 +238,30 @@ github::request(){
   http::get /dev/stdout https://api.github.com/"$endpoint" "${args[@]}"
 }
 
+github::file(){
+  local repo="$1"
+  local path="$2"
+  local ref="${3:-main}"
+  github::request "application/vnd.github.v3.raw" "repos/$repo/contents/$path?ref=$ref"
+}
+
 github::tags::latest(){
   local repo="$1"
-  github::request "repos/$repo/tags" | jq -rc .[0].name
+  github::request "application/vnd.github+json" "repos/$repo/tags" | jq -rc .[0].name
 }
 
 github::releases(){
   local repo="$1"
-  github::request "repos/$repo/releases" |
+  github::request "application/vnd.github+json" "repos/$repo/releases" |
     jq -rc .[]
 }
 
 github::releases::latest(){
   local repo="$1"
-  github::request "repos/$repo/releases/latest" | jq -rc .
+  github::request "application/vnd.github+json" "repos/$repo/releases/latest" | jq -rc .
 }
 
 log::init
 host::require jq tar curl shasum
+
+[[ "${1:-}" != "github"* ]] || "$@"