chore: import upstream snapshot with attribution
container project - merge build / Invoke build (push) Successful in 1s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:06:18 +08:00
commit e84fb4a79e
474 changed files with 68321 additions and 0 deletions
+64
View File
@@ -0,0 +1,64 @@
name: Bug report
description: File a bug report.
title: "[Bug]: "
type: "Bug"
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to fill out this bug report!
- type: checkboxes
id: prereqs
attributes:
label: I have done the following
description: Select that you have completed the following prerequisites.
options:
- label: I have searched the existing issues
required: true
- label: If possible, I've reproduced the issue using the 'main' branch of this project
required: false
- type: textarea
id: reproduce
attributes:
label: Steps to reproduce
description: |
Explain how to reproduce the incorrect behavior.
📖 **Need help?** See our guide: [How to write effective reproduction steps](https://github.com/apple/container/blob/main/docs/bug-report-how-to.md#steps-to-reproduce)
validations:
required: true
- type: textarea
id: what-happened
attributes:
label: Problem description
description: |
Briefly describe your problem, and what you believe the correct behavior should be.
📖 **Need help?** See our guide: [Problem Description](https://github.com/apple/container/blob/main/docs/bug-report-how-to.md#problem-description)
validations:
required: true
- type: textarea
attributes:
label: Environment
description: |
Examples:
- **OS**: macOS 26.0 (25A354)
- **Xcode**: Version 26.0 (17A324)
- **Container**: Container CLI version 0.1.0
📖 **Need help gathering this info?** See our guide: [Environment Information](https://github.com/apple/container/blob/main/docs/bug-report-how-to.md#environment-information)
value: |
- OS:
- Xcode:
- Container:
render: markdown
validations:
required: true
- type: checkboxes
id: terms
attributes:
label: Code of Conduct
description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/apple/.github/blob/main/CODE_OF_CONDUCT.md).
options:
- label: I agree to follow this project's Code of Conduct
required: true
+24
View File
@@ -0,0 +1,24 @@
name: Feature or enhancement request
description: File a request for a feature or enhancement
title: "[Request]: "
type: "Feature"
body:
- type: markdown
attributes:
value: |
Thanks for contributing to the container project!
- type: textarea
id: request
attributes:
label: Feature or enhancement request details
description: Describe your proposed feature or enhancement. Code samples that show what's missing, or what new capabilities will be possible, are very helpful! Provide links to existing issues or external references/discussions, if appropriate.
validations:
required: true
- type: checkboxes
id: terms
attributes:
label: Code of Conduct
description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/apple/.github/blob/main/CODE_OF_CONDUCT.md).
options:
- label: I agree to follow this project's Code of Conduct
required: true
+5
View File
@@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: Container community support
url: https://github.com/apple/container/discussions
about: Please ask and answer questions here.
+12
View File
@@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
github-actions:
patterns:
- "*"
commit-message:
prefix: "ci"
+16
View File
@@ -0,0 +1,16 @@
cli:
- changed-files:
- any-glob-to-any-file:
- 'Sources/CLI/**'
- 'Sources/ContainerCommands/**'
documentation:
- changed-files:
- any-glob-to-any-file:
- '**/*.md'
- 'docs/**'
ci:
- changed-files:
- any-glob-to-any-file:
- '.github/**'
+13
View File
@@ -0,0 +1,13 @@
## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update
## Motivation and Context
[Why is this change needed?]
## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs
+210
View File
@@ -0,0 +1,210 @@
name: container project - common jobs
permissions:
contents: read
on:
workflow_call:
inputs:
release:
type: boolean
description: "Publish this build for release"
default: false
coverage:
type: boolean
description: "Run tests with code coverage enabled"
default: false
pr_number:
type: string
description: "PR number for coverage artifact naming (required when coverage is true)"
default: ""
jobs:
buildAndTest:
name: Build and test the project
if: github.repository == 'apple/container'
timeout-minutes: 75
runs-on: [self-hosted, macos, tahoe, ARM64]
permissions:
contents: read
packages: read
env:
DEVELOPER_DIR: "/Applications/Xcode_swift_6.3.app/Contents/Developer"
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
- name: Check formatting
env:
HAWKEYE_AUTO_INSTALL: "1"
run: |
./scripts/install-hawkeye.sh
make fmt
if ! git diff --quiet -- . ; then
echo "❌ The following files require formatting or license header updates:"
git diff --name-only -- .
false
fi
- name: Check protobuf
run: |
make protos
if ! git diff --quiet -- . ; then
echo "❌ The following files require formatting or license header updates:"
git diff --name-only -- .
false
fi
- name: Set build configuration
env:
RELEASE: ${{ inputs.release }}
run: |
echo "BUILD_CONFIGURATION=debug" >> $GITHUB_ENV
if [[ "${RELEASE}" == "true" ]]; then
echo "BUILD_CONFIGURATION=release" >> $GITHUB_ENV
fi
- name: Make the container project and docs
run: |
make container dsym docs
tar cfz _site.tgz _site
- name: Validate coverage inputs
if: ${{ inputs.coverage }}
env:
PR_NUMBER: ${{ inputs.pr_number }}
run: |
if [ -z "${PR_NUMBER}" ]; then
echo "::error::pr_number input is required when coverage is true"
exit 1
fi
- name: Create package
run: |
mkdir -p outputs
mv "bin/${BUILD_CONFIGURATION}/container-installer-unsigned.pkg" outputs
mv "bin/${BUILD_CONFIGURATION}/bundle/container-dSYM.zip" outputs
- name: Set up test environment
run: |
APP_ROOT=$(mktemp -d -p "${RUNNER_TEMP}")
LOG_ROOT="${APP_ROOT}/logs"
echo "created data directory: ${APP_ROOT}"
echo "hostname: $(hostname)"
export NO_PROXY="${NO_PROXY},192.168.0.0/16,fe80::/10"
echo NO_PROXY=${NO_PROXY}
export no_proxy="${no_proxy},192.168.0.0/16,fe80::/10"
echo no_proxy=${no_proxy}
echo "APP_ROOT=${APP_ROOT}" >> $GITHUB_ENV
echo "LOG_ROOT=${LOG_ROOT}" >> $GITHUB_ENV
- name: Test the container project
if: ${{ !inputs.coverage }}
run: make APP_ROOT="${APP_ROOT}" LOG_ROOT="${LOG_ROOT}" test install-kernel integration
- name: Test the container project with coverage
if: ${{ inputs.coverage }}
run: make APP_ROOT="${APP_ROOT}" LOG_ROOT="${LOG_ROOT}" install-kernel coverage
- name: Extract coverage percentages
if: ${{ inputs.coverage }}
env:
PR_NUMBER: ${{ inputs.pr_number }}
run: |
mkdir -p pr-coverage
jq -r '.data[0].totals.lines.percent | . * 100 | round | . / 100' coverage-reports/unit/coverage-summary.json > pr-coverage/unit-line-coverage.txt
jq -r '.data[0].totals.lines.percent | . * 100 | round | . / 100' coverage-reports/integration/coverage-summary.json > pr-coverage/integration-line-coverage.txt
jq -r '.data[0].totals.lines.percent | . * 100 | round | . / 100' coverage-reports/combined/coverage-summary.json > pr-coverage/combined-line-coverage.txt
echo "${PR_NUMBER}" > pr-coverage/pr-number.txt
echo "Coverage data:"
cat pr-coverage/*.txt
- name: Upload coverage data
if: ${{ inputs.coverage }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: pr-coverage-${{ inputs.pr_number }}
path: pr-coverage/
retention-days: 1
if-no-files-found: warn
- name: Upload coverage HTML reports
if: ${{ inputs.coverage }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: coverage-html-reports
path: |
coverage-reports/unit/html/
coverage-reports/integration/html/
coverage-reports/combined/html/
retention-days: 14
if-no-files-found: ignore
- name: Archive test logs
if: always()
run: |
if [ -d "${APP_ROOT}/containers" ] && [ -n "${LOG_ROOT}" ]; then
rsync -a --include='*/' --include='*.log' --exclude='*' \
"${APP_ROOT}/containers/" \
"${LOG_ROOT}/containers/"
fi
if [ -n "${LOG_ROOT}" ] && [ -d "${LOG_ROOT}" ] ; then
echo "Collecting logs from ${LOG_ROOT}..."
tar czf container-logs.tar.gz -C "$(dirname "${LOG_ROOT}")" "$(basename "${LOG_ROOT}")"
echo "Log archive created: container-logs.tar.gz"
fi
if [ -n "${APP_ROOT}" ] ; then
rm -rf "${APP_ROOT}"
echo "Removed data directory ${APP_ROOT}"
fi
rm -rf coverage-reports pr-coverage
- name: Upload logs if present
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: container-test-logs
path: container-logs.tar.gz
retention-days: 14
if-no-files-found: ignore
- name: Save documentation artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: api-docs
path: "./_site.tgz"
retention-days: 14
- name: Save package artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: container-package
path: ${{ github.workspace }}/outputs
uploadPages:
# Separate upload step required because upload-pages-artifact needs
# gtar which is not on the macOS runner.
name: Upload artifact for GitHub Pages
needs: buildAndTest
timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- name: Setup Pages
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6
- name: Download a single artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: api-docs
- name: Add API docs to documentation
run: |
tar xfz _site.tgz
- name: Upload Artifact
uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
with:
path: "./_site"
+46
View File
@@ -0,0 +1,46 @@
# Manual workflow for releasing docs ad-hoc. Workflow can only be run for main or release branches.
# Workflow does NOT publish a release of container.
name: Deploy application website
permissions:
contents: read
on:
workflow_dispatch:
jobs:
checkBranch:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags') || startsWith(github.ref, 'refs/heads/release')
steps:
- name: Branch validation
env:
REF_NAME: ${{ github.ref_name }}
run: echo "Branch ${REF_NAME} is allowed"
buildSite:
name: Build application website
needs: checkBranch
uses: ./.github/workflows/common.yml
secrets: inherit
permissions:
contents: read
packages: write
pages: write
deployDocs:
runs-on: ubuntu-latest
needs: [checkBranch, buildSite]
permissions:
contents: read
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5
+22
View File
@@ -0,0 +1,22 @@
name: container project - merge build
permissions:
contents: read
on:
push:
branches:
- main
- release/*
jobs:
build:
name: Invoke build
uses: ./.github/workflows/common.yml
with:
release: true
secrets: inherit
permissions:
contents: read
packages: read
pages: write
+53
View File
@@ -0,0 +1,53 @@
name: container project - PR build
permissions:
contents: read
on:
pull_request:
types: [opened, reopened, synchronize]
jobs:
verify-signatures:
name: Verify commit signatures
runs-on: ubuntu-latest
steps:
- name: Check all commits are signed
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
commits=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/commits" --paginate)
unsigned_commits=""
while IFS='|' read -r sha author verified; do
if [ "$verified" != "true" ]; then
unsigned_commits="$unsigned_commits - $sha by $author\n"
fi
done < <(echo "$commits" | jq -r '.[] | "\(.sha)|\(.commit.author.name)|\(.commit.verification.verified)"')
if [ -n "$unsigned_commits" ]; then
echo "::error::The following commits are not signed:"
echo -e "$unsigned_commits"
echo ""
echo "Please sign your commits. See:"
echo " - https://github.com/apple/containerization/blob/main/CONTRIBUTING.md#pull-requests"
echo " - https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
exit 1
fi
echo "All commits are signed!"
build:
name: Invoke build
uses: ./.github/workflows/common.yml
with:
release: false
coverage: true
pr_number: ${{ github.event.pull_request.number }}
secrets: inherit
permissions:
contents: read
packages: read
pages: write
+84
View File
@@ -0,0 +1,84 @@
name: PR Coverage Comment
on:
workflow_run:
workflows: ["container project - PR build"]
types:
- completed
permissions:
contents: read
jobs:
comment:
name: Post coverage comment
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
permissions:
contents: read
actions: read
pull-requests: write
steps:
- name: Download coverage artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
pattern: pr-coverage-*
merge-multiple: true
path: pr-coverage-data
id: download-artifact
continue-on-error: true
- name: Check artifact exists
if: steps.download-artifact.outcome == 'success'
id: check-artifact
run: |
if [ -f pr-coverage-data/pr-number.txt ]; then
echo "found=true" >> $GITHUB_OUTPUT
else
echo "No coverage artifact found — coverage job may have failed."
echo "found=false" >> $GITHUB_OUTPUT
fi
- name: Validate and post comment
if: steps.check-artifact.outputs.found == 'true'
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
run: |
PR_NUMBER=$(cat pr-coverage-data/pr-number.txt)
grep -qxE '[0-9]+' <<< "$PR_NUMBER" || { echo "Invalid PR number: ${PR_NUMBER}"; exit 1; }
UNIT=$(cat pr-coverage-data/unit-line-coverage.txt)
grep -qxE '[0-9]+(\.[0-9]+)?' <<< "$UNIT" || { echo "Invalid unit coverage: ${UNIT}"; exit 1; }
INTEGRATION=$(cat pr-coverage-data/integration-line-coverage.txt)
grep -qxE '[0-9]+(\.[0-9]+)?' <<< "$INTEGRATION" || { echo "Invalid integration coverage: ${INTEGRATION}"; exit 1; }
COMBINED=$(cat pr-coverage-data/combined-line-coverage.txt)
grep -qxE '[0-9]+(\.[0-9]+)?' <<< "$COMBINED" || { echo "Invalid combined coverage: ${COMBINED}"; exit 1; }
MARKER="<!-- coverage-bot -->"
BODY=$(cat <<EOF
${MARKER}
## Code Coverage
| Tier | Line Coverage |
|------|--------------|
| Unit | ${UNIT}% |
| Integration | ${INTEGRATION}% |
| Combined | ${COMBINED}% |
EOF
)
EXISTING_COMMENT_ID=$(gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" --paginate --jq ".[] | select(.body | contains(\"${MARKER}\")) | .id" | head -1)
if [ -n "${EXISTING_COMMENT_ID}" ]; then
gh api "repos/${REPO}/issues/comments/${EXISTING_COMMENT_ID}" -X PATCH -f body="${BODY}"
echo "Updated existing coverage comment ${EXISTING_COMMENT_ID}"
else
gh pr comment "${PR_NUMBER}" --repo "${REPO}" --body "${BODY}"
echo "Created new coverage comment"
fi
+28
View File
@@ -0,0 +1,28 @@
name: PR Label Analysis
on:
pull_request:
types: [opened]
permissions:
contents: read
jobs:
analyze:
name: Analyze PR for labeling
runs-on: ubuntu-latest
steps:
- name: Save PR metadata
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
mkdir -p ./pr-metadata
echo "${PR_NUMBER}" > ./pr-metadata/pr-number.txt
- name: Upload PR metadata as artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: pr-metadata-${{ github.event.pull_request.number }}
path: pr-metadata/
retention-days: 1
+47
View File
@@ -0,0 +1,47 @@
name: PR Label Apply
on:
workflow_run:
workflows: ["PR Label Analysis"]
types:
- completed
permissions:
contents: read
jobs:
apply-labels:
name: Apply labels to PR
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Download PR metadata artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
pattern: pr-metadata-*
merge-multiple: false
id: download-artifact
- name: Read PR number
id: pr-number
run: |
PR_NUMBER=$(cat "pr-number.txt")
echo "number=${PR_NUMBER}" >> $GITHUB_OUTPUT
echo "PR Number: ${PR_NUMBER}"
- name: Apply labels using labeler
uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6
with:
pr-number: ${{ steps.pr-number.outputs.number }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/labeler.yml
sync-labels: true
+57
View File
@@ -0,0 +1,57 @@
name: container project - release build
permissions:
contents: read
on:
push:
tags:
- "[0-9]+\\.[0-9]+\\.[0-9]+"
jobs:
build:
name: Invoke build and release
uses: ./.github/workflows/common.yml
with:
release: true
secrets: inherit
permissions:
contents: read
packages: read
pages: write
release:
if: startsWith(github.ref, 'refs/tags/')
name: Publish release
timeout-minutes: 30
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
packages: read
pages: write
steps:
- name: Download artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: outputs
- name: Verify artifacts exist
run: |
echo "Checking for expected artifacts..."
ls -la outputs/container-package/
test -e outputs/container-package/*.zip || (echo "Missing .zip file!" && exit 1)
test -e outputs/container-package/*.pkg || (echo "Missing .pkg file!" && exit 1)
- name: Create release
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
with:
token: ${{ github.token }}
name: ${{ github.ref_name }}-prerelease
draft: true
make_latest: false
prerelease: true
fail_on_unmatched_files: true
files: |
outputs/container-package/*.zip
outputs/container-package/*.pkg