podman-container-tools · timcoding1988 · May 29, 2026
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.github/filters.yaml b/.github/filters.yaml
@@ -0,0 +1,12 @@
+code:
+  - '**/*.go'
+  - 'go.mod'
+  - 'go.sum'
+  - 'vendor/**'
+  - 'Makefile'
+  - '.github/**'
+  - 'contrib/ci/**'
+  - 'hack/**'
+  - 'tests/**'
+  - '.codespellrc'
+  - '.golangci.yml'
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,205 @@
+name: "ci"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  path-filter:
+    name: path-filter
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      pull-requests: read
+    outputs:
+      code: ${{ steps.filter.outputs.code }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - id: filter
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d  # v4.0.1
+        with:
+          filters: .github/filters.yaml
+
+  smoke:
+    name: smoke
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-4-16-x86
+      test: smoke
+      distro: fedora-current
+      timeout: 20
+
+  vendor:
+    name: vendor
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-4-16-x86
+      test: vendor
+      distro: fedora-current
+      timeout: 20
+
+  cross:
+    name: cross
+    runs-on: cncf-ubuntu-8-32-x86
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build all cross targets
+        run: make -j4 cross CGO_ENABLED=0
+
+  unit:
+    needs: [smoke, vendor, path-filter]
+    if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+    name: unit ${{ matrix.storage }}
+    strategy:
+      fail-fast: false
+      matrix:
+        storage: [vfs, overlay]
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-4-16-x86
+      test: unit
+      storage: ${{ matrix.storage }}
+      priv: root
+      distro: fedora-current
+      timeout: 60
+
+  conformance:
+    needs: [smoke, vendor, path-filter]
+    if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+    name: conformance ${{ matrix.storage }}
+    strategy:
+      fail-fast: false
+      matrix:
+        storage: [vfs, overlay]
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-8-32-x86
+      test: conformance
+      storage: ${{ matrix.storage }}
+      priv: root
+      distro: debian-sid
+      timeout: 40
+
+  integration:
+    needs: [smoke, vendor, path-filter]
+    if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+    name: integration ${{ matrix.storage }} ${{ matrix.priv }} ${{ matrix.distro }}
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [fedora-current, fedora-prior, debian-sid]
+        storage: [vfs, overlay]
+        priv: [root, rootless]
+        exclude:
+          - storage: vfs
+            priv: rootless
+          - distro: debian-sid
+            priv: rootless
+          # Skip rootless+overlay: upstream Cirrus's PASSTHROUGH_ENV_RE drops
+          # STORAGE_DRIVER through SSH re-exec to rootlessuser, so their
+          # "Integration rootless ... w/ overlay" task silently tests vfs.
+          # When we propagate STORAGE_DRIVER properly, we expose a real
+          # rootless+overlay cleanup bug in buildah's storage code
+          # ("replacing mount point .../merged: directory not empty").
+          # Skip these cells until that's fixed upstream.
+          - storage: overlay
+            priv: rootless
+        include:
+          - storage: overlay
+            priv: root
+            distro: fedora-rawhide
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-8-32-x86
+      test: integration
+      storage: ${{ matrix.storage }}
+      priv: ${{ matrix.priv }}
+      distro: ${{ matrix.distro }}
+      timeout: 60
+
+  in_podman:
+    needs: [smoke, vendor, path-filter]
+    if: needs.path-filter.outputs.code == 'true' || github.event_name != 'pull_request'
+    name: in_podman
+    uses: ./.github/workflows/lima.yml
+    with:
+      runner: cncf-ubuntu-8-32-x86
+      test: in_podman
+      storage: vfs
+      priv: root
+      distro: fedora-current
+      timeout: 60
+
+  mac:
+    needs: [smoke, vendor]
+    name: build (darwin)
+    runs-on: macos-15
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build darwin/arm64
+        run: make bin/buildah.darwin.arm64
+
+      - name: Build darwin/amd64
+        run: make bin/buildah.darwin.amd64
+
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: buildah-darwin
+          path: bin/buildah.darwin.*
+          if-no-files-found: error
+
+  success:
+    name: "Total Success"
+    if: always()
+    needs:
+      - path-filter
+      - smoke
+      - vendor
+      - cross
+      - unit
+      - conformance
+      - integration
+      - in_podman
+      - mac
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all required jobs
+        run: |
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || \
+             [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+            echo "One or more required jobs failed or were cancelled"
+            exit 1
+          fi
+          echo "All required jobs passed or were skipped"
diff --git a/.github/workflows/lima.yml b/.github/workflows/lima.yml
@@ -0,0 +1,57 @@
+name: lima
+
+on:
+  workflow_call:
+    inputs:
+      distro:
+        required: true
+        type: string
+      test:
+        required: true
+        type: string
+      priv:
+        required: false
+        type: string
+      storage:
+        required: false
+        type: string
+      runner:
+        required: true
+        type: string
+      timeout:
+        required: false
+        type: number
+
+permissions: {}
+
+jobs:
+  lima:
+    name: ${{ inputs.test }} ${{ inputs.storage || '' }} ${{ inputs.priv || '' }} ${{ inputs.distro }}
+    runs-on: ${{ inputs.runner }}
+    timeout-minutes: ${{ inputs.timeout || 20 }}
+    permissions: {}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 50
+
+      - name: Fetch base ref for merge-base
+        run: git fetch --depth=50 origin main:refs/remotes/origin/main || true
+
+      - uses: lima-vm/lima-actions/setup@55627e31b78637bf254a8b2a14da8ea7d12564e5  # v1.1.0
+        id: lima
+        with:
+          version: v2.1.1
+
+      - name: Run test on lima
+        run: | # zizmor: ignore[template-injection]
+          ./contrib/ci/ci.sh ${{ inputs.test }} ${{ inputs.storage }} ${{ inputs.priv }} ${{ inputs.distro }}
+
+      - name: Upload journal as artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: "journal-${{ inputs.test }}-${{ inputs.storage }}-${{ inputs.priv }}-${{ inputs.distro }}.log"
+          path: "./contrib/ci/journal.log"
+          if-no-files-found: ignore
diff --git a/contrib/ci/ci.sh b/contrib/ci/ci.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" && pwd )
+
+source "$SCRIPT_DIR/lib.sh"
+
+AUTOMATION_RELEASE="${AUTOMATION_RELEASE:-20260520t200858z}"
+LIMA_VM_NAME=buildah-ci
+
+REPO_DIR="$SCRIPT_DIR/../.."
+
+parse_args "$@"
+
+IMAGE="$DISTRO_NAME.x86_64.qcow2.zst"
+
+IMAGE_URL_BASE="${IMAGE_URL_BASE:-https://objectstorage.us-ashburn-1.oraclecloud.com/n/id0lmbbwgcdv/b/podman-ci-vm-images/o/releases}"
+IMAGE_URL="$IMAGE_URL_BASE/$AUTOMATION_RELEASE/$IMAGE"
+
+trap "limactl delete --force $LIMA_VM_NAME" EXIT
+
+limactl --yes start --plain --name=$LIMA_VM_NAME --cpus $(nproc) --memory 8 --disk 150 --nested-virt \
+    --set ".images=[{\"location\":\"$IMAGE_URL\", \"arch\": \"x86_64\"}]" \
+    "$SCRIPT_DIR/template.lima.yml"
+
+limactl copy "$REPO_DIR" $LIMA_VM_NAME:/var/tmp/buildah
+
+set +e
+
+limactl shell --workdir /var/tmp/buildah $LIMA_VM_NAME ./contrib/ci/runner.sh "${@}"
+rc=$?
+
+limactl shell --workdir /var/tmp/buildah $LIMA_VM_NAME sudo contrib/ci/logcollector.sh journal &> "$SCRIPT_DIR/journal.log"
+
+exit $rc