From 0c2015ab8c2ef813e502a73b28037b8d78bde34f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:20:17 +0000 Subject: [PATCH 01/24] Initial plan From 9a89c91a130e50beb45405cb7952e92b9a6bfbf6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:22:54 +0000 Subject: [PATCH 02/24] Add Podman integration tests for OCI runtime compatibility Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .github/workflows/wc-build-push-test.yml | 18 ++++ .../workflows/wc-integration-test-podman.yml | 82 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 .github/workflows/wc-integration-test-podman.yml diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index 9e8777d1..a59ee42e 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml @@ -147,6 +147,24 @@ jobs: registry: ${{ inputs.registry }} test-file: ${{ inputs.integration-test-file }} + integration-test-podman: + name: ๐Ÿงช Podman + if: ${{ inputs.integration-test-file }} + needs: build-push + uses: ./.github/workflows/wc-integration-test-podman.yml + permissions: + contents: read + secrets: + DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} + DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} + with: + build-test-runner-labels: ${{ inputs.build-test-runner-labels }} + fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }} + image-basename: ${{ needs.build-push.outputs.image-basename }} + image-digest: ${{ needs.build-push.outputs.digest }} + registry: ${{ inputs.registry }} + test-file: ${{ inputs.integration-test-file }} + acceptance-test: name: ๐Ÿ—๏ธ if: ${{ inputs.test-devcontainer-file && inputs.acceptance-test-path }} 
diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml new file mode 100644 index 00000000..9d6e1e7c --- /dev/null +++ b/.github/workflows/wc-integration-test-podman.yml 
@@ -0,0 +1,82 @@ +--- +name: Integration Test (Podman) + +on: + workflow_call: + inputs: + build-test-runner-labels: + required: true + type: string + fully-qualified-image-name: + required: true + type: string + image-basename: + required: true + type: string + image-digest: + required: true + type: string + registry: + required: true + type: string + test-file: + required: true + type: string + secrets: + DOCKER_REGISTRY_PASSWORD: + required: true + DOCKER_REGISTRY_USERNAME: + required: true + +permissions: {} + +jobs: + run-test: + name: Integration Test Podman (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) + strategy: + matrix: + runner: ${{ fromJson(inputs.build-test-runner-labels) }} + runs-on: ${{ matrix.runner }} + permissions: + contents: read + steps: + - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + disable-sudo: false + egress-policy: audit + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Install Podman + run: | + # Install Podman on Ubuntu + sudo apt-get update + sudo apt-get install -y podman + podman --version + - name: Login to container registry + run: | + echo "${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}" | \ + podman login ${{ inputs.registry }} \ + --username "${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}" \ + --password-stdin + - name: Pull container image + run: | + podman pull ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} + - run: echo "arch=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" + id: runner-arch + - name: Run integration tests using Podman + run: | + podman run --rm \ + -v "${{ github.workspace }}:${{ github.workspace }}" \ + -w "${{ github.workspace }}" \ + ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} \ + bats --formatter junit "${TEST_FILE}" | 
tee "test-report-${IMAGE_BASENAME}-podman-${RUNNER_ARCH}.xml" + env: + IMAGE_BASENAME: ${{ inputs.image-basename }} + TEST_FILE: ${{ inputs.test-file }} + RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }} + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + if: ${{ !cancelled() }} + with: + name: test-results-integration-podman-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }} + path: test-report-*.xml From 269bf0d705a35b494c5b461cd1345608438bdd18 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:23:46 +0000 Subject: [PATCH 03/24] Pass environment variables to Podman container Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .github/workflows/wc-integration-test-podman.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 9d6e1e7c..a43cb98d 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml @@ -69,6 +69,9 @@ jobs: podman run --rm \ -v "${{ github.workspace }}:${{ github.workspace }}" \ -w "${{ github.workspace }}" \ + -e IMAGE_BASENAME="${IMAGE_BASENAME}" \ + -e TEST_FILE="${TEST_FILE}" \ + -e RUNNER_ARCH="${RUNNER_ARCH}" \ ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} \ bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-podman-${RUNNER_ARCH}.xml" env: From 8a54623ac50241bcc5c9182c5096c2cd4134d205 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:25:03 +0000 Subject: [PATCH 04/24] Add comment clarifying Ubuntu runner requirement for Podman Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .github/workflows/wc-integration-test-podman.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
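Review bot: The `step-security/harden-runner` step that opens the new job is configured with `egress-policy: audit` and `disable-sudo: false`, so in this workflow it only records outbound connections and never blocks one. Sudo is genuinely needed by the `apt-get install -y podman` that follows, but the job's egress set is small and knowable (apt mirrors, the registry passed in `inputs.registry`, and whatever the test file fetches), so after one audit run the step can be tightened to `egress-policy: block` with an `allowed-endpoints` list and become an actual control rather than a log. Also worth a comment on the pull step: `podman pull …@${{ inputs.image-digest }}` pins the image under test by digest rather than tag, which is the property the later `podman run` relies on — `# pull by digest so the tested image is exactly the one build-push produced` makes that intent explicit.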
diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index a43cb98d..85f1ecfc 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml @@ -49,7 +49,8 @@ jobs: persist-credentials: false - name: Install Podman run: | - # Install Podman on Ubuntu + # Install Podman on Ubuntu (Ubuntu 20.10+ has Podman in default repositories) + # This workflow is designed for Ubuntu runners (ubuntu-latest, ubuntu-24.04-arm) sudo apt-get update sudo apt-get install -y podman podman --version From aa2725512ef28521ec0b7c95c91eca3dab76df09 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Feb 2026 07:01:45 +0000 Subject: [PATCH 05/24] Fix code injection vulnerabilities in Podman workflow Move all template expansions to environment variables and use them in shell commands instead to prevent code injection. Properly quote all variables that can contain spaces. Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com> --- .../workflows/wc-integration-test-podman.yml | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 85f1ecfc..80bdebc4 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml 
@@ -56,29 +56,37 @@ jobs:
 podman --version
 - name: Login to container registry
 run: |
- echo "${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}" | \
- podman login ${{ inputs.registry }} \
- --username "${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}" \
+ echo "${REGISTRY_PASSWORD}" | \
+ podman login "${REGISTRY}" \
+ --username "${REGISTRY_USERNAME}" \
 --password-stdin
+ env:
+ REGISTRY: ${{ inputs.registry }}
+ REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
+ REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
 - name: Pull container image
 run: |
- podman pull ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
+ podman pull "${IMAGE_WITH_DIGEST}"
+ env:
+ IMAGE_WITH_DIGEST: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
 - run: echo "arch=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
 id: runner-arch
 - name: Run integration tests using Podman
 run: |
 podman run --rm \
- -v "${{ github.workspace }}:${{ github.workspace }}" \
- -w "${{ github.workspace }}" \
+ -v "${WORKSPACE}:${WORKSPACE}" \
+ -w "${WORKSPACE}" \
 -e IMAGE_BASENAME="${IMAGE_BASENAME}" \
 -e TEST_FILE="${TEST_FILE}" \
 -e RUNNER_ARCH="${RUNNER_ARCH}" \
- ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} \
+ "${IMAGE_WITH_DIGEST}" \
 bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-podman-${RUNNER_ARCH}.xml"
 env:
 IMAGE_BASENAME: ${{ inputs.image-basename }}
- TEST_FILE: ${{ inputs.test-file }}
+ IMAGE_WITH_DIGEST: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
 RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }}
+ TEST_FILE: ${{ inputs.test-file }}
+ WORKSPACE: ${{ github.workspace }}
 - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 if: ${{ !cancelled() }}
 with:
From 2f5b5c1e96d88a236a3a96798762923282bb403a Mon Sep 17 00:00:00 2001
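Review bot: `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` in the new `env:` block fall back to `github.actor`/`github.token` when the `DOCKER_REGISTRY_*` secrets are empty, but the job declares only `permissions: contents: read` (outside this hunk), so if the fallback is exercised against a registry that authorizes pulls through the token's scopes — GHCR with a non-public package, for example — the subsequent `podman pull "${IMAGE_WITH_DIGEST}"` would fail on authorization rather than on missing credentials. If the fallback path is intended to work, the job's permissions block needs `packages: read`; if the secrets are always expected to be set, dropping `|| github.token` makes the failure explicit instead of silently logging in with a weaker identity. A one-line comment above the two fallbacks stating which case is intended, e.g. `# falls back to the job token for public registries only`, would settle it for the next reader.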
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 20 Feb 2026 12:35:37 +0000
Subject: [PATCH 06/24] Fix DNS resolution issue in Podman tests by using host network
Add --network=host flag to podman run command to ensure DNS resolution works properly in containers. This fixes the "failed to lookup address information" errors that were occurring on x64 runners when tests tried to download Windows SDK from aka.ms domains.
Co-authored-by: rjaegers <45816308+rjaegers@users.noreply.github.com>
---
 .github/workflows/wc-integration-test-podman.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml
index 80bdebc4..961e97cf 100644
--- a/.github/workflows/wc-integration-test-podman.yml
+++ b/.github/workflows/wc-integration-test-podman.yml
@@ -74,6 +74,7 @@ jobs:
 - name: Run integration tests using Podman
 run: |
 podman run --rm \
+ --network=host \
 -v "${WORKSPACE}:${WORKSPACE}" \
 -w "${WORKSPACE}" \
 -e IMAGE_BASENAME="${IMAGE_BASENAME}" \
From 9abfa4a294f018b0b4f47dd9973c4d96b63f9e34 Mon Sep 17 00:00:00 2001
From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com>
Date: Tue, 10 Feb 2026 08:55:33 +0100
Subject: [PATCH 07/24] chore(deps, rust): update github.vscode-pull-request-github in devcontainer.json (#1146)
Update github.vscode-pull-request-github in devcontainer.json
Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com>
---
 .devcontainer/rust/devcontainer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.devcontainer/rust/devcontainer.json b/.devcontainer/rust/devcontainer.json
index a63269ce..7c55a4d9 100644
--- a/.devcontainer/rust/devcontainer.json
+++ b/.devcontainer/rust/devcontainer.json
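Review bot: `--network=host` removes the network namespace between the test container and the runner, which is broader than the problem the commit message names — a DNS lookup failure inside Podman's default network. Podman's `--dns` (and `--dns-search`) options let the container use a specific resolver while keeping its own namespace, so `--dns=<RESOLVER_IP>` pointing at the runner's configured resolver is the narrower fix to try first. On ephemeral GitHub-hosted runners the exposure from host networking is limited, but `runs-on` comes from `inputs.build-test-runner-labels`, so on self-hosted runners the image under test would gain direct access to any host-local listeners. If host networking stays, a comment above the flag recording the reason, `# host network: container DNS resolution failed on x64 runners`, keeps the next reader from removing it as unnecessary.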
@@ -20,7 +20,7 @@ "extensions": [ "github.copilot@1.388.0", "github.vscode-github-actions@0.31.0", - "github.vscode-pull-request-github@0.126.0", + "github.vscode-pull-request-github@0.128.0", "jetmartin.bats@0.1.10", "kherring.bats-test-runner@0.1.3", "mhutchie.git-graph@1.30.0", From 7857c0b93b6cbe4f38e713146b3b14517a779122 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Feb 2026 17:51:34 +0100 Subject: [PATCH 08/24] chore(deps): bump conan from 2.25.1 to 2.25.2 in /.devcontainer (#1149) Bumps [conan](https://github.com/conan-io/conan) from 2.25.1 to 2.25.2. - [Release notes](https://github.com/conan-io/conan/releases) - [Commits](https://github.com/conan-io/conan/compare/2.25.1...2.25.2) --- updated-dependencies: - dependency-name: conan dependency-version: 2.25.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .devcontainer/cpp/requirements.in | 2 +- .devcontainer/cpp/requirements.txt | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/cpp/requirements.in b/.devcontainer/cpp/requirements.in index 8bb46f45..9a4e1aa8 100644 --- a/.devcontainer/cpp/requirements.in +++ b/.devcontainer/cpp/requirements.in @@ -1,3 +1,3 @@ cmake==4.2.1 -conan==2.25.1 +conan==2.25.2 gcovr==8.6 diff --git a/.devcontainer/cpp/requirements.txt b/.devcontainer/cpp/requirements.txt index 4963e9d9..a27f5e8d 100644 --- a/.devcontainer/cpp/requirements.txt +++ b/.devcontainer/cpp/requirements.txt 
@@ -144,8 +144,8 @@ colorlog==6.8.2 \ --hash=sha256:3e3e079a41feb5a1b64f978b5ea4f46040a94f11f0e8bbb8261e3dbbeca64d44 \ --hash=sha256:4dcbb62368e2800cb3c5abd348da7e53f6c362dda502ec27c560b2e58a66bd33 # via gcovr -conan==2.25.1 \ - --hash=sha256:1d77d2457dfdbe919a68cee9d96bddde2b3411671a7d9e934df49c49faa2335d +conan==2.25.2 \ + --hash=sha256:3a5214a095cee5c3d21ed45ea31139705703e49fa9c4bb45c4c73f5ee17a1031 # via -r cpp/requirements.in distro==1.8.0 \ --hash=sha256:02e111d1dc6a50abb8eed6bf31c3e48ed8b0830d1ea2a1b78c61765c2513fdd8 \ From aa1f4febcd291757ed035c4a9318ea9be35643ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Feb 2026 18:32:28 +0100 Subject: [PATCH 09/24] ci(deps): bump the github-actions group with 4 updates (#1151) Bumps the github-actions group with 4 updates: [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action), [github/codeql-action](https://github.com/github/codeql-action), [philips-software/amp-devcontainer](https://github.com/philips-software/amp-devcontainer) and [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `zizmorcore/zizmor-action` from 0.4.1 to 0.5.0 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/135698455da5c3b3e55f73f4419e481ab68cdd95...0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d) Updates `github/codeql-action` from 4.31.10 to 4.32.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/cdefb33c0f6224e58673d9004f47f7cb3e328b89...45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2) Updates `philips-software/amp-devcontainer` from 6.6.2 to 6.8.0 - [Release notes](https://github.com/philips-software/amp-devcontainer/releases) - [Changelog](https://github.com/philips-software/amp-devcontainer/blob/main/CHANGELOG.md) - [Commits](https://github.com/philips-software/amp-devcontainer/compare/03a6ec02581d659aa155a8127b9ecac229560d1d...0b102f3ea8255073eab6cad7b6fb3e7b3dbd1121) Updates `anchore/sbom-action` from 0.21.1 to 0.22.2 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/0b82b0b1a22399a1c542d4d656f70cd903571b5c...28d71544de8eaf1b958d335707167c5f783590ad) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.0 
dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.32.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: philips-software/amp-devcontainer dependency-version: 6.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: anchore/sbom-action dependency-version: 0.22.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/linting-formatting.yml | 4 ++-- .github/workflows/ossf-scorecard.yml | 2 +- .github/workflows/vulnerability-scan.yml | 2 +- .github/workflows/wc-build-push.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 32bfc077..730d91f1 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -34,7 +34,7 @@ jobs: with: fetch-depth: 0 persist-credentials: false - - uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 + - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0 with: persona: pedantic # flavors/dotnet is the smallest flavor of MegaLinter that contains the linters @@ -44,7 +44,7 @@ jobs: APPLY_FIXES: all VALIDATE_ALL_CODEBASE: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 + - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 if: success() || failure() with: sarif_file: megalinter-reports/megalinter-report.sarif 
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index b66a33f4..b45477d0 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -33,6 +33,6 @@ jobs: results_format: sarif repo_token: ${{ secrets.SCORECARD_TOKEN }} publish_results: true - - uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 + - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 with: sarif_file: results.sarif diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index ff77efc3..2493f234 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -26,7 +26,7 @@ jobs: with: image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest dockerfile: .devcontainer/Dockerfile - - uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 + - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 if: steps.scan.outputs.sarif != '' with: sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index a8d6e207..e1ee3d2a 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -234,7 +234,7 @@ jobs: name: container-diff-${{ needs.sanitize-image-name.outputs.image-basename }} path: container-diff.json retention-days: 10 - - uses: philips-software/amp-devcontainer/.github/actions/container-size-diff@03a6ec02581d659aa155a8127b9ecac229560d1d # v6.6.2 + - uses: philips-software/amp-devcontainer/.github/actions/container-size-diff@0b102f3ea8255073eab6cad7b6fb3e7b3dbd1121 # v6.8.0 id: container-size-diff with: from-container: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge 
@@ -244,7 +244,7 @@ jobs: header: container-size-diff-${{ needs.sanitize-image-name.outputs.image-basename }} message: | ${{ steps.container-size-diff.outputs.size-diff-markdown }} - - uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1 + - uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2 with: image: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}@${{ steps.inspect-manifest.outputs.digest }} dependency-snapshot: true From 965666b1cd1800164c15a5105b13c8c3bdb8c7fc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Feb 2026 19:22:42 +0100 Subject: [PATCH 10/24] test(deps): bump the npm group with 4 updates (#1150) Bumps the npm group with 4 updates: [@playwright/test](https://github.com/microsoft/playwright), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [dotenv](https://github.com/motdotla/dotenv) and [otpauth](https://github.com/hectorm/otpauth). Updates `@playwright/test` from 1.58.0 to 1.58.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](https://github.com/microsoft/playwright/compare/v1.58.0...v1.58.1) Updates `@types/node` from 25.1.0 to 25.2.1 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `dotenv` from 17.2.3 to 17.2.4 - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](https://github.com/motdotla/dotenv/compare/v17.2.3...v17.2.4) Updates `otpauth` from 9.4.1 to 9.5.0 - [Release notes](https://github.com/hectorm/otpauth/releases) - [Commits](https://github.com/hectorm/otpauth/compare/v9.4.1...v9.5.0) --- updated-dependencies: - dependency-name: "@playwright/test" dependency-version: 1.58.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@types/node" dependency-version: 25.2.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: dotenv dependency-version: 17.2.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: otpauth dependency-version: 9.5.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 58 +++++++++++++++++++++++------------------------ package.json | 8 +++---- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/package-lock.json b/package-lock.json index 47d6f62d..cbc1101f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,11 +8,11 @@ "name": "amp-devcontainer-tests", "version": "1.0.0", "devDependencies": { - "@playwright/test": "^1.58.0", - "@types/node": "^25.1.0", - "dotenv": "^17.2.3", + "@playwright/test": "^1.58.1", + "@types/node": "^25.2.1", + "dotenv": "^17.2.4", "nodemon": "^3.1.11", - "otpauth": "^9.4.1", + "otpauth": "^9.5.0", "playwright-bdd": "^8.4.2" } }, @@ -160,13 +160,13 @@ "license": "MIT" }, "node_modules/@noble/hashes": { - "version": "1.8.0", - "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz", - "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-2.0.1.tgz", + "integrity": "sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw==", "dev": true, "license": "MIT", "engines": { - "node": "^14.21.3 || >=16" + "node": ">= 20.19.0" }, "funding": { "url": "https://paulmillr.com/funding/" 
@@ -211,13 +211,13 @@ } }, "node_modules/@playwright/test": { - "version": "1.58.0", - "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.0.tgz", - "integrity": "sha512-fWza+Lpbj6SkQKCrU6si4iu+fD2dD3gxNHFhUPxsfXBPhnv3rRSQVd0NtBUT9Z/RhF/boCBcuUaMUSTRTopjZg==", + "version": "1.58.1", + "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.1.tgz", + "integrity": "sha512-6LdVIUERWxQMmUSSQi0I53GgCBYgM2RpGngCPY7hSeju+VrKjq3lvs7HpJoPbDiY5QM5EYRtRX5fvrinnMAz3w==", "dev": true, "license": "Apache-2.0", "dependencies": { - "playwright": "1.58.0" + "playwright": "1.58.1" }, "bin": { "playwright": "cli.js" @@ -237,9 +237,9 @@ } }, "node_modules/@types/node": { - "version": "25.1.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-25.1.0.tgz", - "integrity": "sha512-t7frlewr6+cbx+9Ohpl0NOTKXZNV9xHRmNOvql47BFJKcEG1CxtxlPEEe+gR9uhVWM4DwhnvTF110mIL4yP9RA==", + "version": "25.2.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.2.1.tgz", + "integrity": "sha512-CPrnr8voK8vC6eEtyRzvMpgp3VyVRhgclonE7qYi6P9sXwYb59ucfrnmFBTaP0yUi8Gk4yZg/LlTJULGxvTNsg==", "dev": true, "license": "MIT", "dependencies": { @@ -412,9 +412,9 @@ } }, "node_modules/dotenv": { - "version": "17.2.3", - "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.3.tgz", - "integrity": "sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w==", + "version": "17.2.4", + "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.4.tgz", + "integrity": "sha512-mudtfb4zRB4bVvdj0xRo+e6duH1csJRM8IukBqfTRvHotn9+LBXB8ynAidP9zHqoRC/fsllXgk4kCKlR21fIhw==", "dev": true, "license": "BSD-2-Clause", "engines": { 
@@ -692,13 +692,13 @@ } }, "node_modules/otpauth": { - "version": "9.4.1", - "resolved": "https://registry.npmjs.org/otpauth/-/otpauth-9.4.1.tgz", - "integrity": "sha512-+iVvys36CFsyXEqfNftQm1II7SW23W1wx9RwNk0Cd97lbvorqAhBDksb/0bYry087QMxjiuBS0wokdoZ0iUeAw==", + "version": "9.5.0", + "resolved": "https://registry.npmjs.org/otpauth/-/otpauth-9.5.0.tgz", + "integrity": "sha512-Ldhc6UYl4baR5toGr8nfKC+L/b8/RgHKoIixAebgoNGzUUCET02g04rMEZ2ZsPfeVQhMHcuaOgb28nwMr81zCA==", "dev": true, "license": "MIT", "dependencies": { - "@noble/hashes": "1.8.0" + "@noble/hashes": "2.0.1" }, "funding": { "url": "https://github.com/hectorm/otpauth?sponsor=1" @@ -718,13 +718,13 @@ } }, "node_modules/playwright": { - "version": "1.58.0", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.0.tgz", - "integrity": "sha512-2SVA0sbPktiIY/MCOPX8e86ehA/e+tDNq+e5Y8qjKYti2Z/JG7xnronT/TXTIkKbYGWlCbuucZ6dziEgkoEjQQ==", + "version": "1.58.1", + "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.1.tgz", + "integrity": "sha512-+2uTZHxSCcxjvGc5C891LrS1/NlxglGxzrC4seZiVjcYVQfUa87wBL6rTDqzGjuoWNjnBzRqKmF6zRYGMvQUaQ==", "dev": true, "license": "Apache-2.0", "dependencies": { - "playwright-core": "1.58.0" + "playwright-core": "1.58.1" }, "bin": { "playwright": "cli.js" @@ -770,9 +770,9 @@ } }, "node_modules/playwright-core": { - "version": "1.58.0", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.0.tgz", - "integrity": "sha512-aaoB1RWrdNi3//rOeKuMiS65UCcgOVljU46At6eFcOFPFHWtd2weHRRow6z/n+Lec0Lvu0k9ZPKJSjPugikirw==", + "version": "1.58.1", + "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.1.tgz", + "integrity": "sha512-bcWzOaTxcW+VOOGBCQgnaKToLJ65d6AqfLVKEWvexyS3AS6rbXl+xdpYRMGSRBClPvyj44njOWoxjNdL/H9UNg==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/package.json b/package.json index 0d134a42..45e9ef47 100644 --- a/package.json +++ b/package.json 
@@ -2,11 +2,11 @@ "name": "amp-devcontainer-tests", "version": "1.0.0", "devDependencies": { - "@playwright/test": "^1.58.0", - "@types/node": "^25.1.0", - "dotenv": "^17.2.3", + "@playwright/test": "^1.58.1", + "@types/node": "^25.2.1", + "dotenv": "^17.2.4", "nodemon": "^3.1.11", - "otpauth": "^9.4.1", + "otpauth": "^9.5.0", "playwright-bdd": "^8.4.2" }, "scripts": { From 218e65d83233ec260c03052aed1663c26f0e6018 Mon Sep 17 00:00:00 2001 From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 10:17:21 +0100 Subject: [PATCH 11/24] chore(deps, base): update g++-14 (#1156) Update g++-14 Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> --- .devcontainer/base/apt-requirements.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/base/apt-requirements.json b/.devcontainer/base/apt-requirements.json index 0e65be1d..1e773491 100644 --- a/.devcontainer/base/apt-requirements.json +++ b/.devcontainer/base/apt-requirements.json @@ -1,7 +1,7 @@ { "bash-completion": "1:2.11-8", "ca-certificates": "20240203", - "g++-14": "14.2.0-4ubuntu2~24.04", + "g++-14": "14.2.0-4ubuntu2~24.04.1", "git": "1:2.43.0-1ubuntu7.3", "gnupg2": "2.4.4-2ubuntu17.4", "udev": "255.4-1ubuntu8.12", From ec931320a80dd2906b43623bf22b8f3e0da6f9bb Mon Sep 17 00:00:00 2001 From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 11:10:39 +0100 Subject: [PATCH 12/24] chore(deps, cpp): update ms-vscode.cpptools in devcontainer-metadata.json (#1152) Update ms-vscode.cpptools in devcontainer-metadata.json Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> --- .devcontainer/cpp/devcontainer-metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.devcontainer/cpp/devcontainer-metadata.json b/.devcontainer/cpp/devcontainer-metadata.json index 177964c2..ce44478c 100644 --- a/.devcontainer/cpp/devcontainer-metadata.json +++ b/.devcontainer/cpp/devcontainer-metadata.json @@ -9,7 +9,7 @@ "marus25.cortex-debug@1.12.1", "mhutchie.git-graph@1.30.0", "ms-vscode.cmake-tools@1.22.27", - "ms-vscode.cpptools@1.30.4", + "ms-vscode.cpptools@1.30.5", "ms-vsliveshare.vsliveshare@1.0.5959", "sonarsource.sonarlint-vscode@4.42.0" ], From 31ea3e8e5d219621f0086768b3ce5ce699feb06e Mon Sep 17 00:00:00 2001 From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 12:17:50 +0000 Subject: [PATCH 13/24] chore(deps, rust): update rust-lang.rust-analyzer in devcontainer-metadata.json (#1153) Update rust-lang.rust-analyzer in devcontainer-metadata.json Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Co-authored-by: Ron <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/rust/devcontainer-metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/rust/devcontainer-metadata.json b/.devcontainer/rust/devcontainer-metadata.json index 0433ee4f..cdf35ad0 100644 --- a/.devcontainer/rust/devcontainer-metadata.json +++ b/.devcontainer/rust/devcontainer-metadata.json @@ -7,7 +7,7 @@ "extensions": [ "mhutchie.git-graph@1.30.0", "ms-vsliveshare.vsliveshare@1.0.5959", - "rust-lang.rust-analyzer@0.3.2777", + "rust-lang.rust-analyzer@0.3.2795", "tamasfe.even-better-toml@0.21.2", "usernamehw.errorlens@3.28.0" ] From 138b2e5804b4b2c4c78d61ffda662712761d3e7f Mon Sep 17 00:00:00 2001 
From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 15:54:35 +0100 Subject: [PATCH 14/24] chore(deps, cpp): update alexkrechik.cucumberautocomplete, ms-vscode.cpptools in devcontainer.json (#1154) Update alexkrechik.cucumberautocomplete, ms-vscode.cpptools in devcontainer.json Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Co-authored-by: Ron <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/cpp/devcontainer.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/cpp/devcontainer.json b/.devcontainer/cpp/devcontainer.json index 701638bc..02e0c283 100644 --- a/.devcontainer/cpp/devcontainer.json +++ b/.devcontainer/cpp/devcontainer.json @@ -34,7 +34,7 @@ "files.trimTrailingWhitespace": true }, "extensions": [ - "alexkrechik.cucumberautocomplete@3.0.5", + "alexkrechik.cucumberautocomplete@3.1.0", "github.copilot@1.388.0", "github.vscode-github-actions@0.31.0", "github.vscode-pull-request-github@0.128.0", @@ -44,7 +44,7 @@ "ms-azuretools.vscode-docker@2.0.0", "ms-playwright.playwright@1.1.17", "ms-vscode.cmake-tools@1.22.27", - "ms-vscode.cpptools@1.30.4", + "ms-vscode.cpptools@1.30.5", "sonarsource.sonarlint-vscode@4.42.0", "usernamehw.errorlens@3.28.0" ] From e441bffbf7ae61af7b2e0f353c0af10e2940ce05 Mon Sep 17 00:00:00 2001 
From: "philips-software-forest-releaser[bot]" <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Date: Wed, 18 Feb 2026 10:07:05 +0000 Subject: [PATCH 15/24] chore(deps, rust): update rust-lang.rust-analyzer in devcontainer.json (#1155) Update rust-lang.rust-analyzer in devcontainer.json Co-authored-by: philips-software-forest-releaser[bot] <80338643+philips-software-forest-releaser[bot]@users.noreply.github.com> Co-authored-by: Ron <45816308+rjaegers@users.noreply.github.com> --- .devcontainer/rust/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/rust/devcontainer.json b/.devcontainer/rust/devcontainer.json index 7c55a4d9..8013c00f 100644 --- a/.devcontainer/rust/devcontainer.json +++ b/.devcontainer/rust/devcontainer.json @@ -25,7 +25,7 @@ "kherring.bats-test-runner@0.1.3", "mhutchie.git-graph@1.30.0", "ms-azuretools.vscode-docker@2.0.0", - "rust-lang.rust-analyzer@0.3.2777", + "rust-lang.rust-analyzer@0.3.2795", "sonarsource.sonarlint-vscode@4.42.0", "tamasfe.even-better-toml@0.21.2", "usernamehw.errorlens@3.28.0" From 1f05c32f5df786d9e50f70abb08428d664fde093 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:20:17 +0000 Subject: [PATCH 16/24] Initial plan From 06d1031369b4292de14f1f8e4823de598f9793d7 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 23 Feb 2026 15:05:34 +0100 Subject: [PATCH 17/24] ci: minor updates --- .github/workflows/wc-build-push-test.yml | 2 +- .github/workflows/wc-integration-test-podman.yml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index a59ee42e..34adf76b 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml 
@@ -148,7 +148,7 @@ jobs: test-file: ${{ inputs.integration-test-file }} integration-test-podman: - name: ๐Ÿงช Podman + name: ๐Ÿงช if: ${{ inputs.integration-test-file }} needs: build-push uses: ./.github/workflows/wc-integration-test-podman.yml diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 961e97cf..3773af50 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml @@ -40,7 +40,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 with: disable-sudo: false egress-policy: audit @@ -49,8 +49,6 @@ jobs: persist-credentials: false - name: Install Podman run: | - # Install Podman on Ubuntu (Ubuntu 20.10+ has Podman in default repositories) - # This workflow is designed for Ubuntu runners (ubuntu-latest, ubuntu-24.04-arm) sudo apt-get update sudo apt-get install -y podman podman --version From 0942a2f9cae7e302ff2bd32e6204aaf4062e6f6f Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 24 Feb 2026 14:23:40 +0000 Subject: [PATCH 18/24] ci: process review comments --- .github/workflows/wc-integration-test-podman.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 3773af50..5a0ee82d 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml 
@@ -54,10 +54,7 @@ jobs: podman --version - name: Login to container registry run: | - echo "${REGISTRY_PASSWORD}" | \ - podman login "${REGISTRY}" \ - --username "${REGISTRY_USERNAME}" \ - --password-stdin + printf '%s' "${REGISTRY_PASSWORD}" | podman login "${REGISTRY}" --username "${REGISTRY_USERNAME}" --password-stdin env: REGISTRY: ${{ inputs.registry }} REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }} @@ -71,6 +68,8 @@ jobs: id: runner-arch - name: Run integration tests using Podman run: | + set -Eeuo pipefail + podman run --rm \ --network=host \ -v "${WORKSPACE}:${WORKSPACE}" \ @@ -86,6 +85,12 @@ jobs: RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }} TEST_FILE: ${{ inputs.test-file }} WORKSPACE: ${{ github.workspace }} + - name: Log out of container registry + if: ${{ always() }} + run: | + podman logout "${REGISTRY}" + env: + REGISTRY: ${{ inputs.registry }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ !cancelled() }} with: From 4508d5177f02743a51567a70181374c986cb78f4 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 07:58:19 +0100 Subject: [PATCH 19/24] ci: make podman tests optional --- .github/workflows/continuous-integration.yml | 5 +- .github/workflows/wc-build-push-test.yml | 55 +++++++++---------- ...est.yml => wc-integration-test-docker.yml} | 20 +++---- .../workflows/wc-integration-test-podman.yml | 4 +- 4 files changed, 40 insertions(+), 44 deletions(-) rename .github/workflows/{wc-integration-test.yml => wc-integration-test-docker.yml} (86%) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 184fab9e..bdf13658 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml 
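Review bot: The new `Log out of container registry` step runs under `if: ${{ always() }}`, so it also executes when the login step failed or was skipped (for example when `Install Podman` fails), and `podman logout` then reports that it is not logged in and exits non-zero, failing the job for the wrong reason. Tie the cleanup to the login step's outcome — give the login step `id: registry-login` and use `if: ${{ always() && steps.registry-login.outcome == 'success' }}` — or make the logout tolerant with `podman logout "${REGISTRY}" || true`. The upload step directly below uses `!cancelled()` while this step uses `always()`; a one-line comment would explain the difference, e.g. `# always(): remove the registry credential from the runner even when the job is cancelled`. The `run-test` job these steps belong to starts outside the hunk.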
@@ -51,6 +51,8 @@ jobs: packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments with: + acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} + acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json build-args: | BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }} devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json @@ -58,8 +60,7 @@ jobs: enable-edge-tag: ${{ github.event_name == 'merge_group' }} image-name: ${{ github.repository }}-${{ matrix.flavor }} integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats - acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} - test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json + integration-test-podman: true dependency-review: name: ๐Ÿ” Dependency Review diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index 34adf76b..7fa64260 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml 
@@ -4,12 +4,16 @@ name: Build, Push & Test on: workflow_call: inputs: + acceptance-test-devcontainer-file: + description: Path to the devcontainer.json file to use for acceptance tests. + required: false + type: string acceptance-test-path: - description: Path to the Playwright acceptance tests (directory that contains playwright.config.ts) + description: Path to the Playwright acceptance tests (directory that contains playwright.config.ts). required: false type: string build-args: - description: Optional docker build args (newline-separated KEY=VALUE) + description: Optional docker build args (newline-separated KEY=VALUE). required: false type: string build-test-runner-labels: @@ -38,7 +42,7 @@ on: required: true type: string enable-edge-tag: - description: Whether to also build and push an "edge" tag for the image + description: Whether to also build and push an "edge" tag for the image. required: false type: boolean default: false @@ -52,9 +56,14 @@ on: required: true type: string integration-test-file: - description: Path to the BATS test file to run for integration tests + description: Path to the BATS test file to run for integration tests. required: false type: string + integration-test-podman: + description: Enable running the tests using the Podman container runtime, next to the default Docker container runtime. + required: false + type: boolean + default: false registry: description: >- Docker registry to push built containers to. @@ -73,10 +82,6 @@ on: required: false type: string default: '["ubuntu-latest"]' - test-devcontainer-file: - description: Path to the devcontainer.json file to use for acceptance tests - required: false - type: string outputs: digest: value: ${{ jobs.build-push.outputs.digest }} 
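Review bot: The description of the new `integration-test-podman` input does not say that it only takes effect together with `integration-test-file`, although the `integration-test-podman` job later in this file is gated on both (`if: ${{ inputs.integration-test-file && inputs.integration-test-podman }}`). Suggest `description: Also run the integration tests with the Podman container runtime, next to the default Docker runtime; only has an effect when integration-test-file is set.` Likewise `acceptance-test-devcontainer-file` is only consulted when `acceptance-test-path` is also set (the acceptance job checks both), so its description could read `Path to the devcontainer.json file to use for acceptance tests; only used together with acceptance-test-path.`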
@@ -88,10 +93,10 @@ on: value: ${{ jobs.build-push.outputs.version }} secrets: DOCKER_REGISTRY_PASSWORD: - description: Password or token for Docker login, if not provided the GitHub token will be used + description: Password or token for Docker login, if not provided the GitHub token will be used. required: false DOCKER_REGISTRY_USERNAME: - description: User name for Docker login, if not provided the GitHub actor will be used + description: User name for Docker login, if not provided the GitHub actor will be used. required: false TEST_GITHUB_PASSWORD: required: false @@ -116,7 +121,7 @@ jobs: id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - secrets: + secrets: &docker-secrets DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} with: @@ -129,17 +134,15 @@ jobs: runner-labels: ${{ inputs.runner-labels }} build-test-runner-labels: ${{ inputs.build-test-runner-labels }} - integration-test: + integration-test-docker: name: ๐Ÿงช if: ${{ inputs.integration-test-file }} needs: build-push - uses: ./.github/workflows/wc-integration-test.yml + uses: ./.github/workflows/wc-integration-test-docker.yml permissions: contents: read - secrets: - DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} - DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} - with: + secrets: *docker-secrets + with: &integration-test-inputs build-test-runner-labels: ${{ inputs.build-test-runner-labels }} fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }} image-basename: ${{ needs.build-push.outputs.image-basename }} 
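Review bot: The `&integration-test-inputs` anchor on the `with:` mapping of `integration-test-docker` silently couples two callable workflows: the same mapping is reused verbatim by `integration-test-podman` (`with: *integration-test-inputs` in the next hunk), so `wc-integration-test-docker.yml` and `wc-integration-test-podman.yml` must declare exactly the same input set, and an input added to only one of them makes the other call fail validation with an undefined-input error. Nothing in the file says so; add a comment at the anchor, e.g. `with: &integration-test-inputs  # reused by integration-test-podman below: keep the inputs of both wc-integration-test-*.yml files identical`, and a similar note on `secrets: &docker-secrets`, which is defined on `build-push` and consumed by the two test jobs. Anchors and aliases are, if I recall correctly, a relatively recent GitHub Actions capability, so it is also worth confirming the repo's yamllint/actionlint setup accepts them.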
@@ -149,25 +152,17 @@ jobs: integration-test-podman: name: ๐Ÿงช - if: ${{ inputs.integration-test-file }} + if: ${{ inputs.integration-test-file && inputs.integration-test-podman }} needs: build-push uses: ./.github/workflows/wc-integration-test-podman.yml permissions: contents: read - secrets: - DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} - DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} - with: - build-test-runner-labels: ${{ inputs.build-test-runner-labels }} - fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }} - image-basename: ${{ needs.build-push.outputs.image-basename }} - image-digest: ${{ needs.build-push.outputs.digest }} - registry: ${{ inputs.registry }} - test-file: ${{ inputs.integration-test-file }} + secrets: *docker-secrets + with: *integration-test-inputs acceptance-test: name: ๐Ÿ—๏ธ - if: ${{ inputs.test-devcontainer-file && inputs.acceptance-test-path }} + if: ${{ inputs.acceptance-test-devcontainer-file && inputs.acceptance-test-path }} needs: build-push uses: ./.github/workflows/wc-acceptance-test.yml permissions: @@ -179,5 +174,5 @@ jobs: TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} with: image-basename: ${{ needs.build-push.outputs.image-basename }} - devcontainer-file: ${{ inputs.test-devcontainer-file }} + devcontainer-file: ${{ inputs.acceptance-test-devcontainer-file }} acceptance-test-path: ${{ inputs.acceptance-test-path }} diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test-docker.yml similarity index 86% rename from .github/workflows/wc-integration-test.yml rename to .github/workflows/wc-integration-test-docker.yml index f3e8b7c9..01b1dd15 100644 --- a/.github/workflows/wc-integration-test.yml +++ b/.github/workflows/wc-integration-test-docker.yml 
@@ -1,9 +1,12 @@ --- -name: Integration Test +name: ๐Ÿณ Integration Test on: workflow_call: inputs: + build-test-runner-labels: + required: true + type: string fully-qualified-image-name: required: true type: string @@ -13,26 +16,23 @@ on: image-digest: required: true type: string - test-file: - required: true - type: string - build-test-runner-labels: + registry: required: true type: string - registry: + test-file: required: true type: string secrets: - DOCKER_REGISTRY_USERNAME: - required: true DOCKER_REGISTRY_PASSWORD: required: true + DOCKER_REGISTRY_USERNAME: + required: true permissions: {} jobs: run-test: - name: Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) + name: ๐Ÿณ Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) strategy: matrix: runner: ${{ fromJson(inputs.build-test-runner-labels) }} @@ -62,5 +62,5 @@ jobs: - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: ${{ !cancelled() }} with: - name: test-results-integration-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }} + name: test-results-integration-docker-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }} path: test-report-*.xml diff --git a/.github/workflows/wc-integration-test-podman.yml b/.github/workflows/wc-integration-test-podman.yml index 5a0ee82d..83a16d78 100644 --- a/.github/workflows/wc-integration-test-podman.yml +++ b/.github/workflows/wc-integration-test-podman.yml @@ -1,5 +1,5 @@ --- -name: Integration Test (Podman) +name: ๐Ÿฆญ Integration Test on: workflow_call: 
@@ -32,7 +32,7 @@ permissions: {} jobs: run-test: - name: Integration Test Podman (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) + name: ๐Ÿฆญ Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) strategy: matrix: runner: ${{ fromJson(inputs.build-test-runner-labels) }} From 2f143c5ed9763705a4902df187b09e37258961e4 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 11:39:41 +0100 Subject: [PATCH 20/24] ci: reduce duplication --- .github/workflows/build-push-test.yml | 55 ++++++++++++++++++++ .github/workflows/continuous-integration.yml | 43 ++------------- .github/workflows/release-build.yml | 42 ++------------- 3 files changed, 62 insertions(+), 78 deletions(-) create mode 100644 .github/workflows/build-push-test.yml diff --git a/.github/workflows/build-push-test.yml b/.github/workflows/build-push-test.yml new file mode 100644 index 00000000..1ffaca52 --- /dev/null +++ b/.github/workflows/build-push-test.yml 
@@ -0,0 +1,55 @@ +--- +name: Build, Push & Test + +on: + workflow_call: + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + +permissions: {} + +jobs: + build-push-base: + name: Build โ†’ Push โ†’ Test (๐Ÿจ base) + uses: ./.github/workflows/wc-build-push-test.yml + permissions: &build-push-test-permissions + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments + with: + dockerfile: .devcontainer/base/Dockerfile + enable-edge-tag: ${{ github.event_name == 'merge_group' }} + image-name: ${{ github.repository }}-base + integration-test-file: test/base/integration-tests.bats + integration-test-podman: true + + build-push-flavors: + name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) + needs: build-push-base + strategy: + matrix: + flavor: [cpp, rust] + uses: ./.github/workflows/wc-build-push-test.yml + secrets: + TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} + TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} + TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} + TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} + permissions: *build-push-test-permissions + with: + acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} + acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json + build-args: | + BASE_IMAGE=${{ 
needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }} + devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json + dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile + enable-edge-tag: ${{ github.event_name == 'merge_group' }} + image-name: ${{ github.repository }}-${{ matrix.flavor }} + integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats + integration-test-podman: true diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index bdf13658..624d595e 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -13,9 +13,9 @@ concurrency: permissions: {} jobs: - build-push-base: - name: Build โ†’ Push โ†’ Test (๐Ÿจ base) - uses: ./.github/workflows/wc-build-push-test.yml + build-push-test: + name: Build โ†’ Push โ†’ Test + uses: ./.github/workflows/build-push-test.yml permissions: actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata 
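Review bot: The `acceptance-test-path` expression in `build-push-flavors` disables the acceptance tests for Dependabot-triggered runs without saying why; presumably because such runs cannot read the `TEST_GITHUB_*` repository secrets that the acceptance tests are handed, but that reasoning should sit next to the condition, e.g. `# skipped for Dependabot: its runs cannot read the TEST_GITHUB_* secrets the acceptance tests need — confirm`. A short comment on `permissions: &build-push-test-permissions` noting that the same scopes are applied to `build-push-flavors` through the alias would likewise make a later permission change deliberate rather than accidental.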
@@ -24,43 +24,6 @@ jobs: id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - with: - dockerfile: .devcontainer/base/Dockerfile - enable-edge-tag: ${{ github.event_name == 'merge_group' }} - image-name: ${{ github.repository }}-base - integration-test-file: test/base/integration-tests.bats - - build-push-flavors: - name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) - needs: build-push-base - strategy: - matrix: - flavor: [cpp, rust] - uses: ./.github/workflows/wc-build-push-test.yml - secrets: - TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} - TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} - TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} - TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} - permissions: - actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets - artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata - attestations: write # is needed by actions/attest-build-provenance to push attestations - contents: write # is needed by anchore/sbom-action for artifact uploads - id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token - packages: write # is needed to push image manifest when using GitHub Container Registry - pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - with: - acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} - acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json - build-args: | - BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }} - 
devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json - dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile - enable-edge-tag: ${{ github.event_name == 'merge_group' }} - image-name: ${{ github.repository }}-${{ matrix.flavor }} - integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats - integration-test-podman: true dependency-review: name: ๐Ÿ” Dependency Review diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 48600189..66032918 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -13,9 +13,9 @@ concurrency: permissions: {} jobs: - build-push-base: - name: Build โ†’ Push โ†’ Test (๐Ÿจ base) - uses: ./.github/workflows/wc-build-push-test.yml + build-push-test: + name: Build โ†’ Push โ†’ Test + uses: ./.github/workflows/build-push-test.yml permissions: actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata 
@@ -24,40 +24,6 @@ jobs: id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - with: - dockerfile: .devcontainer/base/Dockerfile - image-name: ${{ github.repository }}-base - integration-test-file: test/base/integration-tests.bats - - build-push-flavors: - name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) - needs: build-push-base - strategy: - matrix: - flavor: [cpp, rust] - uses: ./.github/workflows/wc-build-push-test.yml - secrets: - TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} - TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} - TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} - TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} - permissions: - actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets - artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata - attestations: write # is needed by actions/attest-build-provenance to push attestations - contents: write # is needed by anchore/sbom-action for artifact uploads - id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token - packages: write # is needed to push image manifest when using GitHub Container Registry - pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - with: - build-args: | - BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }} - devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json - dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile - image-name: ${{ github.repository }}-${{ matrix.flavor }} - integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats - 
acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }} - test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }} apply-release-notes-template: name: ๐Ÿ“ Apply Release Template @@ -96,7 +62,7 @@ jobs: # Please note that this is an overly broad scope, but GitHub does not # currently provide a more fine-grained permission for release modification. contents: write # is needed to modify a release - needs: [build-push-base, build-push-flavors, apply-release-notes-template] + needs: [build-push-test, apply-release-notes-template] env: CONTAINER_FLAVOR: ${{ matrix.flavor }} REF_NAME: ${{ github.ref_name }} From 5ab54a1fc4c2dc4754760a2c2fcc6a8123f9b7c9 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 11:42:37 +0100 Subject: [PATCH 21/24] ci: fix workflow needs --- .github/workflows/continuous-integration.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 624d595e..161ca83b 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -27,7 +27,7 @@ jobs: dependency-review: name: ๐Ÿ” Dependency Review - needs: build-push-flavors + needs: build-push-test uses: ./.github/workflows/wc-dependency-review.yml permissions: contents: read @@ -39,7 +39,7 @@ jobs: permissions: checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs - needs: build-push-flavors + needs: build-push-test if: ${{ !cancelled() }} steps: - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 From 64886020576cd98e6eee3b22f148c9f6e92203d9 Mon Sep 17 00:00:00 2001 
From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 12:56:42 +0100 Subject: [PATCH 22/24] ci: remove concurrency from workflow_call workflow --- .github/workflows/build-push-test.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build-push-test.yml b/.github/workflows/build-push-test.yml index 1ffaca52..095eb272 100644 --- a/.github/workflows/build-push-test.yml +++ b/.github/workflows/build-push-test.yml @@ -4,10 +4,6 @@ name: Build, Push & Test on: workflow_call: -concurrency: - group: ${{ github.ref }}-${{ github.workflow }} - cancel-in-progress: true - permissions: {} jobs: From 6c0f10f3719963a784fbd83d00665b2969029cd7 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 13:17:43 +0100 Subject: [PATCH 23/24] ci: pass secrets to workflow --- .github/workflows/build-push-test.yml | 107 ++++++++++--------- .github/workflows/continuous-integration.yml | 5 + .github/workflows/release-build.yml | 5 + 3 files changed, 66 insertions(+), 51 deletions(-) diff --git a/.github/workflows/build-push-test.yml b/.github/workflows/build-push-test.yml index 095eb272..47062663 100644 --- a/.github/workflows/build-push-test.yml +++ b/.github/workflows/build-push-test.yml 
@@ -1,51 +1,56 @@ ---- -name: Build, Push & Test - -on: - workflow_call: - -permissions: {} - -jobs: - build-push-base: - name: Build โ†’ Push โ†’ Test (๐Ÿจ base) - uses: ./.github/workflows/wc-build-push-test.yml - permissions: &build-push-test-permissions - actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets - artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata - attestations: write # is needed by actions/attest-build-provenance to push attestations - contents: write # is needed by anchore/sbom-action for artifact uploads - id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token - packages: write # is needed to push image manifest when using GitHub Container Registry - pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments - with: - dockerfile: .devcontainer/base/Dockerfile - enable-edge-tag: ${{ github.event_name == 'merge_group' }} - image-name: ${{ github.repository }}-base - integration-test-file: test/base/integration-tests.bats - integration-test-podman: true - - build-push-flavors: - name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }}) - needs: build-push-base - strategy: - matrix: - flavor: [cpp, rust] - uses: ./.github/workflows/wc-build-push-test.yml - secrets: - TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} - TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} - TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} - TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} - permissions: *build-push-test-permissions - with: - acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} - acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json - build-args: | - BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ 
needs.build-push-base.outputs.digest }} - devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json - dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile - enable-edge-tag: ${{ github.event_name == 'merge_group' }} - image-name: ${{ github.repository }}-${{ matrix.flavor }} - integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats - integration-test-podman: true +--- +name: Build, Push & Test + +on: + workflow_call: + secrets: + TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} + TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} + TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} + TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} + +permissions: {} + +jobs: + build-push-test-base: + name: ๐Ÿจ base + uses: ./.github/workflows/wc-build-push-test.yml + permissions: &build-push-test-permissions + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments + with: + dockerfile: .devcontainer/base/Dockerfile + enable-edge-tag: ${{ github.event_name == 'merge_group' }} + image-name: ${{ github.repository }}-base + integration-test-file: test/base/integration-tests.bats + integration-test-podman: true + + build-push-test-flavors: + name: ๐Ÿจ ${{ matrix.flavor }} + needs: build-push-test-base + strategy: + matrix: + flavor: [cpp, rust] + uses: ./.github/workflows/wc-build-push-test.yml + secrets: + TEST_GITHUB_TOKEN: ${{ 
secrets.TEST_GITHUB_TOKEN }} + TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} + TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} + TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} + permissions: *build-push-test-permissions + with: + acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }} + acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json + build-args: | + BASE_IMAGE=${{ needs.build-push-test-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-test-base.outputs.digest }} + devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json + dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile + enable-edge-tag: ${{ github.event_name == 'merge_group' }} + image-name: ${{ github.repository }}-${{ matrix.flavor }} + integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats + integration-test-podman: true diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 161ca83b..e85eadbf 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -24,6 +24,11 @@ jobs: id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments + secrets: + TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} + TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} + TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} + TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} dependency-review: name: ๐Ÿ” Dependency Review diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 66032918..16078d50 100644 --- a/.github/workflows/release-build.yml 
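Review bot: The hunk removes and re-adds all 51 lines of `build-push-test.yml` although most of them (the header, the `permissions` anchor block, the `with:` inputs) are textually unchanged, which is the usual symptom of a line-ending or encoding change rather than a content change. Please check with `git diff --ignore-all-space` and, if it is CRLF, normalise the file back to LF (a `.gitattributes` rule such as `*.yml text eol=lf` prevents a recurrence) so that the actual change — the new `on.workflow_call.secrets` block and the `build-push-test-*` job renames — stays reviewable.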
+++ b/.github/workflows/release-build.yml @@ -24,6 +24,11 @@ jobs: id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token packages: write # is needed to push image manifest when using GitHub Container Registry pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments + secrets: + TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} + TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} + TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} + TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} apply-release-notes-template: name: ๐Ÿ“ Apply Release Template From ca9025cc4034083044e1c6c08794dc040ae5b185 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 13:21:31 +0100 Subject: [PATCH 24/24] ci: correct syntax for passing secrets --- .github/workflows/build-push-test.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-push-test.yml b/.github/workflows/build-push-test.yml index 47062663..155803a1 100644 --- a/.github/workflows/build-push-test.yml +++ b/.github/workflows/build-push-test.yml @@ -4,10 +4,14 @@ name: Build, Push & Test on: workflow_call: secrets: - TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} - TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} - TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} - TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} + TEST_GITHUB_PASSWORD: + required: false + TEST_GITHUB_TOKEN: + required: false + TEST_GITHUB_TOTP_SECRET: + required: false + TEST_GITHUB_USER: + required: false permissions: {}
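Review bot: The four secrets declared under `on.workflow_call.secrets` carry no `description`, unlike the `DOCKER_REGISTRY_*` secrets in `wc-build-push-test.yml`, so a caller cannot tell from this file what they are for or when they may be left unset. Suggest one per entry, e.g. `description: Forwarded to the acceptance tests of the cpp flavor; may be left unset when acceptance-test-path is empty.` — `TEST_GITHUB_TOTP_SECRET` is visibly forwarded to `wc-acceptance-test.yml` in `wc-build-push-test.yml`, and the other three presumably serve the same login. It is also worth stating that `required: false` performs no check at call time: an unset secret arrives as an empty string and the failure surfaces only in the acceptance test itself.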