containers · Luap99 · Aug 27, 2025 · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -58,7 +58,7 @@
 gcp_credentials: ENCRYPTED[f448b0e5ed38a52ba93550305f9e38c9b0c03852b9fc3115930f231fc7124b7423e8c912b4d9e002cc34b3a7ac3c145b]
 
 # Default timeout for each task
-timeout_in: 120m
+timeout_in: 20m
 
 # Default VM to use unless set or modified by task
 gce_instance:
@@ -71,8 +71,6 @@
 
 
 storage_linux_testing: &linux_testing
-    depends_on:
-        - storage_lint
     gce_instance:  # Only need to specify differences from defaults (above)
         image_name: "${VM_IMAGE}"
 
@@ -136,30 +134,6 @@
         - env:
             TEST_DRIVER: "btrfs"
 
-
-storage_lint_task:
-    alias: storage_lint
-    name: "Storage: Lint"
-    only_if: *only_if_storage
-
-    env:
-        CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
-    container:
-        image: golang
-    modules_cache:
-        fingerprint_script: cat storage/go.sum
-        folder: $GOPATH/pkg/mod
-    build_script: |
-      apt-get update
-      apt-get install -y libbtrfs-dev libsubid-dev
-    test_script: |
-      cd storage
-      [ -n "${CIRRUS_BASE_SHA}" ] && git fetch origin ${CIRRUS_BASE_SHA} # Make ${CIRRUS_BASE_SHA} resolvable for git-validation
-      make TAGS=regex_precompile local-validate
-      make lint
-      make clean
-
-
 # Update metadata on VM images referenced by this repository state
 images_timestamp_update_task:
     alias: images_timestamp_update
@@ -186,10 +160,9 @@
     script: '/usr/local/bin/entrypoint.sh |& ${_TIMESTAMP}'
 
 
-
-image_validate_task:
-    alias: image_validate
-    name: "Image: Validate"
+image_cross_task:
+    alias: image_cross
+    name: "Image: Cross"
     only_if: &only_if_image >-
         $CIRRUS_PR == '' ||
         changesInclude('.cirrus.yml', 'go.work', 'go.work.sum') ||
@@ -205,23 +178,6 @@
         # Eventually, hard-code FEDORA_CACHE_IMAGE_NAME here again and remove the
         # VM_IMAGE_NAME parameter.
         image_name: ${VM_IMAGE_NAME}
-    env:
-        HOME: "/root"  # default unset, needed by golangci-lint.
-        VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
-    script: |
-        cd image
-        git remote update
-        make tools
-        # TODO: Enable once we are done with monorepo tests.
-        # ${GOBIN}/git-validation -q -run DCO,short-subject,dangling-whitespace -range $(git merge-base origin/${DEST_BRANCH} HEAD)..${CIRRUS_CHANGE_IN_REPO}
-        make validate
-
-
-image_cross_task:
-    alias: image_cross
-    name: "Image: Cross"
-    only_if: *only_if_image
-    gce_instance: *fedora_vm
     env:
         HOME: "/root"  # default unset, needed by golangci-lint.
         VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
@@ -232,8 +188,6 @@
 
 image_test_task:
     alias: image_test
-    depends_on:
-        - image_validate
     only_if: *only_if_image
     gce_instance: *fedora_vm
     env:
@@ -269,8 +223,6 @@
 image_test_skopeo_task:
     alias: image_test_skopeo
     only_if: *only_if_image
-    depends_on:
-        - image_validate
     gce_instance: *fedora_vm
     env:
         HOME: "/root"  # default unset, needed by golangci-lint.
@@ -345,36 +297,21 @@
       # gofix anyway.
       git diff --diff-filter=M --exit-code -- . ":(exclude)*.crt" ":(exclude)*.key" ":(exclude)*.cert"
 
-storage_codespell_task:
-    only_if: *only_if_storage
-    alias: storage_codespell
-    name: "Storage: codespell"
-    container:
-        image: python
-    build_script: pip install codespell
-    test_script: |
-      cd storage
-      codespell
-
-
 # Status aggregator for all tests.  This task simply ensures a defined
 # set of tasks all passed, and allows confirming that based on the status
 # of this task.
 success_task:
    alias: success
    # N/B: The prow merge-bot (tide) is sensitized to this exact name, DO NOT CHANGE IT.
     # Ref: https://github.com/openshift/release/pull/49820
     name: "Total Success"
     depends_on:
-        - storage_lint
         - storage_fedora_testing
         - storage_debian_testing
         - images_timestamp_update
         - storage_cross
         - storage_gofix
-        - storage_codespell
         - common_testing
-        - image_validate
         - image_cross
         - image_test
         - image_test_skopeo

diff --git a/common/.codespelldict → .codespelldict b/common/.codespelldict → .codespelldict
diff --git a/common/.codespellrc → .codespellrc b/common/.codespellrc → .codespellrc
@@ -2,10 +2,10 @@
 [codespell]
 
 # Comma-separated list of files to skip.
-skip = ./vendor,./.git #,bin,vendor,.git,go.sum,changelog.txt,.cirrus.yml,"RELEASE_NOTES.md,*.xz,*.gz,*.tar,*.tgz,bin2img,*ico,*.png,*.1,*.5,copyimg,*.orig,apidoc.go"
+skip = ./.git,./image/signature/fixtures,./image/signature/simplesigning/testdata,./storage/tests/tools/vendor,./storage/AUTHORS
 
 # Comma separated list of words to be ignored. Words must be lowercased.
-ignore-words-list = clos,creat,ro,hastable,shouldnot,mountns,passt
+ignore-words-list = clos,creat,ro,hastable,shouldnot,mountns,passt,te,bu,afile,flate,prevend,Plack,worl
 
 # Custom dictionary file that contains spelling corrections.
 # Run with option '--dictionary=-' to include also default dictionary.

diff --git a/.github/workflows/common-validate.yml b/.github/workflows/common-validate.yml
diff --git a/.github/workflows/image-codespell.yml b/.github/workflows/image-codespell.yml
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -0,0 +1,96 @@
+name: validate
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions: read-all
+
+env:
+  LINT_VERSION: v2.1.6
+
+jobs:
+  codespell:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: install deps
+      # Version of codespell bundled with Ubuntu is way old, so use pip.
+      run: pip install --break-system-packages codespell==v2.4.1
+    - name: run codespell
+      run: codespell --dictionary=-
+
+  lint:
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: ./common
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+    - uses: actions/setup-go@v5
+      with:
+        go-version: 1.25.x
+        # By default the go cache will only use go.sum in the root which we don't have,
+        # make it use for all checksum files.
+        # https://github.com/actions/setup-go?tab=readme-ov-file#caching-dependency-files-and-build-outputs
+        cache-dependency-path: "**/go.sum"
+    - name: install deps
+      run: |
+        sudo apt-get -qq update
+        sudo apt-get -qq install libseccomp-dev libgpgme-dev libbtrfs-dev libsubid-dev
+    - name: lint-common
+      uses: golangci/golangci-lint-action@v8
+      with:
+        version: "${{ env.LINT_VERSION }}"
+        args: --verbose
+        working-directory: ./common
+    # Extra linters, only checking new code from a pull request.
+    - name: lint-common-extra
+      uses: golangci/golangci-lint-action@v8
+      with:
+        args: --config=.golangci-extra.yml
+        version: "${{ env.LINT_VERSION }}"
+        only-new-issues: true
+        working-directory: ./common
+    - name: lint-image
+      uses: golangci/golangci-lint-action@v8
+      with:
+        version: "${{ env.LINT_VERSION }}"
+        args: --verbose
+        working-directory: ./image
+    - name: lint-storage
+      uses: golangci/golangci-lint-action@v8
+      with:
+        version: "${{ env.LINT_VERSION }}"
+        args: --verbose
+        working-directory: ./storage
+
+    - name: validate seccomp
+      run: ./tools/validate_seccomp.sh ./pkg/seccomp
+
+  git-validate:
+    # only run this on PRs
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        # By default github actions creates a merge commit which fails the validation,
+        # we only must validate the actual commits of the author.
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: ${{ github.event.pull_request.commits }}
+    - uses: actions/setup-go@v5
+      with:
+        go-version: 1.25.x
+        # See comment on lint task
+        cache-dependency-path: "**/go.sum"
+    - name: install deps
+      run: go install github.com/vbatts/git-validation@v1.2.2
+    - name: run git-validation
+      run: git-validation -q -run DCO,short-subject,dangling-whitespace -range "HEAD~${{ github.event.pull_request.commits }}..HEAD"
diff --git a/image/.codespellrc b/image/.codespellrc
diff --git a/image/signature/sigstore/rekor/testdata/start-rekor.sh b/image/signature/sigstore/rekor/testdata/start-rekor.sh
@@ -36,7 +36,7 @@ podman run -d --pod $POD_NAME --name rekor-db-$SUFFIX \
 
 # The db takes a bit to start up, wait until it is ready otherwise the trillian
 # containers fail to start due the missing db connection.
-max_retries=20
+max_retries=40
 retries=0
 while [[ $retries -le $max_retries ]]; do
     out=$(podman logs rekor-db-$SUFFIX 2>&1)
@@ -46,7 +46,9 @@ while [[ $retries -le $max_retries ]]; do
 
     retries=$((retries + 1))
     if [[ $retries -ge $max_retries ]]; then
-        echo "Failed to wait for the database to become ready"
+        echo "Failed to wait for the database to become ready, logs:"
+        echo "$out"
+        podman ps
         podman pod rm -f -t0 $POD_NAME
         exit 1
     fi

diff --git a/storage/.codespellrc b/storage/.codespellrc
diff --git a/storage/contrib/cirrus/build_and_test.sh b/storage/contrib/cirrus/build_and_test.sh
@@ -9,7 +9,6 @@ pwd
 ls -l
 make install.tools
 showrun make local-binary
-showrun make local-cross
 
 case $TEST_DRIVER in
     overlay)