Merge tag 'common/v0.66.1' into main #533
Conversation
The default helper binary directory on Windows was hardcoded. However the new user-scope installer deploys the binaries on a distinct directory. As a consequence `podman machine start` fails because gvproxy/winssh-proxy cannot be found. This problem affects Hyper-V, not WSL. To fix the problem we are using $BINDIR that is used by the function FindHelperBinaries to look in the directory where podman is located. Fixes containers/podman#27603 Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
…es-cp [podman-5.7] Use $BINDIR as the default helper binary directory on Windows
When using http proxy vars in the engine section they can still get leaked because http_proxy defaults to true. Fixes: https://issues.redhat.com/browse/RHEL-127541 Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit d205608) Signed-off-by: Paul Holzinger <pholzing@redhat.com>
[podman-5.7] common: clarify containers.conf doc for env
Bump common to v0.66.1 in preparation for Podman v5.7 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Merge common/v0.66.1 tag into main so the go module resolver can update newer digest instead of thinking v0.66.1 is newer. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
git-validate is validate is failing as it is linting some of the other merge commits that happen in between it seems, and our github ui merge commits all don't have a sign-off so it fails but somehow it only fails like that for one of the merge commits? I don't get the whitespace error either, I guess I need to rework how the validate task works |
mtrmac
left a comment
mtrmac
left a comment
There was a problem hiding this comment.
OK but… why the change to fetch-depth (I assume) fix things?
The validation was passing for me locally.
Apparently if we fetch fewer commits, git show might show a commit (grafted) as adding a full tree instead of a diff.
… and the real underlying cause is that we do have whitespace errors in main:
% git show --check $(git log --oneline README.md | head -n 1 | cut -d ' ' -f 1)
commit ac7a4416ef6fd5069cd9a1ff4dc37cec3377bd59
…
README.md:3: trailing whitespace.
+This repository is a **monorepo** combining several core Go libraries and utilities from the [containers](https://github.com/containers) project.
README.md:5: trailing whitespace.
+It brings together:
README.md:7: trailing whitespace.
+- **[`common`](./common/)** → Shared Go code and configuration used across multiple containers projects.
README.md:8: trailing whitespace.
+- **[`storage`](./storage/)** → A Go library for managing container images, layers, and containers.
README.md:9: trailing whitespace.
+- **[`image`](./image/)** → A Go library for interacting with container images and registries. also on
README.md
SECURITY.md
common/pkg/config/testdata/containers_default.conf
common/pkg/config/testdata/containers_invalid.conf
common/pkg/config/testdata/containers_override2.conf
common/tools/rebuild_quay_ctr_images.sh
storage/.mailmap
storage/docs/containers-storage.md
storage/pkg/locker/README.md
storage/pkg/reexec/README.md
storage/types/storage_broken.conf
I think it all comes down to We would have to fetch main and the PR to get this to work I believe or at least get enough commits so the sparse commit does not get associated with the other unrelated files in git show. I am currently just pushing some changes to test things.
right, we have the full history. |
Oh, so the version of this PR a few hours ago was not actually working, I didn’t notice. So I think I have a complete enough hypothesis:
And the fix to that is to be precise about the set of incoming commits instead of relying on (This is me now paying down the debt from #33 (comment) ) |
|
(It wouldn’t also hurt to fix all of the whitespace errors in |
Do not define GIT_CHECK_EXCLUDE in two places and just define it once and make the action use the Makefile. In addtion we don't want to lint the full set of commits, this seems to cause side effects with merge commits as it lints commits that may no actual be in the PR and thus it can fail. Using "github.event.pull_request.base.sha" is the right base commit we care about and makes the validation work. Thanks to Miloslav for finding that value. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| # We validate all commits as we only fetched the number of commits in the PR above, | ||
| # by default git-validation has some special github action handling but that seems broken. | ||
| run: make .install.gitvalidation && git-validation -no-github | ||
| run: make .install.gitvalidation && make git-validation |
There was a problem hiding this comment.
(I’d be inclined to do make git-validation EPOCH_TEST_COMMIT=… to make the consumer and option passing explicit, but the comment + unique variable name work perfectly fine as is.)
There was a problem hiding this comment.
FWIW, I explicitly made the decision to do it that way because github actions is full of fotguns.
${{ github.event.pull_request.base.sha }} is resolved before it get passes to the shell if we do it in the shell line. That means if an attacker controls the value they can inject custom code, i.e. just end the quote in the value.
Now of course none of this applies here as, a) this is a pull request target where users can just modify the code anyway and b) it should be somewhat safe that we always get a hash there that an attcker can not swap. That said I think it is best practise to avoid the ${{ }} block inside the script section for this reason.
There was a problem hiding this comment.
That means if an attacker controls the value they can inject custom code, i.e. just end the quote in the value
Oh… now I remember that coming up :) Thanks for the reminder.
4 participants
As normal we need to make the go module resolver aware that we are indeed newer on main.