github.com/containers/podman/v5@v5.1.0-rc1/.cirrus.yml

---

# Main collection of env. vars to set for all tasks and scripts.
env:
    ####
    #### Global variables used for all tasks
    ####
    # Name of the ultimate destination branch for this CI run, PR or post-merge.
    DEST_BRANCH: "main"
    # Sane (default) value for GOPROXY and GOSUMDB.
    GOPROXY: "https://proxy.golang.org,direct"
    GOSUMDB: "sum.golang.org"
    # Overrides default location (/tmp/cirrus) for repo clone
    GOPATH: &gopath "/var/tmp/go"
    GOCACHE: "${GOPATH}/cache"
    GOSRC: &gosrc "/var/tmp/go/src/github.com/containers/podman"
    CIRRUS_WORKING_DIR: *gosrc
    # The default is 'sh' if unspecified
    CIRRUS_SHELL: "/bin/bash"
    # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
    SCRIPT_BASE: "./contrib/cirrus"
    # Runner statistics log file path/name
    STATS_LOGFILE_SFX: 'runner_stats.log'
    STATS_LOGFILE: '$GOSRC/${CIRRUS_TASK_NAME}-${STATS_LOGFILE_SFX}'

    ####
    #### Cache-image names to test with (double-quotes around names are critical)
    ####
    FEDORA_NAME: "fedora-40"
    FEDORA_AARCH64_NAME: "${FEDORA_NAME}-aarch64"
    PRIOR_FEDORA_NAME: "fedora-39"
    RAWHIDE_NAME: "rawhide"
    DEBIAN_NAME: "debian-13"

    # Image identifiers
    IMAGE_SUFFIX: "c20240513t140131z-f40f39d13"

    # EC2 images
    FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"
    FEDORA_AARCH64_AMI: "fedora-podman-aws-arm64-${IMAGE_SUFFIX}"
    # GCP Images
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    RAWHIDE_CACHE_IMAGE_NAME: "rawhide-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
    # Container FQIN's
    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
    WINDOWS_AMI: "win-server-wsl-${IMAGE_SUFFIX}"
    ####
    #### Control variables that determine what to run and how to run it.
    #### N/B: Required ALL of these are set for every single task.
    ####
    TEST_FLAVOR:             # int, sys, ext_svc, validate, automation, etc.
    TEST_ENVIRON: host       # 'host', or 'container'.
    PODBIN_NAME: podman      # 'podman' or 'remote'
    PRIV_NAME: root          # 'root' or 'rootless'
    DISTRO_NV:               # any {PRIOR_,}{FEDORA,DEBIAN}_NAME value
    VM_IMAGE_NAME:           # One of the "Google-cloud VM Images" (above)
    CTR_FQIN:                # One of the "Container FQIN's" (above)
    CI_DESIRED_DATABASE: sqlite # 'sqlite' or 'boltdb'
    CI_DESIRED_STORAGE: overlay # overlay or vfs

    # Curl-command prefix for downloading task artifacts, simply add the
    # the url-encoded task name, artifact name, and path as a suffix.
    ART_URL: https://api.cirrus-ci.com/v1/artifact/build/${CIRRUS_BUILD_ID}
    ARTCURL: >-
        curl --retry 5 --retry-delay 8 --fail --location -O
        --url ${ART_URL}


# Default timeout for each task
timeout_in: 60m


gcp_credentials: ENCRYPTED[a28959877b2c9c36f151781b0a05407218cda646c7d047fc556e42f55e097e897ab63ee78369dae141dcf0b46a9d0cdd]

aws_credentials: ENCRYPTED[4ca070bffe28eb9b27d63c568b52970dd46f119c3a83b8e443241e895dbf1737580b4d84eed27a311a2b74287ef9f79f]


# N/B: This matrix of build tasks are critical to CI, along with the following
# aarch64 task. They build binaries for all CI platforms, and versions. On
# success, the contents of the repository are preserved as an artifact for
# consumption by most subsequent CI tasks.  This saves about 3-5 minutes of
# otherwise duplicative effort in most tasks.
build_task:
    alias: 'build'
    name: 'Build for $DISTRO_NV'
    gce_instance: &standardvm
        image_project: libpod-218412
        zone: "us-central1-a"
        cpu: 2
        memory: "4Gb"
        # Required to be 200gig, do not modify - has i/o performance impact
        # according to gcloud CLI tool warning messages.
        disk: 200
        image_name: "${VM_IMAGE_NAME}"  # from stdenvars
    matrix: &platform_axis
        # Ref: https://cirrus-ci.org/guide/writing-tasks/#matrix-modification
        - env: &stdenvars
              DISTRO_NV: ${FEDORA_NAME}
              # Not used here, is used in other tasks
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
              # ID for re-use of build output
              CI_DESIRED_RUNTIME: crun
        - env:
              DISTRO_NV: ${PRIOR_FEDORA_NAME}
              VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
              CI_DESIRED_RUNTIME: crun
              CI_DESIRED_DATABASE: boltdb
              CI_DESIRED_STORAGE: vfs
        - env:
              <<: *stdenvars
              DISTRO_NV: ${RAWHIDE_NAME}
              VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
              CTR_FQIN: ""
        - env:
              DISTRO_NV: ${DEBIAN_NAME}
              VM_IMAGE_NAME: ${DEBIAN_CACHE_IMAGE_NAME}
              CI_DESIRED_RUNTIME: runc
              CI_DESIRED_NETWORK: netavark
              # Ignore cgroups-v1 warnings on debian
              PODMAN_IGNORE_CGROUPSV1_WARNING: true
    env:
        TEST_FLAVOR: build
    # NOTE: The default way Cirrus-CI clones is *NOT* compatible with
    #       environment expectations in contrib/cirrus/lib.sh.  Specifically
    #       the 'origin' remote must be defined, and all remote branches/tags
    #       must be available for reference from CI scripts.
    clone_script: &full_clone |
          set -exo pipefail
          cd /
          rm -rf $CIRRUS_WORKING_DIR
          mkdir -p $CIRRUS_WORKING_DIR
          git clone --recursive --branch=$DEST_BRANCH https://x-access-token:${CIRRUS_REPO_CLONE_TOKEN}@github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
          cd $CIRRUS_WORKING_DIR
          git remote update origin
          if [[ -n "$CIRRUS_PR" ]]; then # running for a PR
              git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
              git checkout pull/$CIRRUS_PR
          else
              git reset --hard $CIRRUS_CHANGE_IN_REPO
          fi
    # Attempt to prevent flakes by confirming basic environment expectations,
    # network service connectivity and essential container image availability.
    prebuild_script: &prebuild $SCRIPT_BASE/prebuild.sh
    # Standard setup stage call, used by nearly every task in CI.
    setup_script: &setup '$GOSRC/$SCRIPT_BASE/setup_environment.sh'
    # Attempt to prevent flakes by confirming automation environment and
    # all required external/3rd-party services are available and functional.
    # Standard main execution stage call, used by nearly every task in CI.
    main_script: &main '/usr/bin/time --verbose --output="$STATS_LOGFILE" $GOSRC/$SCRIPT_BASE/runner.sh'
    # Attempt to catch code-quality and vendoring problems early.
    postbuild_script: &postbuild $SCRIPT_BASE/postbuild.sh
    # Cirrus-CI is very slow uploading one file at time, and the repo contains
    # thousands of files.  Speed this up by archiving into tarball first.
    repo_prep_script: &repo_prep >-
        tar cjf /tmp/repo.tbz -C $GOSRC . && mv /tmp/repo.tbz $GOSRC/
    repo_artifacts: &repo_artifacts
        path: ./repo.tbz
        type: application/octet-stream
    always: &runner_stats
        runner_stats_artifacts:
            path: ./*-${STATS_LOGFILE_SFX}
            type: text/plain


# Confirm the result of building on at least one platform appears sane.
# This confirms the binaries can be executed, checks --help vs docs, and
# other essential post-build validation checks.
validate_task:
    name: "Validate ${DISTRO_NV} Build"
    alias: validate
    # This task is primarily intended to catch human-errors early on, in a
    # PR.  Skip it for branch-push, branch-create, and tag-push to improve
    # automation reliability/speed in those contexts.  Any missed errors due
    # to nonsequential PR merging practices, will be caught on a future PR,
    # build or test task failures.
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: &is_pr "$CIRRUS_PR != ''"
    depends_on:
        - build
    # golangci-lint is a very, very hungry beast.
    gce_instance: &bigvm
        <<: *standardvm
        cpu: 8
        memory: "16Gb"
    matrix:
        - env:
            <<: *stdenvars
            VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
            DISTRO_NV: ${FEDORA_NAME}
        - env:
            <<: *stdenvars
            VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
            DISTRO_NV: ${RAWHIDE_NAME}
    env:
        TEST_FLAVOR: validate
    # N/B: This script depends on ${DISTRO_NV} being defined for the task.
    clone_script: &get_gosrc |
        cd /tmp
        echo "$ARTCURL/Build%20for%20${DISTRO_NV}/repo/repo.tbz"
        time $ARTCURL/Build%20for%20${DISTRO_NV}/repo/repo.tbz
        time tar xjf /tmp/repo.tbz -C $GOSRC
    setup_script: *setup
    main_script: *main
    always: *runner_stats


build_aarch64_task:
    alias: 'build_aarch64'
    name: 'Build for $DISTRO_NV'
    ec2_instance: &standard_build_ec2_aarch64
        image: ${VM_IMAGE_NAME}
        type: ${EC2_INST_TYPE}
        region: us-east-1
        architecture: arm64  # CAUTION: This has to be "arm64", not "aarch64".
    env: &stdenvars_aarch64
        EC2_INST_TYPE: "t4g.xlarge"
        DISTRO_NV: ${FEDORA_AARCH64_NAME}
        VM_IMAGE_NAME: ${FEDORA_AARCH64_AMI}
        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        CI_DESIRED_RUNTIME: crun
        TEST_FLAVOR: build
    clone_script: *full_clone
    prebuild_script: *prebuild
    setup_script: *setup
    postbuild_script: *postbuild
    main_script: *main
    # Cirrus-CI is very slow uploading one file at time, and the repo contains
    # thousands of files.  Speed this up by archiving into tarball first.
    repo_prep_script: &repo_prep_aarch64 >-
        tar cjf /tmp/repo.tbz -C $GOSRC . && mv /tmp/repo.tbz $GOSRC/
    repo_artifacts: &repo_artifacts_aarch64
        path: ./repo.tbz
        type: application/octet-stream
    always: *runner_stats


# Confirm the result of building on at least one platform appears sane.
# This confirms the binaries can be executed, checks --help vs docs, and
# other essential post-build validation checks.
validate_aarch64_task:
    name: "Validate $DISTRO_NV Build"
    alias: validate_aarch64
    # This task is primarily intended to catch human-errors early on, in a
    # PR.  Skip it for branch-push, branch-create, and tag-push to improve
    # automation reliability/speed in those contexts.  Any missed errors due
    # to nonsequential PR merging practices, will be caught on a future PR,
    # build or test task failures.
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *is_pr
    depends_on:
        - build_aarch64
    ec2_instance: *standard_build_ec2_aarch64
    env:
        <<: *stdenvars_aarch64
        TEST_FLAVOR: validate
        DISTRO_NV: ${FEDORA_AARCH64_NAME}
    # N/B: This script depends on ${DISTRO_NV} being defined for the task.
    clone_script: &get_gosrc_aarch64 |
        cd /tmp
        echo "$ARTCURL/build_aarch64/repo/repo.tbz"
        time $ARTCURL/build_aarch64/repo/repo.tbz
        time tar xjf /tmp/repo.tbz -C $GOSRC
    setup_script: *setup
    main_script: *main
    always: *runner_stats


# There are several other important variations of podman which
# must always build successfully.  Most of them are handled in
# this task, though a few need dedicated tasks which follow.
alt_build_task:
    name: "$ALT_NAME"
    alias: alt_build
    # Don't create task for [CI:DOCS], or rhel-release builds
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: &no_rhel_release |
        $CIRRUS_BRANCH !=~ 'v[0-9\.]+-rhel' &&
        $CIRRUS_BASE_BRANCH !=~ 'v[0-9\.]+-rhel'
    env:
        <<: *stdenvars
        TEST_FLAVOR: "altbuild"
    gce_instance: *standardvm
    matrix:
      - env:
            ALT_NAME: 'Build Each Commit'
      - env:
            # TODO: Replace with task using `winmake` to build
            # binary and archive installation zip file.
            ALT_NAME: 'Windows Cross'
      - env:
            ALT_NAME: 'Alt Arch. x86 Cross'
      - env:
            ALT_NAME: 'Alt Arch. ARM Cross'
      - env:
            ALT_NAME: 'Alt Arch. MIPS Cross'
      - env:
            ALT_NAME: 'Alt Arch. MIPS64 Cross'
      - env:
            ALT_NAME: 'Alt Arch. Other Cross'
    # This task cannot make use of the shared repo.tbz artifact.
    clone_script: *full_clone
    setup_script: *setup
    main_script: *main
    # Produce a new repo.tbz artifact for consumption by 'artifacts' task.
    repo_prep_script: *repo_prep
    repo_artifacts: *repo_artifacts
    always: *runner_stats


# Confirm building the remote client, natively on a Mac OS-X VM.
osx_alt_build_task:
    name: "OSX Cross"
    alias: osx_alt_build
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *no_rhel_release  # RHEL never releases podman mac installer binary
    persistent_worker: &mac_pw
        labels:
            os: darwin
            arch: arm64
            purpose: prod
    env: &mac_env
        CIRRUS_SHELL: "/bin/bash"  # sh is the default
        CIRRUS_WORKING_DIR: "$HOME/ci/task-${CIRRUS_TASK_ID}"  # Isolation: $HOME will be set to "ci" dir.
        # Prevent cache-pollution fron one task to the next.
        GOPATH: "$CIRRUS_WORKING_DIR/.go"
        GOCACHE: "$CIRRUS_WORKING_DIR/.go/cache"
        GOENV: "$CIRRUS_WORKING_DIR/.go/support"
        GOSRC: "$HOME/ci/task-${CIRRUS_TASK_ID}"
    clone_script: *full_clone
    # This host is/was shared with potentially many other CI tasks.
    # The previous task may have been canceled or aborted.
    prep_script: &mac_cleanup "contrib/cirrus/mac_cleanup.sh"
    lint_script:
        - make golangci-lint
    basic_build_script:
        - make .install.ginkgo
        - make podman-remote
        - make podman-mac-helper
    build_pkginstaller_script:
        - pushd contrib/pkginstaller
        - make ARCH=amd64 NO_CODESIGN=1 pkginstaller
        - make ARCH=aarch64 NO_CODESIGN=1 pkginstaller
        - make ARCH=universal NO_CODESIGN=1 pkginstaller
        - popd
    build_amd64_script:
        - make podman-remote-release-darwin_amd64.zip
    # Building arm podman needs to be the last thing built in this task
    # The Mac tests rely this Podman binary to run, and the CI Mac is ARM-based
    build_arm64_script:
        - make podman-remote-release-darwin_arm64.zip
    # Produce a new repo.tbz artifact for consumption by dependent tasks.
    repo_prep_script: *repo_prep
    repo_artifacts: *repo_artifacts
    # This host is/was shared with potentially many other CI tasks.
    # Ensure nothing is left running while waiting for the next task.
    always:
        task_cleanup_script: *mac_cleanup


# Build freebsd release natively on a FreeBSD VM.
freebsd_alt_build_task:
    name: "FreeBSD Cross"
    alias: freebsd_alt_build
    # Only run on 'main' and PRs against 'main'
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: |
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:MACHINE.*' &&
        ( $CIRRUS_BRANCH == 'main' || $CIRRUS_BASE_BRANCH == 'main' )
    env:
        <<: *stdenvars
        # Functional FreeBSD builds must be built natively since they depend on CGO
        DISTRO_NV: freebsd-13
        VM_IMAGE_NAME: notyet
        CTR_FQIN: notyet
        CIRRUS_SHELL: "/bin/sh"
        TEST_FLAVOR: "altbuild"
        ALT_NAME: 'FreeBSD Cross'
    freebsd_instance:
        image_family: freebsd-13-3
    setup_script:
        - pkg install -y gpgme bash go-md2man gmake gsed gnugrep go pkgconf
    build_amd64_script:
        - gmake podman-release
    # This task cannot make use of the shared repo.tbz artifact and must
    # produce a new repo.tbz artifact for consumption by 'artifacts' task.
    repo_prep_script: *repo_prep
    repo_artifacts: *repo_artifacts


# Status aggregator for all builds.  This task simply makes dependency
# management easier, and results in a simpler graph that using YAML
# anchors/aliases.
build_success_task:
    name: "Total Build Success"
    alias: build_success
    depends_on:
        - build
        - validate
        - build_aarch64
        - validate_aarch64
        - alt_build
        - osx_alt_build
        - freebsd_alt_build
    env:
        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
    container: &smallcontainer
        image: ${CTR_FQIN}
        # Resources are limited across ALL currently executing tasks
        # ref: https://cirrus-ci.org/guide/linux/#linux-containers
        cpu: 1
        memory: 1
    clone_script:  &noop mkdir -p "$CIRRUS_WORKING_DIR"
    script: *noop


# Exercise the "libpod" API with a small set of common
# operations to ensure they are functional.
bindings_task:
    name: "Test Bindings"
    alias: bindings
    # Don't create task for PRs using [CI:DOCS] or [CI:BUILD]
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: >-
        $CIRRUS_PR != '' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:MACHINE.*'
    depends_on: &build
        - build_success
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: bindings
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: &logs_artifacts
        <<: *runner_stats
        # Required for `contrib/cirrus/logformatter` to work properly
        html_artifacts:
            path: ./*.html
            type: text/html
        server_log_artifacts:
            path: ./podman-server.log
            type: text/plain
        df_script: '$SCRIPT_BASE/logcollector.sh df'
        audit_log_script: '$SCRIPT_BASE/logcollector.sh audit'
        journal_script: '$SCRIPT_BASE/logcollector.sh journal'
        podman_system_info_script: '$SCRIPT_BASE/logcollector.sh podman'
        time_script: '$SCRIPT_BASE/logcollector.sh time'


# Build the "libpod" API documentation `swagger.yaml` and
# publish it to google-cloud-storage (GCS).
swagger_task:
    name: "Test Swagger"
    alias: swagger
    # Don't create task for [CI:BUILD]
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: |
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:MACHINE.*'
    depends_on: *build
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: swagger
        CTR_FQIN: 'quay.io/libpod/gcsupld:${IMAGE_SUFFIX}'
        GCPJSON: ENCRYPTED[927dc01e755eaddb4242b0845cf86c9098d1e3dffac38c70aefb1487fd8b4fe6dd6ae627b3bffafaba70e2c63172664e]
        GCPNAME: ENCRYPTED[c145e9c16b6fb88d476944a454bf4c1ccc84bb4ecaca73bdd28bdacef0dfa7959ebc8171a27b2e4064d66093b2cdba49]
        GCPPROJECT: 'libpod-218412'
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always:
        <<: *runner_stats
        swagger_artifacts:
            path: ./swagger.yaml
            type: text/plain


win_installer_task:
    name: "Verify Win Installer Build"
    alias: win_installer
    only_if:  # RHEL never releases podman windows installer binary
      $CIRRUS_TAG == '' &&
      $CIRRUS_BRANCH !=~ 'v[0-9\.]+-rhel' &&
      $CIRRUS_BASE_BRANCH !=~ 'v[0-9\.]+-rhel'
    depends_on: *build
    ec2_instance: &windows
        image: "${WINDOWS_AMI}"
        type: m5.large
        region: us-east-1
        platform: windows
    env: &winenv
        CIRRUS_WORKING_DIR: &wincwd "${LOCALAPPDATA}\\cirrus-ci-build"
        CIRRUS_SHELL: powershell
        PATH: "${PATH};C:\\ProgramData\\chocolatey\\bin"
        DISTRO_NV: "windows"
        PRIV_NAME: "rootless"
        # Fake version, we are only testing the installer functions, so version doesn't matter
        WIN_INST_VER: 9.9.9
    # It's HIGHLY desireable to use the same binary throughout CI.  Otherwise, if
    # there's a toolchain or build-environment specific problem, it can be incredibly
    # difficult (and non-obvious) to debug.
    clone_script: &winclone |
        $ErrorActionPreference = 'Stop'
        $ProgressPreference = 'SilentlyContinue'
        New-Item -ItemType Directory -Force -Path "$ENV:CIRRUS_WORKING_DIR"
        Set-Location "$ENV:CIRRUS_WORKING_DIR"
        $uri = "${ENV:ART_URL}/Windows Cross/repo/repo.tbz"
        Write-Host "Downloading $uri"
        For($i = 0;;) {
            Try {
                Invoke-WebRequest -UseBasicParsing -ErrorAction Stop -OutFile "repo.tbz2" `
                  -Uri "$uri"
                Break
            } Catch {
                if (++$i -gt 6) {
                    throw $_.Exception
                }
                Write-Host "Download failed - retrying:" $_.Exception.Response.StatusCode
                Start-Sleep -Seconds 10
            }
        }
        arc unarchive repo.tbz2 .\
        if ($LASTEXITCODE -ne 0) {
            throw "Unarchive repo.tbz2 failed"
            Exit 1
        }
        Get-ChildItem -Path .\repo
    main_script: ".\\repo\\contrib\\cirrus\\win-installer-main.ps1"


# Verify podman is compatible with the docker python-module.
docker-py_test_task:
    name: Docker-py Compat.
    alias: docker-py_test
    # Don't create task for tags, branches, or PRs w/ [CI:<magic>]
    # N/B: for PRs $CIRRUS_BRANCH == 'pull/<number>'
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: &not_tag_branch_build_docs_machine >-
        $CIRRUS_PR != '' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:MACHINE.*'
    depends_on: *build
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: docker-py
        TEST_ENVIRON: container
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *runner_stats


# Does exactly what it says, execute the podman unit-tests on Fedora.
unit_test_task:
    name: "Unit tests on $DISTRO_NV"
    alias: unit_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    matrix:
        - env: *stdenvars
        # Special-case: Rootless on latest Fedora (standard) VM
        - name: "Rootless unit on $DISTRO_NV"
          env:
              <<: *stdenvars
              PRIV_NAME: rootless
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: unit
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


apiv2_test_task:
    name: "APIv2 test on $DISTRO_NV ($PRIV_NAME)"
    alias: apiv2_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    gce_instance: *standardvm
    # Test is normally pretty quick, about 10-minutes.  If it hangs,
    # don't make developers wait the full 1-hour timeout.
    timeout_in: 20m
    env:
        <<: *stdenvars
        TEST_FLAVOR: apiv2
    matrix:
      - env:
          PRIV_NAME: root
      - env:
          PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


compose_test_task:
    name: "$TEST_FLAVOR test on $DISTRO_NV ($PRIV_NAME)"
    alias: compose_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    gce_instance: *standardvm
    matrix:
      - env:
            PRIV_NAME: root
      - env:
            PRIV_NAME: rootless
    env:
        <<: *stdenvars
        TEST_FLAVOR: compose_v2
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


# versions, as root, without involving the podman-remote client.
local_integration_test_task: &local_integration_test_task
    # Integration-test task name convention:
    # <int.|sys.> <podman|remote> <Distro NV> <root|rootless>
    name: &std_name_fmt "$TEST_FLAVOR $PODBIN_NAME $DISTRO_NV $PRIV_NAME $TEST_ENVIRON ${CI_DESIRED_DATABASE}"
    alias: local_integration_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    matrix: *platform_axis
    gce_instance: *standardvm
    timeout_in: 50m
    env:
        TEST_FLAVOR: int
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: &int_logs_artifacts
        <<: *logs_artifacts
        ginkgo_node_logs_artifacts:
            path: ./test/e2e/ginkgo-node-*.log
            type: text/plain
        ginkgo_json_artifacts:
            path: ./ginkgo-e2e.json
            type: application/json


# Nearly identical to `local_integration_test` except all operations
# are performed through the podman-remote client vs a podman "server"
# running on the same host.
remote_integration_test_task:
    <<: *local_integration_test_task
    alias: remote_integration_test
    env:
        TEST_FLAVOR: int
        PODBIN_NAME: remote


# Run the complete set of integration tests from inside a container.
# This verifies all/most operations function with "podman-in-podman".
container_integration_test_task:
    name: *std_name_fmt
    alias: container_integration_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    matrix: &fedora_vm_axis
        - env:
              DISTRO_NV: ${FEDORA_NAME}
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
              CI_DESIRED_RUNTIME: crun
        - env:
              DISTRO_NV: ${PRIOR_FEDORA_NAME}
              VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
              CI_DESIRED_RUNTIME: crun
              CI_DESIRED_DATABASE: boltdb
    gce_instance: *standardvm
    timeout_in: 50m
    env:
        TEST_FLAVOR: int
        TEST_ENVIRON: container
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *int_logs_artifacts


# Execute most integration tests as a regular (non-root) user.
rootless_integration_test_task:
    name: *std_name_fmt
    alias: rootless_integration_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_branch_build_docs_machine
    depends_on: *build
    matrix: *platform_axis
    gce_instance: *standardvm
    timeout_in: 50m
    env:
        TEST_FLAVOR: int
        PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *int_logs_artifacts


podman_machine_task:
    name: *std_name_fmt
    alias: podman_machine
    # Only run for PRs and never [CI:DOCS] or [CI:BUILD]
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: &machine_cron_not_tag_build_docs >-
        ($CIRRUS_PR != '' &&
         $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
         $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*'
        ) || $CIRRUS_CRON == "main"
    depends_on: *build
    ec2_instance:
        image: "${VM_IMAGE_NAME}"
        type: "${EC2_INST_TYPE}"
        region: us-east-1
    env:
      EC2_INST_TYPE: "m5zn.metal"  # Bare-metal instance is required
      TEST_FLAVOR: "machine-linux"
      PRIV_NAME: "rootless"  # intended use-case
      DISTRO_NV: "${FEDORA_NAME}"
      VM_IMAGE_NAME: "${FEDORA_AMI}"
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *int_logs_artifacts


podman_machine_aarch64_task:
    name: *std_name_fmt
    alias: podman_machine_aarch64
    only_if: *machine_cron_not_tag_build_docs
    depends_on: *build
    ec2_instance:
        <<: *standard_build_ec2_aarch64
    env:
        TEST_FLAVOR: "machine-linux"
        EC2_INST_TYPE: c6g.metal
        PRIV_NAME: "rootless"  # intended use-case
        DISTRO_NV: "${FEDORA_AARCH64_NAME}"
        VM_IMAGE_NAME: "${FEDORA_AARCH64_AMI}"
    clone_script: *get_gosrc_aarch64
    setup_script: *setup
    main_script: *main
    always: *int_logs_artifacts


podman_machine_windows_task:
    name: *std_name_fmt
    alias: podman_machine_windows
    # Only run for non-docs/copr PRs and non-release branch builds
    # and never for tags.  Docs: ./contrib/cirrus/CIModes.md
    only_if: *machine_cron_not_tag_build_docs
    depends_on: *build
    ec2_instance:
        <<: *windows
        type: m5zn.metal
        platform: windows
    env: *winenv
    matrix:
      - env:
          TEST_FLAVOR: "machine-wsl"
      - env:
          TEST_FLAVOR: "machine-hyperv"
    clone_script: *winclone
    main_script: ".\\repo\\contrib\\cirrus\\win-podman-machine-main.ps1"
    always:
        # Required for `contrib/cirrus/logformatter` to work properly
        html_artifacts:
            path: ./*.html
            type: text/html


podman_machine_mac_task:
    name: *std_name_fmt
    alias: podman_machine_mac
    only_if: *machine_cron_not_tag_build_docs
    depends_on: *build
    persistent_worker: *mac_pw
    env:
        <<: *mac_env
        # Consumed by podman-machine ginkgo tests
        CONTAINERS_MACHINE_PROVIDER: "applehv"
        # TODO: Should not require a special image, for now it does.
        # Simply remove the line below when a mac image is GA.
        # MACHINE_IMAGE: "https://fedorapeople.org/groups/podman/testing/applehv/arm64/fedora-coreos-38.20230925.dev.0-applehv.aarch64.raw.gz"
        # Values necessary to populate std_name_fmt alias
        TEST_FLAVOR: "machine-mac"
        DISTRO_NV: "darwin"
        PRIV_NAME: "rootless"  # intended use-case
    clone_script:  # artifacts from osx_alt_build_task
        - mkdir -p $CIRRUS_WORKING_DIR
        - cd $CIRRUS_WORKING_DIR
        - $ARTCURL/OSX%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
    # This host is/was shared with potentially many other CI tasks.
    # The previous task may have been canceled or aborted.
    prep_script: *mac_cleanup
    setup_script: "contrib/cirrus/mac_setup.sh"
    env_script: "contrib/cirrus/mac_env.sh"
    # TODO: Timeout bumped b/c initial image download (~5min) and VM
    #       resize (~2min) causes test-timeout (90s default).  Should
    #       tests deal with this internally?
    test_script:
        - "contrib/cirrus/mac_runner.sh"
    # This host is/was shared with potentially many other CI tasks.
    # Ensure nothing is left running while waiting for the next task.
    always:
        # Required for `contrib/cirrus/logformatter` to work properly
        html_artifacts:
            path: ./*.html
            type: text/html
        task_cleanup_script: *mac_cleanup


# Always run subsequent to integration tests.  While parallelism is lost
# with runtime, debugging system-test failures can be more challenging
# for some golang developers.  Otherwise the following tasks run across
# the same matrix as the integration-tests (above).
local_system_test_task: &local_system_test_task
    name: *std_name_fmt
    alias: local_system_test
    # Don't create task for tags, or if using [CI:*] magic
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: &not_tag_magic >-
        $CIRRUS_TAG == '' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:MACHINE.*'
    depends_on: *build
    matrix: *platform_axis
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: sys
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


local_system_test_aarch64_task: &local_system_test_task_aarch64
    name: *std_name_fmt
    alias: local_system_test_aarch64
    # Don't create task for tags, or if using [CI:DOCS], [CI:BUILD]
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    persistent_worker: *mac_pw
    ec2_instance: *standard_build_ec2_aarch64
    env:
        <<: *stdenvars_aarch64
        TEST_FLAVOR: sys
        DISTRO_NV: ${FEDORA_AARCH64_NAME}
    clone_script: *get_gosrc_aarch64
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


remote_system_test_task:
    <<: *local_system_test_task
    alias: remote_system_test
    env:
        TEST_FLAVOR: sys
        PODBIN_NAME: remote


remote_system_test_aarch64_task:
    <<: *local_system_test_task_aarch64
    alias: remote_system_test_aarch64
    env:
        TEST_FLAVOR: sys
        PODBIN_NAME: remote


rootless_remote_system_test_task:
    matrix:
        # Minimal sanity testing: only the latest Fedora
        - env:
              DISTRO_NV: ${FEDORA_NAME}
              # Not used here, is used in other tasks
              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
              CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
              CI_DESIRED_RUNTIME: crun
    <<: *local_system_test_task
    alias: rootless_remote_system_test
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: sys
        PODBIN_NAME: remote
        PRIV_NAME: rootless


rootless_system_test_task:
    name: *std_name_fmt
    alias: rootless_system_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    matrix: *platform_axis
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: sys
        PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


minikube_test_task:
    name: *std_name_fmt
    alias: minikube_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: minikube
        PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts

farm_test_task:
    name: *std_name_fmt
    alias: farm_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: farm
        PRIV_NAME: rootless
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts

buildah_bud_test_task:
    name: *std_name_fmt
    alias: buildah_bud_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    env:
        <<: *stdenvars
        TEST_FLAVOR: bud
    matrix:
        - env:
            PODBIN_NAME: podman
        - env:
            PODBIN_NAME: remote
    gce_instance: *standardvm
    timeout_in: 45m
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *int_logs_artifacts

upgrade_test_task:
    name: "Upgrade test: from $PODMAN_UPGRADE_FROM"
    alias: upgrade_test
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: *not_tag_magic
    depends_on: *build
    matrix:
        - env:
              # 2024-02: as long as possible/reasonable, try to keep
              #   one version < 4.8 so we can test boltdb. v4.3.1 is
              #   the lowest we can go right now, builds before that
              #   have netavark <1.4 which hangs on f39 kernel (#21863).
              PODMAN_UPGRADE_FROM: v4.3.1
        - env:
              PODMAN_UPGRADE_FROM: v4.8.0
    gce_instance: *standardvm
    env:
        TEST_FLAVOR: upgrade_test
        DISTRO_NV: ${FEDORA_NAME}
        VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
        # Never force a DB, let the old version decide its default
        CI_DESIRED_DATABASE:
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main
    always: *logs_artifacts


# This task is critical.  It updates the "last-used by" timestamp stored
# in metadata for all VM images.  This mechanism functions in tandem with
# an out-of-band pruning operation to remove disused VM images.
meta_task:
    name: "VM img. keepalive"
    alias: meta
    container:
        cpu: 2
        memory: 2
        image: quay.io/libpod/imgts:latest
    env:
        # Space-separated list of images used by this repository state
        IMGNAMES: >-
            ${FEDORA_CACHE_IMAGE_NAME}
            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
            ${RAWHIDE_CACHE_IMAGE_NAME}
            ${DEBIAN_CACHE_IMAGE_NAME}
        EC2IMGNAMES: >-
          ${FEDORA_AARCH64_AMI}
          ${FEDORA_AMI}
          ${WINDOWS_AMI}
        BUILDID: "${CIRRUS_BUILD_ID}"
        REPOREF: "${CIRRUS_REPO_NAME}"
        AWSINI: ENCRYPTED[21b2db557171b11eb5abdbccae593f48c9caeba86dfcc4d4ff109edee9b4656ab6720a110dadfcd51e88cc59a71cc7af]
        GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4]
        GCPNAME: ENCRYPTED[2f9738ef295a706f66a13891b40e8eaa92a89e0e87faf8bed66c41eca72bf76cfd190a6f2d0e8444c631fdf15ed32ef6]
        GCPPROJECT: libpod-218412
    clone_script: *noop
    script: /usr/local/bin/entrypoint.sh


# Status aggregator for all tests.  This task ensures a defined set of tasks
# all passed, and allows confirming that based on the status of this task.
success_task:
    # N/B: The prow merge-bot (tide) is sensitized to this exact name, DO NOT CHANGE IT.
    # Ref: https://github.com/openshift/release/pull/48855
    name: "Total Success"
    alias: success
    # N/B: ALL tasks must be listed here, minus their '_task' suffix.
    depends_on:
        - build_success
        - bindings
        - swagger
        - win_installer
        - docker-py_test
        - unit_test
        - apiv2_test
        - compose_test
        - local_integration_test
        - remote_integration_test
        - container_integration_test
        - rootless_integration_test
        - podman_machine
        - podman_machine_aarch64
        - podman_machine_windows
        - podman_machine_mac
        - local_system_test
        - local_system_test_aarch64
        - remote_system_test
        - remote_system_test_aarch64
        - rootless_remote_system_test
        - rootless_system_test
        - local_system_test
        - local_system_test_aarch64
        - remote_system_test
        - rootless_remote_system_test
        - rootless_system_test
        - minikube_test
        - farm_test
        - buildah_bud_test
        - upgrade_test
        - meta
    env:
        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
    container: *smallcontainer
    clone_script: *noop
    script: |
        if [[ "$CIRRUS_CHANGE_TITLE" =~ CI:MACHINE ]] && [[ -n "$CIRRUS_PR" ]]; then
            echo "Error: Risk of untested change merge."
            echo "Please remove [CI:MACHINE] from title."
            exit 1
        fi

# WARNING: Most of the artifacts captured here are also have their
# permalinks present in the `DOWNLOADS.md` file.  Any changes made
# here, should probably be reflected in that document.
artifacts_task:
    name: "Artifacts"
    alias: artifacts
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: >-
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_BRANCH !=~ 'v[0-9\.]+-rhel' &&
        $CIRRUS_BASE_BRANCH !=~ 'v[0-9\.]+-rhel'
    depends_on:
        - success
    # This task is a secondary/convenience for downstream consumers, don't
    # block development progress if there is a failure in a PR, only break
    # when running on branches or tags.
    allow_failures: $CIRRUS_PR != ''
    container: *smallcontainer
    env:
        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
        TEST_ENVIRON: container
    # In order to keep the download URL and Cirrus-CI artifact.zip contents
    # simple, nothing should exist in $CIRRUS_WORKING_DIR except for artifacts.
    clone_script: *noop
    fedora_binaries_script:
        - mkdir -p /tmp/fed
        - cd /tmp/fed
        - $ARTCURL/Build%20for%20${FEDORA_NAME}/repo/repo.tbz
        - tar xjf repo.tbz
        - cp ./bin/* $CIRRUS_WORKING_DIR/
    alt_binaries_intel_script:
        - mkdir -p /tmp/alt
        - cd /tmp/alt
        - $ARTCURL/Alt%20Arch.%20x86%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./*.tar.gz $CIRRUS_WORKING_DIR/
    alt_binaries_arm_script:
        - mkdir -p /tmp/alt
        - cd /tmp/alt
        - $ARTCURL/Alt%20Arch.%20ARM%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./*.tar.gz $CIRRUS_WORKING_DIR/
    alt_binaries_mips_script:
        - mkdir -p /tmp/alt
        - cd /tmp/alt
        - $ARTCURL/Alt%20Arch.%20MIPS%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./*.tar.gz $CIRRUS_WORKING_DIR/
    alt_binaries_mips64_script:
        - mkdir -p /tmp/alt
        - cd /tmp/alt
        - $ARTCURL/Alt%20Arch.%20MIPS64%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./*.tar.gz $CIRRUS_WORKING_DIR/
    alt_binaries_other_script:
        - mkdir -p /tmp/alt
        - cd /tmp/alt
        - $ARTCURL/Alt%20Arch.%20Other%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./*.tar.gz $CIRRUS_WORKING_DIR/
    win_binaries_script:
        - mkdir -p /tmp/win
        - cd /tmp/win
        - $ARTCURL/Windows%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./podman-remote*.zip $CIRRUS_WORKING_DIR/
    osx_binaries_script:
        - mkdir -p /tmp/osx
        - cd /tmp/osx
        - $ARTCURL/OSX%20Cross/repo/repo.tbz
        - tar xjf repo.tbz
        - mv ./podman-remote-release-darwin_*.zip $CIRRUS_WORKING_DIR/
        - mv ./contrib/pkginstaller/out/podman-installer-macos-*.pkg $CIRRUS_WORKING_DIR/
    always:
      contents_script: ls -la $CIRRUS_WORKING_DIR
      # Produce downloadable files and an automatic zip-file accessible
      # by a consistent URL, based on contents of $CIRRUS_WORKING_DIR
      # Ref: https://cirrus-ci.org/guide/writing-tasks/#latest-build-artifacts
      binary_artifacts:
          path: ./*
          type: application/octet-stream


# When a new tag is pushed, confirm that the code and commits
# meet criteria for an official release.
release_task:
    name: "Verify Release"
    alias: release
    # This should _only_ run for new tags
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: $CIRRUS_TAG != ''
    depends_on:
        - build_success
        - success
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: release
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main


# When preparing to release a new version, this task may be manually
# activated at the PR stage to verify the build is proper for a potential
# podman release.
#
# Note: This cannot use a YAML alias on 'release_task' as of this
# comment, it is incompatible with 'trigger_type: manual'
release_test_task:
    name: "Optional Release Test"
    alias: release_test
    # Release-PRs always include "release" or "Bump" in the title
    # Docs: ./contrib/cirrus/CIModes.md
    only_if: $CIRRUS_CHANGE_TITLE =~ '.*((release)|(bump)).*'
    # Allow running manually only as part of release-related builds
    # see RELEASE_PROCESS.md
    trigger_type: manual
    depends_on:
        - build_success
        - success
    gce_instance: *standardvm
    env:
        <<: *stdenvars
        TEST_FLAVOR: release
    clone_script: *get_gosrc
    setup_script: *setup
    main_script: *main