podman.yml
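name: Podman

# Runs on demand, or when this workflow file itself changes on main.
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - .github/workflows/podman.yml

# One run at a time for this workflow; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: true

# Workflow-wide GITHUB_TOKEN scopes. Listing scopes here sets every unlisted
# scope to none. These two are what the build job's provenance attestation
# step needs; the upload job declares its own permissions block.
permissions:
  id-token: write
  attestations: write

# Versions are quoted so YAML never reads them as floats (a value such as
# 1.20 would otherwise become 1.2 and select a different toolchain).
env:
  GO_VERSION: '1.23'
  PODMAN_VERSION: '5.3.2'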
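jobs:
  # Builds podman from the upstream tag on each runner in the matrix, packs the
  # install tree as a .tar.zst and a .deb, attests both, and hands them to the
  # upload job as workflow artifacts.
  build:
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-24.04
            name: x86_64-unknown-linux-gnu
            goos: linux
            goarch: amd64
            debarch: amd64
            glibc: '2.38'
          - os: ubuntu-24.04-arm
            name: aarch64-unknown-linux-gnu
            goos: linux
            goarch: arm64
            debarch: arm64
            glibc: '2.38'
          - os: ubuntu-22.04-arm
            name: aarch64-unknown-linux-gnu35
            goos: linux
            goarch: arm64
            debarch: arm64
            glibc: '2.35'
    runs-on: ${{ matrix.os }}
    env:
      GOOS: ${{ matrix.goos }}
      GOARCH: ${{ matrix.goarch }}
    steps:
      # NOTE(review): every action in this workflow is referenced by a mutable
      # tag (@v1/@v4/@v5). Both jobs can mint OIDC tokens, so pinning each
      # `uses:` to a full commit SHA would remove the risk of a retagged action.
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Checkout podman source
        uses: actions/checkout@v4
        with:
          repository: containers/podman
          # NOTE(review): a tag can be moved upstream; a commit SHA would pin
          # exactly what gets built and attested.
          ref: v${{ env.PODMAN_VERSION }}
          # The steps below run upstream build scripts; do not leave the job
          # token in .git/config where they could read it.
          persist-credentials: false
      # NOTE(review): the matrix values `ubuntu-24.04-arm` and
      # `ubuntu-22.04-arm` do not end in `24.04` / `22.04`, so as written this
      # step runs only for the `ubuntu-24.04` entry and the 22.04 step below
      # never runs. If the arm runners were meant to be covered,
      # `contains(matrix.os, '24.04')` / `contains(matrix.os, '22.04')` would
      # match them. Confirm the intent before changing the conditions.
      - if: endsWith(matrix.os, '24.04')
        run: |
          sudo apt update
          sudo apt install -y netavark
      - if: endsWith(matrix.os, '22.04')
        run: |
          # Temporarily adds the noble universe pocket to obtain netavark, then
          # removes it again. The source is plain HTTP, so integrity rests
          # entirely on apt verifying the signed Release metadata.
          echo 'deb http://ports.ubuntu.com/ubuntu-ports/ noble universe' | sudo tee /etc/apt/sources.list.d/noble.list
          sudo apt update
          sudo apt install -y netavark
          sudo rm /etc/apt/sources.list.d/noble.list
          sudo apt update
      - name: Install podman dependencies
        run: |
          # Refresh the package index here: the netavark steps above are
          # skipped on some runners, so no `apt update` may have run yet.
          sudo apt update
          sudo apt install -y \
            btrfs-progs \
            build-essential \
            conmon \
            crun \
            git \
            golang-go \
            go-md2man \
            iptables \
            libapparmor-dev \
            libassuan-dev \
            libbtrfs-dev \
            libc6-dev \
            libdevmapper-dev \
            libglib2.0-dev \
            libgpgme-dev \
            libgpg-error-dev \
            libprotobuf-dev \
            libprotobuf-c-dev \
            libseccomp-dev \
            libselinux1-dev \
            libsystemd-dev \
            pkg-config \
            uidmap \
            zstd
          sudo sysctl kernel.unprivileged_userns_clone=1
      - run: make BUILDTAGS="apparmor cni seccomp systemd exclude_graphdriver_devicemapper" PREFIX=/usr
      - run: mkdir podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}
      - run: make DESTDIR="$(pwd)/podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}" install
      # The tarball is taken before DEBIAN/control is added to the tree.
      - run: tar -caf podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}.tar.zst podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}
      - name: Make deb
        run: |
          mkdir -p podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}/DEBIAN
          # NOTE(review): the Maintainer address below is reproduced as this
          # page rendered it (e-mail obfuscated); restore the real address
          # before reusing the control file.
          cat <<EOF > podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}/DEBIAN/control
          Package: podman
          Version: ${{env.PODMAN_VERSION}}
          Architecture: ${{ matrix.debarch }}
          Priority: optional
          Section: universe/admin
          Maintainer: BES <[email protected]>
          Bugs: https://github.com/containers/podman/issues
          Depends: conmon, crun | runc, golang-github-containers-common, libc6 (>= ${{ matrix.glibc }}), libdevmapper1.02.1 (>= 2:1.02.97), libseccomp2 (>= 2.5.0), libsqlite3-0 (>= 3.36.0), libsubid4 (>= 1:4.11.1)
          Recommends: buildah (>= 1.31), libgpgme11t64 (>= 1.4.1), catatonit | tini | dumb-init, dbus-user-session, passt, slirp4netns, uidmap
          Suggests: containers-storage, docker-compose, podman-compose, iptables
          Homepage: https://github.com/containers/podman
          Description: tool to manage containers and pods
          EOF
          dpkg-deb --root-owner-group -b podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}
      # Build provenance for the .tar.zst and the .deb. The trailing `.*`
      # requires a dot after the version, so the unpacked directory is not a
      # subject.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}.*
      - uses: actions/upload-artifact@v4
        with:
          name: podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}
          path: podman-${{ matrix.name }}-${{ env.PODMAN_VERSION }}.*
          if-no-files-found: error

  # Publishes every build artifact to S3 under the podman version and then
  # invalidates the CDN paths that serve them.
  upload:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # OIDC token for AWS login
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: podman-*
          merge-multiple: true
      # NOTE(review): workflow_dispatch can start this workflow from any
      # branch. The role's trust policy presumably restricts the OIDC `sub`
      # claim to this repository and ref; verify on the AWS side.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ap-southeast-2
          role-to-assume: arn:aws:iam::143295493206:role/gha-tamanu-tools-upload
          role-session-name: GHA@3PB=Podman
      - name: Upload
        run: |
          # Quote the file name so it is passed to aws as a single argument.
          for f in podman-*; do
            aws s3 cp "$f" "s3://bes-ops-tools/podman/${{ env.PODMAN_VERSION }}/$f" --no-progress
          done
      - name: Clear cache
        run: aws cloudfront create-invalidation --distribution-id=EDAG0UBS1MN74 --paths '/podman/*'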