From d0a12ddf3803ade7a88a25058bacd28e84477c69 Mon Sep 17 00:00:00 2001
From: bootc-dev Bot
Date: Tue, 2 Dec 2025 15:56:32 +0000
Subject: [PATCH] Sync common files from infra repository
Synchronized from bootc-dev/infra@10decade10bbbb5d7dea158661b612eb743ebad7.
Signed-off-by: bootc-dev Bot
---
 .bootc-dev-infra-commit.txt | 2 +-
 .claude/CLAUDE.md | 1 +
 .devcontainer/devcontainer.json | 28 ++++++
 .gemini/config.yaml | 4 +
 .github/actions/bootc-ubuntu-setup/action.yml | 91 +++++++++++++++++++
 .github/actions/setup-rust/action.yml | 20 ++++
 .github/workflows/openssf-scorecard.yml | 50 ++++++++++
 .github/workflows/rebase.yml | 45 +++++++++
 AGENTS.md | 29 ++++++
 9 files changed, 269 insertions(+), 1 deletion(-)
 create mode 120000 .claude/CLAUDE.md
 create mode 100644 .devcontainer/devcontainer.json
 create mode 100644 .github/actions/bootc-ubuntu-setup/action.yml
 create mode 100644 .github/actions/setup-rust/action.yml
 create mode 100644 .github/workflows/openssf-scorecard.yml
 create mode 100644 .github/workflows/rebase.yml
 create mode 100644 AGENTS.md
diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index c945bb1..1158b0a 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-3249ff02e990cb856da25dcf44add398202088c0
+10decade10bbbb5d7dea158661b612eb743ebad7
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
new file mode 120000
index 0000000..be77ac8
--- /dev/null
+++ b/.claude/CLAUDE.md
@@ -0,0 +1 @@
+../AGENTS.md
\ No newline at end of file
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..26e62a2
--- /dev/null
+++ b/.devcontainer/devcontainer.json 
@@ -0,0 +1,28 @@
+{
+ "name": "bootc-devenv-debian",
+ // TODO override this back to prod image
+ "image": "ghcr.io/bootc-dev/devenv-debian",
+ "customizations": {
+ "vscode": {
+ // Abitrary, but most of our code is in one of these two
+ "extensions": [
+ "rust-lang.rust-analyzer",
+ "golang.Go"
+ ]
+ }
+ },
+ "features": {},
+ "runArgs": [
+ // Because we want to be able to run podman and also use e.g. /dev/kvm
+ // among other things
+ "--privileged"
+ ],
+ "postCreateCommand": {
+ // Our init script
+ "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
+ },
+ "remoteEnv": {
+ "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
+ }
+}
+
diff --git a/.gemini/config.yaml b/.gemini/config.yaml
index 3c7c033..080ba11 100644
--- a/.gemini/config.yaml
+++ b/.gemini/config.yaml
@@ -1,3 +1,7 @@
+# NOTE: This file is canonically maintained in
+#
+# DO NOT EDIT
+#
 # This config mainly overrides `summary: false` by default
 # as it's really noisy.
 have_fun: true
diff --git a/.github/actions/bootc-ubuntu-setup/action.yml b/.github/actions/bootc-ubuntu-setup/action.yml
new file mode 100644
index 0000000..5bfcbb2
--- /dev/null
+++ b/.github/actions/bootc-ubuntu-setup/action.yml 
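Review bot: `"image": "ghcr.io/bootc-dev/devenv-debian"` carries no tag or digest, so every container start resolves a mutable reference, and since the container is started with `--privileged` whatever that reference resolves to gets effectively full host access; a tag or an `@sha256:` digest would make what actually runs reproducible and reviewable. The `// TODO override this back to prod image` comment suggests this is an interim state; if so, naming the intended production reference in that comment makes the TODO actionable. The comment above the extensions list also has a typo, `Abitrary` should read `Arbitrary`.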
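Review bot: The added header `# NOTE: This file is canonically maintained in` is followed by an empty `#` line, so the location it is meant to point at is missing. The commit message names `bootc-dev/infra` as the source, so the line could read `# NOTE: This file is canonically maintained in the bootc-dev/infra repository` to make the DO NOT EDIT notice actionable.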
@@ -0,0 +1,91 @@
+name: 'Bootc Ubuntu Setup'
+description: 'Default host setup'
+inputs:
+ libvirt:
+ description: 'Install libvirt and virtualization stack'
+ required: false
+ default: 'false'
+runs:
+ using: 'composite'
+ steps:
+ # The default runners have TONS of crud on them...
+ - name: Free up disk space on runner
+ shell: bash
+ run: |
+ set -xeuo pipefail
+ sudo df -h
+ unwanted_pkgs=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
+ azure-cli google-chrome-stable firefox mono-devel)
+ unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL)
+ # Start background removal operations as systemd units; if this causes
+ # races in the future around disk space we can look at waiting for cleanup
+ # before starting further jobs, but right now we spent a lot of time waiting
+ # on the network and scripts and such below, giving these plenty of time to run.
+ n=0
+ runcleanup() {
+ sudo systemd-run -r -u action-cleanup-${n} -- "$@"
+ n=$(($n + 1))
+ }
+ runcleanup docker image prune --all --force
+ for x in ${unwanted_dirs[@]}; do
+ runcleanup rm -rf "$x"
+ done
+ # Apt removals in foreground, as we can't parallelize these
+ for x in ${unwanted_pkgs[@]}; do
+ /bin/time -f '%E %C' sudo apt-get remove -y $x
+ done
+ # We really want support for heredocs
+ - name: Update podman and install just
+ shell: bash
+ run: |
+ set -eux
+ # Require the runner is ubuntu-24.04
+ IDV=$(. /usr/lib/os-release && echo ${ID}-${VERSION_ID})
+ test "${IDV}" = "ubuntu-24.04"
+ # plucky is the next release
+ echo 'deb http://azure.archive.ubuntu.com/ubuntu plucky universe main' | sudo tee /etc/apt/sources.list.d/plucky.list
+ /bin/time -f '%E %C' sudo apt update
+ # skopeo is currently older in plucky for some reason hence --allow-downgrades
+ /bin/time -f '%E %C' sudo apt install -y --allow-downgrades crun/plucky podman/plucky skopeo/plucky just
+ # This is the default on e.g. 
Fedora derivatives, but not Debian
+ - name: Enable unprivileged /dev/kvm access
+ shell: bash
+ run: |
+ set -xeuo pipefail
+ echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+ sudo udevadm control --reload-rules
+ sudo udevadm trigger --name-match=kvm
+ ls -l /dev/kvm
+ # Used by a few workflows, but generally useful
+ - name: Set architecture variable
+ id: set_arch
+ shell: bash
+ run: echo "ARCH=$(arch)" >> $GITHUB_ENV
+ # Install libvirt stack if requested
+ - name: Install libvirt and virtualization stack
+ if: ${{ inputs.libvirt == 'true' }}
+ shell: bash
+ run: |
+ set -xeuo pipefail
+ export BCVK_VERSION=0.8.0
+ /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+ # Something in the stack is overriding this, but we want session right now for bcvk
+ echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
+ td=$(mktemp -d)
+ cd $td
+ # Install bcvk
+ target=bcvk-$(arch)-unknown-linux-gnu
+ /bin/time -f '%E %C' curl -LO https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz
+ tar xzf ${target}.tar.gz
+ sudo install -T ${target} /usr/bin/bcvk
+ cd -
+ rm -rf "$td"
+
+ # Also bump the default fd limit as a workaround for https://github.com/bootc-dev/bcvk/issues/65
+ sudo sed -i -e 's,^\* hard nofile 65536,* hard nofile 524288,' /etc/security/limits.conf
+ - name: Cleanup status
+ shell: bash
+ run: |
+ set -xeuo pipefail
+ systemctl list-units 'action-cleanup*'
+ df -h
diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml
new file mode 100644
index 0000000..f2f5e06
--- /dev/null
+++ b/.github/actions/setup-rust/action.yml 
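Review bot: In the "Install libvirt and virtualization stack" step, the bcvk tarball fetched with `curl -LO` is extracted and installed to `/usr/bin/bcvk` with no integrity check, so the binary that ends up on the runner is whatever the download returns. Pinning the expected digest next to `BCVK_VERSION`, e.g. `BCVK_SHA256=<sha256 of the v0.8.0 release asset>`, and verifying before extraction with `echo "${BCVK_SHA256}  ${target}.tar.gz" | sha256sum -c -` ties the install to a known artifact. As a point of style, the "Update podman and install just" step uses `set -eux` while every other step in the file uses `set -xeuo pipefail`; matching the rest keeps pipeline failures handled the same way throughout.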
@@ -0,0 +1,20 @@
+name: 'Setup Rust'
+description: 'Install Rust toolchain with caching and nextest'
+runs:
+ using: 'composite'
+ steps:
+ - name: Install Rust toolchain
+ uses: dtolnay/rust-toolchain@stable
+ - name: Install nextest
+ uses: taiki-e/install-action@v2
+ with:
+ tool: nextest
+ - name: Setup Rust cache
+ uses: Swatinem/rust-cache@v2
+ with:
+ cache-all-crates: true
+ # Only generate caches on push to git main
+ save-if: ${{ github.ref == 'refs/heads/main' }}
+ # Suppress actually using the cache for builds running from
+ # git main so that we avoid incremental compilation bugs
+ lookup-only: ${{ github.ref == 'refs/heads/main' }}
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 0000000..2166beb
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml 
@@ -0,0 +1,50 @@
+# Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
+# Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater.
+name: OpenSSF Scorecard analysis
+on:
+ push:
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-24.04
+ permissions:
+ # Needed for Code scanning upload
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Scorecard team runs a weekly scan of public GitHub repos,
+ # see https://github.com/ossf/scorecard#public-data.
+ # Setting `publish_results: true` helps us scale by leveraging your workflow to
+ # extract the results instead of relying on our own infrastructure to run scans.
+ # And it's free for you!
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: results.sarif
+
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
new file mode 100644
index 0000000..ab42fbc
--- /dev/null
+++ b/.github/workflows/rebase.yml 
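Review bot: `uses: actions/checkout@v4` here differs from `actions/checkout@v5` in `.github/workflows/rebase.yml` added by the same sync; settling on one major version keeps the synced workflows consistent. Separately, the header comment states that actions are deliberately not pinned by SHA digest; Scorecard's own Pinned-Dependencies check will score this workflow down for that, so it would help to say so in the comment (e.g. `# Expect a lower Pinned-Dependencies score; this is intentional.`) so the result is not mistaken for a regression.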
@@ -0,0 +1,45 @@
+name: Automatic Rebase
+on:
+ pull_request:
+ types: [labeled]
+
+permissions:
+ contents: read
+
+jobs:
+ rebase:
+ name: Rebase
+ if: github.event.label.name == 'needs-rebase'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate Actions Token
+ id: token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ token: ${{ steps.token.outputs.token }}
+ fetch-depth: 0
+
+ - name: Automatic Rebase
+ uses: peter-evans/rebase@v3
+ with:
+ token: ${{ steps.token.outputs.token }}
+
+ - name: Remove needs-rebase label
+ if: always()
+ uses: actions/github-script@v8
+ with:
+ github-token: ${{ steps.token.outputs.token }}
+ script: |
+ await github.rest.issues.removeLabel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ name: 'needs-rebase'
+ });
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..6f7982c
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,29 @@
+
+
+# Instructions for AI agents
+
+## CRITICAL instructions for generating commits
+
+### Signed-off-by
+
+Human review is required for all code that is generated
+or assisted by a large language model. If you
+are a LLM, you MUST NOT include a `Signed-off-by`
+on any automatically generated git commits. Only explicit
+human action or request should include a Signed-off-by.
+If for example you automatically create a pull request
+and the DCO check fails, tell the human to review
+the code and give them instructions on how to add
+a signoff.
+
+### Attribution
+
+When generating substantial amounts of code, you SHOULD
+include an `Assisted-by: TOOLNAME (MODELNAME)`. For example,
+`Assisted-by: Goose (Sonnet 4.5)`.
+
+## Follow other guidelines
+
+Look at the project README.md and look for guidelines
+related to contribution, such as a CONTRIBUTING.md
+and follow those.
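Review bot: The "Remove needs-rebase label" step runs with `if: always()`, so the label is removed even when the "Automatic Rebase" step fails, leaving no visible signal on the pull request that the rebase did not happen. If the label is intended as a one-shot trigger that is re-applied to retry, a comment above the step saying so would document that; otherwise dropping `if: always()` (the default `success()` condition) keeps the label, and the failure, visible. The job also uses `runs-on: ubuntu-latest` while `.github/workflows/openssf-scorecard.yml` in the same sync pins `ubuntu-24.04`; picking one keeps runner behaviour consistent across the synced workflows.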