Sync upstream (dfe41808) — needs conflict resolution#45
Open
cloud-api-adaptor-upstream-sync[bot] wants to merge 78 commits into
Open
Sync upstream (dfe41808) — needs conflict resolution#45cloud-api-adaptor-upstream-sync[bot] wants to merge 78 commits into
cloud-api-adaptor-upstream-sync[bot] wants to merge 78 commits into
Conversation
Move the cluster provisioning to BYOM to remove the dependency on the deprecated Docker provider. Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
This commit adds extensive unit test coverage for the libvirt cloud provider, while preserving all existing tests from the main branch. New unit tests added (using mocks): - TestGetGuestForArchType (6 subtests) - TestLookupMachine (5 subtests) - TestGetCanonicalMachineName (7 subtests) - TestCreateCloudInitISO (3 subtests) - TestGetLaunchSecurityTypeInvalidURI - TestCreateDomainXMLs390xWithMocks (mock-based unit test) - TestCreateDomainXMLaarch64WithMocks (mock-based unit test) - TestCreateDomainXMLx86_64 (3 subtests) - TestCreateDomainXML (3 subtests) - TestVerifyDomainXMLIOMMU (4 subtests) - Combined TestCreateDomainXMLs390x and TestCreateDomainXMLaarch64 into TestCreateDomainXMLArchitectures - Combined TestCreateDomainXMLs390xWithMocks and TestCreateDomainXMLaarch64WithMocks into TestCreateDomainXMLArchitecturesWithMocks - Improves code maintainability and reduces duplication Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
- Refactor TestCloudInit to use verifyISOContents helper and tabular format - Combined TestCreateCloudInitWithEmptyData, TestCreateCloudInitWithLargeData, TestCreateCloudInitWithSpecialCharacters, and TestCreateCloudInitVerifyVendorData into TestCreateCloudInitVariations - Add TestCreateCloudInitErrorHandling for boundary condition testing - All tests now use verifyISOContents helper for consistent ISO validation - Improves code maintainability and reduces duplication Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
- Add tests for Manager.ParseCmd() flag registration - Add tests for Manager configuration with values - Add tests for Manager.LoadEnv() and GetConfig() - Add tests for Manager.NewProvider() with valid/invalid configs - Add tests for default constants validation - Add tests for launch security, firmware, and data directory configuration - Covers all Manager initialization and configuration scenarios Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.29 to 1.7.32. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.29...v1.7.32) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.32 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Now that agent-ctl tags based on sha, we can switch to use the main kata-containers version, rather than having a separate one. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump components to match the kata 3.31.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update to pick up the 3.31.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Pin kata-deploy to the 3.31.0 version in prep of the 0.21.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bump the go module to remediate CVEs: - GO-2026-5026 - GO-2026-4883 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump the go module to remediate CVEs: - GO-2026-5013 - GO-2026-5017 - GO-2026-5018 - GO-2026-5019 - GO-2026-5020 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the helm charts with the latest image of CAA Signed-off-by: stevenhorsman <steven@uk.ibm.com>
But the appVersion to 0.21 to match the release and bump the version in peer-pods, peerpod-ctrl and webhook Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The `kubectl apply` of the cert-manager manifest occasionally fails with an etcd timeout: ``` Error from server: error when creating ".../cert-manager.yaml": etcdserver: request timed out. ``` The manifest creates a large batch of resources (6 CRDs, RBAC, deployments, webhook configs) in a single apply, and individual writes can occasionally exceed the API server's request timeout under transient cluster load. Wrap the apply in a retry loop (3 attempts, 10s backoff). `kubectl apply` is idempotent, so retrying after a partial failure simply creates the missing resources without disturbing the ones already applied. On the observed failing run, everything except (likely) the last webhook config got created, and the retry will fill in the gap. For `kubectl wait`, the Endpoints object isn't created by the cert-manager manifest directly. It's created by the kube-controller-manager's endpoints controller after the Service is created and once matching pods exist. Right after `kubectl apply` returns, there's a brief window where the Service exists but its Endpoints object hasn't been populated yet. The apply just finished, so `kubectl wait` raced ahead of the controller. Assisted-by: IBM Bob Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
The podvm-ubuntu-mkosi job calls podvm_mkosi_ubuntu.yaml which requires artifact-metadata: write permission for the actions/attest@v4.1.0 action to write attestation metadata. Without this permission, the workflow fails with "The nested job 'build-image' is requesting 'artifact-metadata: write', but is only allowed 'artifact-metadata: none'." This matches the permission already granted to the podvm-mkosi job on line 84. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Also added MKOSI_VERSION environment variable to image build steps in both podvm_mkosi.yaml and podvm_mkosi_ubuntu.yaml workflows to ensure the mkosi version from versions.yaml is explicitly passed to make commands, maintaining consistency with the binaries build step. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
The image target was calling mkosi with '--image system' argument which is not supported in mkosi v26, causing build failures with: "mkosi: error: argument verb: invalid Verb value: 'system'" This argument was a remnant from mkosi v22 that wasn't removed during the v26 upgrade. The image-debug and image-sftp targets were already correct, so this change aligns the image target with them. Fixes the s390x production image builds. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
The cross-build script was failing on ARM64 native builds because it compared ARCH=arm64 with uname -m=aarch64, which didn't match, causing it to incorrectly attempt cross-compilation and fail with: "E: Unable to locate package qemu-system-aarch64" Added replacement pattern to handle this Co-authored-by: Magnus Kulke <magnuskulke@microsoft.com> Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
Implement IRSA support for the AWS provider to enable workload identity authentication on EKS, eliminating the need for static credentials stored in Kubernetes secrets. NewEC2Client now supports three authentication methods: 1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) 2. Shared AWS profile (AWS_PROFILE, currently, only non-containerized CAA binary execution is supported) 3. Default credential chain (for IRSA support) The default credential chain automatically supports IRSA via AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN Entrypoint validation updated to accept either: - Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (static credentials) - AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN (IRSA) Fixes: confidential-containers#3027 Signed-off-by: Snir Schreiber <ssheribe@redhat.com> Assisted-by: Claude AI
Add unit tests to verify the two authentication paths in NewEC2Client: 1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) 2. Default credential chain (IRSA, IMDS, environment variables, etc.) Tests cover: - Static credentials path with both access key and secret key - Default credential chain path when no static credentials provided - Partial credentials (only access key) falls through to default chain Assisted-by: Claude AI Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
Added comprehensive guide for configuring IRSA with cloud-api-adaptor and peerpod-ctrl on Amazon EKS. The guide covers: - IAM trust policy configuration - Kubernetes service account annotations - Deployment configuration examples - Troubleshooting steps Assisted-by: Claude AI Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
It looks like when the arm "support" for podvm builds was added, it wasn't updated to use the native arm runner, so update this, for simpler workflows Signed-off-by: stevenhorsman <steven@uk.ibm.com>
In case we want to support cross-compilation in future e.g. for local dev, fix up the logic. The cross-build script was using architecture names directly as QEMU package names, but Debian/Ubuntu package names don't always match: - x86_64 → qemu-system-x86 (not qemu-system-x86_64) - aarch64 → qemu-system-arm (not qemu-system-aarch64) - s390x → qemu-system-s390x (matches) Added architecture-to-package mapping for Debian/Ubuntu systems to use correct package names. Package names verified against Ubuntu 24.04. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-by: IBM Bob
As we are doing a 0.21.1 release, we should update the charts to match this version. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit a1633eb. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit 02bb592. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the CITATION.cff for the 0.21.1 release Signed-off-by: stevenhorsman <steven@uk.ibm.com>
debian:trixie-slim ships without CA certificates. The dev build got them transitively via openssh-client, but the release build only installed iptables, causing Go TLS verification to fail against ec2.<region>.amazonaws.com with x509: certificate signed by unknown authority. Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@b5d41d4...eb5cf3a) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Implements comprehensive yet focused unit tests for the inMemoryImage implementation in the libvirt provider. Tests cover: - Image creation from byte arrays (text, empty, binary data) - Size calculation functionality - String representation - Import operations with success and error handling Test coverage: - TestInMemoryImage: Validates creation, size(), and string() methods - TestInMemoryImageImport: Tests importImage with various scenarios Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
Remove all CI/CD workflows related to csi-wrapper component as part of the csi-wrapper removal process. This includes: - Dedicated csi_wrapper_images.yaml workflow - csi-wrapper jobs from build.yaml - csi-wrapper jobs from release.yaml - csi-wrapper jobs from publish_images_on_push.yaml Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-By: IBM Bob
Remove all documentation references to the csi-wrapper component: - Remove CSI Wrapper section from main README - Remove CSI wrapper architecture documentation - Remove csi-wrapper from release process documentation Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
Remove the csi-wrapper component entirely from the codebase. This includes all source code, examples, CRDs, and related files. The csi-wrapper provided CSI volume support for peer pods but is no longer needed as part of the project simplification effort. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-By: IBM Bob
Update IBM Cloud import script to download mkosi-based podvm images using oras instead of the packer-specific download-image.sh script. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-by: IBM Bob
Remove legacy packer-based podvm build workflows in favor of mkosi-based builds. The following workflows are removed: - podvm_builder.yaml - podvm_binaries.yaml - podvm.yaml Also update e2e_run_all.yaml and podvm_publish.yaml to remove references to the deleted workflows. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-by: IBM Bob
Remove the podvm targets from the Makefile as: - We already have separate makefiles for the podvm builds, so it's just adding indirection - They are mostly outdated packer-based build targets Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Remove packer-based build system and consolidate on mkosi approach. Restructure binaries build to avoid circular dependencies by: - Moving Dockerfiles to podvm-mkosi directory - Renaming Docker build target to podvm-binaries - Including Makefile.inc to inherit binaries target - Updating workflows to use new target name This completes the migration from packer to mkosi for podvm image builds. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-by: IBM Bob
Remove packer-specific AWS image build directory. Users should use mkosi-based builds and convert to AMI format as needed. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-by: IBM Bob
Remove download-image.sh script that was specific to packer-based image downloads. mkosi images are oras artifacts and should be downloaded using oras pull directly. Also update consuming-prebuilt-podvm-images.md to remove packer section and references to download-image.sh. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update documentation to reflect removal of packer-based builds and replace packer build instructions with mkosi-based instructions Generated-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Azure is using mkosi image now, so update the old log trace Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps the libvirt group with 2 updates in the /src/cloud-api-adaptor directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module). Bumps the libvirt group with 2 updates in the /src/cloud-providers directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module). Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) --- updated-dependencies: - dependency-name: libvirt.org/go/libvirt dependency-version: 1.12003.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirt dependency-version: 1.12003.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirtxml dependency-version: 1.12002.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirtxml dependency-version: 1.12002.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt ... Signed-off-by: dependabot[bot] <support@github.com>
Set zizmor-action to have `advanced-security: false`, so it will not upload results to Advanced Security, and will instead print them to the console for job reporting. Also turn on zizmor github annotations to try and highlight any issues in code being actively updated. Drive-by: bump runner to ubuntu-24.04 to stay more up-to-date Signed-off-by: stevenhorsman <steven@uk.ibm.com>
At least for amd64 and arm64 artifacts we should make sure that the builds weren't done on self-hosted runners. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Bump go version and dockerfiles to resolve CVEs: - GO-2026-5037 - GO-2026-5038 - GO-2026-5039 Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The workflows are dead code. azure e2e tests will have to be rebuilt based on existing libvirt and aws ci machinery. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
…l-containers#3132) * refactor: merge podvm mkosi tree --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Implements comprehensive yet focused unit tests for the libvirt provider implementation with emphasis on maintainability and clarity. Test coverage includes: - Provider initialization with various configurations - IP address handling (multiple, empty, nil) - Instance creation with custom specs and launch security - Instance deletion with error cases (empty ID) - Configuration validation for all required fields - Cloud config generation error handling Tests covered: - TestNewProvider: Provider creation with invalid URI - TestGetIPs: IP address retrieval scenarios - TestDeleteInstanceEmptyID: Empty instanceID validation - TestCreateInstanceCloudConfigError: Cloud config error handling - TestProviderConfigVerifier: Configuration validation - TestTeardown: Provider cleanup All tests are unit tests that run without requiring libvirt environment, ensuring consistent test coverage across all environments. Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
Enable virtio-balloon for s390x by changing MemBalloon Model from "none" to "virtio" with IOMMU driver support. This matches the aarch64 implementation and brings s390x to feature parity with other architectures. The virtio-balloon driver is architecture-independent and s390x's virtio-ccw transport supports all virtio devices. IOMMU is required for s390x virtio devices. This enables dynamic memory reclamation from peer pod VMs, improving resource utilization on s390x hosts. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
Implements transparent block volume support for confidential containers running as Peer Pods. The CSI block driver writes volume metadata (mountInfo.json) that the cloud-api-adaptor reads at pod creation time. Volumes are attached as managed disks to the PodVM and detected inside the guest by probing provider-specific device paths with a sysfs HCTL fallback. Signed-off-by: Mohammed Adnan <muhammedadnan50007@gmail.com>
Move inputs.podvm_image to PODVM_IMAGE environment variable to prevent code injection. Also add quotes around PODVM_IMAGE variable to fix shellcheck SC2086. Remove template expansion from line 188 to prevent code injection. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Move template expressions to environment variables to prevent code injection. Changes: - inputs.registry → REGISTRY (line 170) - inputs.arch → ARCH (line 174) - inputs.image_tag → IMAGE_TAG (lines 179, 180) Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix template injection in three more workflows: - azure-e2e-test.yml:159 - Move matrix.parameters.jitter to JITTER env var - build.yaml:57 - Move matrix.type to BUILD_TYPE env var - test-images.yaml:60 - Move matrix.targets to MATRIX_TARGET env var These changes prevent code injection via template expansion by moving untrusted inputs to environment variables instead of inline expansion. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix workflow security issues identified by zizmor scan: 1. Added job names to 7 workflows (Notices) - actionlint.yaml: run-actionlint job - build.yaml: webhook and cloud-provider jobs - e2e_on_pull.yaml: authorize job - e2e_run_all.yaml: libvirt_e2e_arch_prep job - podvm_smoketest.yaml: build and test jobs - test-images.yaml: list-dockerfiles job 2. Added concurrency limits to 4 workflows (Warnings) - podvm_mkosi.yaml - podvm_smoketest.yaml - scorecard.yaml - test-images.yaml 3. Added explanatory comments for permissions in 13 instances (Warnings) - daily-e2e-tests.yaml - e2e_on_pull.yaml - e2e_run_all.yaml (4 instances) - lib-codeql.yaml - lint.yaml - podvm_publish.yaml - publish_images_on_push.yaml (2 instances) - release.yaml (2 instances) - scorecard.yaml - test-images.yaml - webhook_image.yaml 4. Fixed secrets environment issue (Warning) - test-images.yaml: Added production environment for secret access These changes improve workflow security and clarity without affecting functionality. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Without an explicit <cpu> element, the guest CPU has no named model contract. host-model causes libvirt to resolve the best matching IBM Z model (e.g. gen17a on z17), ensuring live migration safety between hosts of the same generation, full feature support of the respective generation, and consistent behaviour with the x86_64 and aarch64 implementations. Also adds CPU mode assertions to TestCreateDomainXMLArchitecturesWithMocks for s390x and aarch64. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
… updates Bumps the aws-sdk-go-v2 group with 6 updates in the /src/cloud-api-adaptor directory: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.7` | `1.41.12` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.17` | `1.32.23` | | [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.299.1` | `1.305.2` | | [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.83.0` | `1.84.5` | | [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.53.10` | `1.54.3` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.100.1` | `1.103.2` | Bumps the aws-sdk-go-v2 group with 3 updates in the /src/cloud-providers directory: [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23) Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2) Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.83.0 to 1.84.5 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.83.0...service/eks/v1.84.5) Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.10 to 1.54.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ecs/v1.53.10...service/s3/v1.54.3) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.100.1 to 1.103.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.100.1...service/s3/v1.103.2) Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23) Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2) Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.16 to 1.19.22 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@credentials/v1.19.16...credentials/v1.19.22) Updates `github.com/aws/aws-sdk-go-v2/feature/ec2/imds` from 1.18.23 to 1.18.28 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.18.23...config/v1.18.28) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-version: 1.305.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.84.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/iam dependency-version: 1.54.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.103.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-version: 1.305.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/credentials dependency-version: 1.19.22 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/feature/ec2/imds dependency-version: 1.18.28 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
The podvm_mkosi.yaml workflow's concurrency group didn't vary based on inputs, causing builds with different architectures to cancel each other when called from e2e_run_all.yaml. Updated the concurrency group to include all inputs using toJSON(), ensuring each unique combination of inputs gets its own concurrency group. Update podvm_mkosi_ubuntu.yaml to match for robustness Generated-By: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upstream sync — manual merge needed
Upstream has new commits to merge into
vijay/sync-cohere-test, but there are conflicts.Upstream HEAD:
dfe41808How to resolve
The sync branch already contains the upstream commits (it points at
origin/main). To make it mergeable intovijay/sync-cohere-test,merge cohere into the sync branch and resolve conflicts there:
Your IDE will show the native merge conflict UI with accept-theirs /
accept-ours / accept-both options for each conflict. Once the push
succeeds, the PR will become mergeable.
Review checklist
Note
High Risk
Large CI and provider removals (docker, Azure e2e/podvm pipelines, CSI) plus PodVM path changes can break forks or custom workflows that still depend on those paths; release and e2e coverage shifts materially.
Overview
This PR brings in a large upstream alignment focused on simplifying how PodVM images are built and which providers and CI paths the project maintains.
PodVM build path is unified under
src/cloud-api-adaptor/podvm(replacingpodvm-mkosiin docs, smoketests, and workflows). Mkosi workflows now runmake podvm-binariesinpodvm/, and the Fedora mkosi workflow no longer builds or publishes a separate docker-provider OCI image from that job.Removed or retired surface area includes the docker cloud provider (code, Helm provider, e2e workflow, and dev
BUILTIN_CLOUD_PROVIDERSentry), CSI wrapper (README, release tags, publish/release workflows, and thebuild.yamlcsi-wrapper job), Packer-based AWS podvm image tooling and rootpacker-check/ lint packer job, and Azure-specific callable workflows for podvm image build, release, and e2e. Legacy podvm_builder / podvm_binaries / podvm packer-style publish jobs are dropped frome2e_run_allandpodvm_publishin favor of mkosi-only publishing.CI and tooling get broad GitHub Actions bumps (
actions/checkoutv6.0.3, docker buildx/login, CodeQL, zizmor, stale, build-push-action), clearer job names and permission comments, concurrency on several workflows, and removal of docker e2e from PR label triggers. Release/docs drop docker provider Helm pinning and csi-wrapper from the release process; CITATION.cff moves to 0.21.1. Minor fixes includegovulncheckskipping modules with no Go packages, CAA release image addingca-certificates, and golang base image bump in the Dockerfile.Reviewed by Cursor Bugbot for commit dfe4180. Bugbot is set up for automated code reviews on this repo. Configure here.