Skip to content

ci: stop duplicate PR builds; pin actions to SHAs#564

Closed
thomasdesr wants to merge 58 commits into
GoogleContainerTools:mainfrom
anyscale:thomas/dedupe-pr-ci
Closed

ci: stop duplicate PR builds; pin actions to SHAs#564
thomasdesr wants to merge 58 commits into
GoogleContainerTools:mainfrom
anyscale:thomas/dedupe-pr-ci

Conversation

@thomasdesr

Copy link
Copy Markdown

The unit-test workflow triggered on every push and every pull request, so same-repo PR branches ran each build twice: once for the push event and once for the pull_request event.

  • Limit the push trigger to main. pull_request still covers PRs, and merges to main keep their post-merge build.
  • Fix the concurrency cancel-in-progress ref: it compared against refs/heads/master, but the default branch is main, so builds on main were cancellable. They no longer are.
  • Pin setup-go, setup-crane, and checkout to commit SHAs and set persist-credentials: false on checkout. These were pre-existing zizmor findings in this file; it now reports none.

If any required status check comes from the push-triggered runs on PR branches, it will stop appearing once this lands; require the pull_request checks instead.

thomasdesr and others added 30 commits June 29, 2026 11:06
…eContainerTools#538)

Co-authored-by: Eric Higgins <eric-higgins-ai@users.noreply.github.com>
Upstream-PR: GoogleContainerTools#538
…Tools#543)

Co-authored-by: Tom van der Woerdt <TvdW@users.noreply.github.com>
Upstream-PR: GoogleContainerTools#543
)

Co-authored-by: Benjamin Peterson <benjaminp@users.noreply.github.com>
Upstream-PR: GoogleContainerTools#485
Also pulls spf13/pflag v1.0.9.

Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#536
Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#540
…ols#488)

Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#488
Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#513
Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#561
)

Co-authored-by: dependabot[bot] <support@github.com>
Upstream-PR: GoogleContainerTools#556
Adopt clean-merge upstream PRs (batch 1)
…ontainerTools#555)

Adopt upstream security fix that confines tar driver path resolution to
the extracted image root, preventing tar-slip and symlink-escape attacks
where archive entries reference paths outside the image filesystem.

Upstream-PR: GoogleContainerTools#555
Co-authored-by: Francesco Sabiu <fsabiu@users.noreply.github.com>
FileExistenceTest.Validate() constructed an fmt.Errorf for the empty-Path
case but never returned it, so the function fell through to return nil. A
test definition missing the required `path` field passed validation and was
executed (driver.StatFile("")) instead of being skipped with a clear error,
unlike the matching FileContentTest.Validate which returns the error.

Add the missing return and a table test covering missing-name, missing-path,
and valid cases. Clears the 'result of fmt.Errorf call not used' go vet finding.
fix: surface dropped error in file_existence check
…rTools#554)

Adopt upstream support for loading an OCI image layout directory through
the tar driver, rebased on the GoogleContainerTools#555 root-confinement changes. The tar
driver now accepts an OCI layout via DriverConfig.OCILayout: it loads the
single image from the layout, extracts its filesystem, and serves reads
through the existing root-confined path resolver.

Adds ImageFromOCILayout and ImageFromV1 in internal/pkgutil, with unit
tests covering filesystem extraction, single-image layout loading, a
missing layout path, and rejection of multi-entry layouts. The original
PR shipped no Go tests; these are added here.

Drops the MODULE.bazel.lock dependency bumps bundled in the upstream PR;
those belong to the bazel cluster.

Upstream-PR: GoogleContainerTools#554
Co-authored-by: Malte Poll <malt3@users.noreply.github.com>
Adds a drop_capabilities option to containerRunOptions, wiring it to
HostConfig.CapDrop. Renames the Capabilities struct field to CapAdd
(yaml tag stays "capabilities" for config compatibility) and adds the
new CapDrop field (yaml "drop_capabilities").

Reconciled with GoogleContainerTools#538: hostConfig() continues to set the deprecated
HostConfig.Capabilities field (honored on docker API <1.40) from the
renamed CapAdd, alongside HostConfig.CapAdd and HostConfig.CapDrop.

Upstream-PR: GoogleContainerTools#390
Allow specifying namespaced kernel parameters (--sysctl) in
containerRunOptions, wired into the Docker HostConfig.

Upstream-PR: GoogleContainerTools#480
…ls#548)

Adds a network run option (yaml: network) that maps to the container's
HostConfig.NetworkMode, allowing tests to select bridge/host/none network
modes. Refactors hostConfig() into a single composable builder so run
options and runtime are no longer mutually exclusive, fixing a latent bug
where fields were dropped when both were set.

Upstream-PR: GoogleContainerTools#548
…GoogleContainerTools#559)

On Windows the extensionless toolchain binary triggers an "Open With"
dialog, so Bazel reports the structure test as PASSED while running zero
tests (silent false-pass, issue GoogleContainerTools#557). Declare a .exe symlink and use it
as test_bin before its consumers, gated on the existing is_windows
computation (which is hoisted up and de-duplicated). Linux/macOS are
unaffected.

Co-authored-by: peakschris <77508021+peakschris@users.noreply.github.com>
Upstream-PR: GoogleContainerTools#559
…#503)

Adapts upstream PR GoogleContainerTools#503 ("Add support for multi-arch image indexes") to
the fork. Upstream placed the index-selection logic inline in test.go,
but the fork's GoogleContainerTools#554 since centralized OCI-layout loading into
pkgutil.ImageFromOCILayout (shared by the Docker daemon path and the Tar
driver). The platform-based selection is added there instead, so both
drivers gain multi-arch support. ImageFromOCILayout now takes a platform
string; callers pass opts.Platform / args.Platform.

Two fork-authored changes beyond the upstream diff:

- Nil-platform guard: v1.Descriptor.Platform is a nil-able *v1.Platform
  (OCI permits an index descriptor with no platform), and Satisfies has
  a value receiver, so the upstream desc.Platform.Satisfies(...) call
  panics with a nil dereference on such descriptors. findImageInIndex
  now skips any descriptor whose Platform is nil. Covered by a unit test
  that panics without the guard and passes with it.

- parsePlatform replaced with go-containerregistry's v1.ParsePlatform,
  which accepts variants (e.g. linux/arm/v7) that the hand-rolled parser
  rejected.

Also fixes the bundled shell test: numeric comparison uses -lt instead
of the string operator <, and the multi-arch temp dir no longer clobbers
the $tmp used by the following tar-driver test.

Co-authored-by: Joel Sing <jsing@canva.com>
Upstream-PR: GoogleContainerTools#503
…t (upstream GoogleContainerTools#539)

Adds a --test-report-format flag (json|junit) so the test report file format
is independent of stdout. Previously --test-report forced JSON output and
silenced human-readable stdout. ProcessResults now writes the machine report
to a separate reportOut writer while stdout keeps its configured format.

Also switches the Bazel rule from --output junit to --test-report-format junit
so `bazel test` failures show full detail on stdout (captured as test.log)
instead of only "FAIL", while still writing JUnit XML to $XML_OUTPUT_FILE.

Adds unit tests for the dual-output and no-report paths (upstream shipped none).

Co-authored-by: Vincent Rose <vinnybod@users.noreply.github.com>
Upstream-PR: GoogleContainerTools#539
Bump the go directive (required by the containerd v1.7.33 / x/crypto
v0.47.0 dependency bumps) and align the integration-tests workflow
setup-go pin to ^1.24. go 1.24's stricter printf analyzer now treats
non-constant format strings as vet build failures, so wrap the five
affected call sites with an explicit "%s" format (or the non-f log
variant) to keep go test green.
…VE fixes

containerd v1.7.33 picks up CVE-2026-53488/47262 and the go-jose fix
(stays in the 1.7.x patch series). x/crypto v0.47.0 picks up the SSH
GSSAPI DoS and agent panic fixes. go mod tidy pulled the expected
transitive bumps (x/sys, x/net, x/text, etc.); docker/docker,
docker/cli, go-containerregistry, and fsouza/go-dockerclient are
unchanged.

Upstream-PR: GoogleContainerTools#562
Upstream-PR: GoogleContainerTools#541
…leContainerTools#511)

Make the Go source buildable and testable via Bazel using rules_go and
gazelle, alongside the existing container_structure_test rule wiring.

- Add bazel_dep on rules_go 0.61.1 and gazelle 0.51.3.
- Wire gazelle's go_deps extension from go.mod and use_repo the direct
  module dependencies.
- Add a root gazelle target with the module prefix; exclude bazel/ so the
  hand-written rule BUILD files are not clobbered.
- Disable proto rule generation for github.com/docker/docker so gazelle
  uses its checked-in plugin.pb.go instead of recompiling the .proto via
  protoc (which would pull in the protobuf C++ toolchain).
- Generate BUILD.bazel for cmd/, pkg/, internal/, testutil/.
- Regenerate MODULE.bazel.lock.

Co-authored-by: njlr <github@njlr.dev>
Upstream-PR: GoogleContainerTools#511
…nerTools#511)

Add a Bazel build/test step to the PR unit test workflow so the newly
generated Go go_library/go_binary/go_test targets are covered by CI. The
existing bazel.yaml workflow only runs in bazel/test (the rule consumer),
so //... at the repo root was previously unexercised.

Scoped to ubuntu-latest; the macos-12 leg is known to hang.

Co-authored-by: njlr <github@njlr.dev>
Upstream-PR: GoogleContainerTools#511
The bazel/test rule smoke-test runs against the pinned prebuilt release
(repositories.bzl _VERSION=v1.22.0), which predates the sysctls field
added in GoogleContainerTools#480, so it could not parse the fixture and //:test failed on
every commit since e9291d6. The fixture validates rule wiring, not new
binary features, so it must only use fields the pinned release supports.
The sysctls feature itself (pkg/types + docker driver) is unaffected.
The bazel/test smoke-test used a structure_test_toolchain backed by the
downloaded v1.22.0 release (repositories.bzl _VERSION) while consuming
HEAD's rule via local_path_override. HEAD's rule passes
--test-report-format junit (GoogleContainerTools#539), which the pinned release rejects, so
//:test failed on every commit. Pinning the fixture to old-binary fields
masked the mismatch instead of testing HEAD's rule against HEAD's binary.

Wire a from-source toolchain and make smoke resolution prefer it:

- bazel/BUILD.bazel: add //bazel:from_source_structure_test (a
  structure_test_toolchain whose binary is the rules_go go_binary
  //cmd/container-structure-test) plus its //bazel:..._toolchain target.
  The download path (repositories.bzl) is untouched; real consumers still
  get the release toolchain.
- bazel/test/MODULE.bazel: register the from-source toolchain first so
  resolution prefers it over the registered release toolchains (the root
  module's registrations precede its dependencies'), and depend on
  rules_go under its io_bazel_rules_go name so Go build settings such as
  --@io_bazel_rules_go//go/config:pure resolve in this root module.
- MODULE.bazel + .bazelrc + bazel/test/.bazelrc: isolate the go_deps
  extension usage. The docker proto-disable gazelle_override is forbidden
  in non-root modules; isolation lets it apply when bazel/test consumes
  this module as a dependency to build the from-source binary.
  --experimental_isolated_extension_usages enables the isolate flag.
- bazel/test/.bazelversion: 6.1.1 -> 7.4.1; 6.1.1 cannot resolve the
  cross-module rules_go apparent name needed to build the Go binary.
- bazel/test/test.yaml: restore the sysctls fixture (dropped in c7a5500
  because the old release could not parse it). HEAD's binary supports
  containerRunOptions.sysctls, so the smoke-test exercises it again.
The bazel/test smoke-test registered the from-source structure_test toolchain
(which compiles HEAD's //cmd/container-structure-test go_binary) only in
MODULE.bazel. Under --enable_bzlmod=false --enable_workspace, MODULE.bazel is
ignored, so toolchain resolution fell back to the downloaded v1.22.0 release
registered by container_structure_test_register_toolchain in WORKSPACE.bazel.
HEAD's rule passes --test-report-format junit (GoogleContainerTools#539), which the release binary
rejects, so //:test failed in WORKSPACE mode:

  level=fatal msg="unknown flag: --test-report-format"

Wire the from-source toolchain into WORKSPACE mode so it is preferred there too:

- bazel/test/WORKSPACE.bazel: register
  @container_structure_test//bazel:from_source_structure_test_toolchain ahead
  of the release toolchains (earliest matching registration wins in WORKSPACE
  mode, mirroring the bzlmod ordering). The repo is bzlmod-only (empty root
  WORKSPACE.bazel), so reconstruct the rules_go + gazelle + go_deps wiring the
  root MODULE.bazel provides under bzlmod. Pin rules_go 0.55.1 (bzlmod uses
  0.61.1): rules_go 0.61's bool_setting(scope=...) is only accepted in WORKSPACE
  mode on Bazel >= 8.3, so it fails on the 8.0.0rc1 CI leg; 0.55.1 predates the
  scope attribute. Register Go SDK 1.24.12 (gazelle's bundled tools require it)
  and point gazelle's repo-config scan at WORKSPACE.bazel (default @//:WORKSPACE
  does not exist).
- bazel/test/go_deps.bzl: generated go_repository macro for the go.mod tree,
  with com_github_docker_docker carrying gazelle:proto disable_global to mirror
  the bzlmod gazelle_override (docker ships a pre-generated plugin.pb.go).
- bazel/test/README.md: document that both module systems now build the binary
  from source; drop the obsolete manual binary-swap instructions.

The download/release path in repositories.bzl is untouched: real WORKSPACE
consumers still get the release toolchain via
container_structure_test_register_toolchain and need no rules_go.

Verified //:test PASSES selecting the from-source toolchain in both bzlmod and
WORKSPACE mode on bazel 8.0.0rc1 and 7.4.1 (clean --expunge).
The step exists to verify the Go code builds/tests via rules_go+gazelle (GoogleContainerTools#511).
Running //... from the root also pulled in //bazel/test (the rule's smoke test,
already covered as its own module by the dedicated Bazel workflow, and lacking
the from-source toolchain in the root context) and //bazel/docs:update_test
(stardoc doc-freshness, stale after the .bzl changes in GoogleContainerTools#543/GoogleContainerTools#539 and unrelated
to this step). Scope to //cmd //pkg //internal //testutil.
…GoogleContainerTools#539; restore CI doc-freshness check

The platform attr lost its default="linux/amd64" in GoogleContainerTools#543 (now optional with
implicit empty default), leaving bazel/docs/defs.md stale. //bazel/docs:update_test
was failing on the drift, which is why the integration-tests Bazel step had been
scoped down to exclude //bazel/docs. Hand-updated defs.md (stardoc cannot build
locally on the Nix macOS env, which lacks Xcode CLT) and re-added the doc-freshness
check as a separate line so it cannot silently rot again.
The macos-12 matrix entry pointed at a retired runner, so the
PR unit tests (macos-12) job never started and hung ~24h before
being cancelled, perma-blocking the run's overall status.

macos-12 and macos-13 are both retired, and GitHub's Apple Silicon
macOS runners cannot run colima (no nested virtualization,
HV_UNSUPPORTED). macos-15-intel is the only GitHub-hosted macOS
runner that can run a Docker daemon. Set Docker up there via the
SHA-pinned douglascamata/setup-docker-macos-action, which installs
colima + the Docker CLI and sets the active docker context, so
make test reaches the daemon without a hardcoded DOCKER_HOST socket
path. The macOS step now gates on runner.os == 'macOS'; the bazel
step stays ubuntu-only.
Bump go-containerregistry to v0.20.7, which transitively pulls
docker/docker v28.5.2+incompatible and docker/cli v29.0.3+incompatible
(replacing v27.1.1 / v25.0.3). docker v28 drops the heavy
containerd/containerd v1.7.33 dependency in favor of
containerd/errdefs; OpenTelemetry, klauspost/compress, vbatts/tar-split
and friends move forward accordingly.

Upstream-PR: GoogleContainerTools#535
Upstream-PR: GoogleContainerTools#506
Upstream-PR: GoogleContainerTools#550
Independent of the docker v28 stack bump: go-dockerclient v1.11.2 already
compiles against docker v28.5.2, so this is a clean follow-on upgrade
(adds moby/go-archive v0.1.0, moby/sys/user v0.4.0).

Upstream-PR: GoogleContainerTools#531
Mirror the bumped go.mod tree into bazel/test/go_deps.bzl via
`bazel run //:gazelle -- update-repos -from_file=go.mod
-to_macro=bazel/test/go_deps.bzl%go_dependencies -prune`. The
com_github_docker_docker proto-disable build_directives and the
@bazel_gazelle load reference are preserved. bzlmod's use_repo
(MODULE.bazel) needs no change since the direct dependency set is
unchanged; `bazelisk mod tidy` reports no drift.

Upstream-PR: GoogleContainerTools#535
Upstream-PR: GoogleContainerTools#531
The macOS leg's setup configures colima's docker CLI *context*, but the
container-structure-test binary uses go-dockerclient, which reads DOCKER_HOST and
ignores docker contexts -- so it fell back to /var/run/docker.sock (absent under
colima) and every docker-driver test failed (tar/host drivers passed). Export
DOCKER_HOST from colima's context endpoint.
These cases need QEMU/binfmt emulation + a multi-platform image store and assert
the Linux Docker daemon's exact error wording. colima's Docker on macOS provides
none of those, so they failed there while every native/driver/OCI/run-opts case
passed (16/18). Gate them behind a Linux uname check; the native-platform case
still runs everywhere. Keeps full cross-platform coverage on the Linux leg.
host_driver.go constructed unversioned.EnvVar with positional fields, the sole
'go vet ./...' finding (composite literal uses unkeyed fields). Name the fields;
go vet ./... now exits clean.
The tar driver extracts the image filesystem to disk and inspects it as
the (often non-root) test user. A directory shipped without the owner
execute bit (e.g. /licenses at 0644) could neither be populated during
extraction nor traversed during assertions, so any fileExistenceTest on a
file inside it failed with "permission denied" before any assertion ran.

The temp-permission logic only forced the owner *write* bit; it never
added owner *execute*, and the deferred restore put the restrictive mode
back before the driver read anything. Force owner rwx on extracted
directories, and on restore keep the owner-execute bit so the tree stays
traversable. Directories that already have owner-execute (the universal
0755/0555 case) are untouched; a directory shipped without it is reported
with that bit added, the minimum needed for a non-root process to inspect
its contents.
When using the docker driver with OCI images, the bazel launcher loads an
image under a dynamic tag (cst.oci.local/$DIGEST:$DIGEST) but never
removes it from the Docker daemon after the test completes. This causes
disk space to accumulate as large OCI images are left orphaned.

Add a cleanup trap that runs on EXIT to remove only the image this run
loaded, using the captured TEST_TAG. The trap:
- Runs on both success and failure (EXIT fires in both cases)
- Is skipped only if docker rmi fails (|| true prevents errors)
- Properly preserves the test's exit code via explicit exit $?

Fixes issue GoogleContainerTools#560
Previously, convertSliceToMap would panic when encountering environment
variable entries without an '=' character. This could occur when a container
config has a bare environment variable (e.g., 'FOO' with no value).

The fix checks the length of the split pair and treats missing values as
empty strings, which matches Docker's handling of such variables.

Fixes GoogleContainerTools#280
Enable exposed ports metadata tests to match ports declared with a protocol
(e.g. '53/udp'). Previously, drivers stripped the protocol from ports, so
test expectations like '53/udp' would never match.

Changes:
- Remove protocol stripping in drivers (host, tar, docker): preserve the
  protocol suffix in normalized port lists
- Add PortInList utility function with smart protocol matching:
  - Bare port '53' matches any protocol ('53/tcp', '53/udp')
  - Qualified port '53/udp' matches only exact protocol
  - Backward compatible with existing bare port tests
- Update metadata test to use PortInList for port matching
- Add comprehensive tests covering exact match, bare port, protocol
  mismatch, and multiple port scenarios

Fixes GoogleContainerTools#240
Addresses code review finding: add comprehensive tests for the UnexposedPorts
path which represents half of the port matching logic usage.

New test cases cover:
- Port not exposed with exact protocol
- Bare port not exposed
- Bare port exposed (test should fail)
- Exact protocol port exposed (test should fail)
- Protocol mismatch passes unexposed test
- Multiple unexposed ports with partial exposure

All tests pass, ensuring UnexposedPorts logic correctly mirrors
ExposedPorts behavior with protocol awareness.
…gleContainerTools#276)

The tar driver extracts the image and chmods each regular file to its
recorded mode as the (often non-root) test user. On some platforms
(notably macOS/BSD) a non-root user cannot set the setuid/setgid/sticky
bits via chmod, which returns EPERM and aborts extraction before any
assertion runs (upstream GoogleContainerTools#276).

Retry the chmod without the special bits when the initial call fails, so
extraction proceeds. Where the OS permits the special bits (e.g. Linux)
the first chmod succeeds and they are preserved.

Note: this is defensive. The failure does not reproduce on our macOS
(chmod succeeds here) or Linux, so the fallback path is not exercised by
the test; the added test only asserts that setuid files extract cleanly.
- Upgrade github.com/fsouza/go-dockerclient from v1.12.3 to v1.13.2
- v1.13.2 includes Docker Engine v29 support (from upstream PR #1166)
- Bump Go version from 1.24.0 to 1.25.5 (required by updated dependencies)
- Update transitive dependencies:
  - moby/sys/sequential v0.6.0 → v0.7.0
  - docker/go-connections v0.5.0 → v0.7.0
  - moby/go-archive v0.1.0 → v0.2.0
  - moby/moby/api v1.55.0 (new)
  - moby/moby/client v0.5.0 (new)
  - pgregory.net/rapid v1.2.0 (new, transitive test dependency)
- Regenerate Bazel dependencies (bazel/test/go_deps.bzl)
- All existing unit tests pass; no API changes required in docker_driver.go
go-dockerclient v1.13.2 (landed for Docker v29 support) declares
`go 1.25.5`. rules_go 0.61.1 defaults to go 1.25.0, so bazel's go_deps
fetch failed with "requires go >= 1.25.5 (running go 1.25.0)" across the
PR-unit Bazel step and every bazel/test smoke job.

Pin the SDK to 1.25.5 in both module systems: a go_sdk.download in the
root MODULE.bazel (bzlmod) and bump go_register_toolchains in
bazel/test/WORKSPACE.bazel (1.24.12 -> 1.25.5). Verified locally: root
bzlmod build of //cmd + //pkg and the bazel/test smoke //:test pass in
both bzlmod and workspace modes.
The @v7 reusable workflow hardcoded Bazel 8.0.0rc1 as the second matrix
version. 8.0.0rc1 sets an obsolete GOEXPERIMENT (coverageredesign) when
building the go 1.25.5 stdlib (required by go-dockerclient v1.13.2),
failing the WORKSPACE-mode smoke test. v7.7.0 pins stable Bazel 8.0.0,
which handles go 1.25.5 correctly (verified locally: bazel/test //:test
passes under 8.0.0 in both bzlmod and workspace modes).

Follow-up: re-evaluate the full matrix (bazel/test/.bazelversion 7.4.1,
rules_go WORKSPACE 0.55.1 vs bzlmod 0.61.1) against the current ecosystem.
Bazel 8 stopped auto-registering the builtin sh toolchain in WORKSPACE
mode, so the bazel/test smoke sh_test failed toolchain resolution for
@bazel_tools//tools/sh:toolchain_type on the "Bazel 8.0.0 x WORKSPACE"
CI leg. Add rules_shell v0.8.0 and register its toolchains in the smoke
module's WORKSPACE.bazel.

The failure is specific to the fresh CI Linux environment and does not
reproduce locally (macOS resolves a host sh toolchain), so this is
verified by CI rather than locally; a clean-cache local build confirms
rules_shell fetches (sha ok) and the smoke test still passes with no
regression to the 7.4.1-workspace or bzlmod legs.
The container_structure_test rule declared @bazel_tools//tools/sh:toolchain_type
in its `toolchains` list, but the implementation never consumes it (it uses only
the jq and structure_test toolchains; the launcher is written via
ctx.actions.write(is_executable=True) and exec'd by its shebang, and a custom
test=True rule runs DefaultInfo.executable directly — the sh toolchain is only
needed by native sh_test/sh_binary).

Bazel 8 removed auto-registration of that legacy toolchain in WORKSPACE mode, so
resolving the declared-but-unused type failed ("No matching toolchains found for
@@bazel_tools//tools/sh:toolchain_type") on the Bazel 8 x WORKSPACE CI leg and
for real WORKSPACE consumers on Bazel 8. Removing the unused declaration fixes it
at the source with no consumer-side registration and no new dependency. The prior
rules_shell attempt was reverted (it registered a different toolchain type).

Verified locally (clean cache): bazel/test //:test passes under bzlmod, and under
--enable_workspace on both 8.0.0 and 7.4.1. The Bazel-8 x WORKSPACE failure does
not reproduce on macOS (host sh toolchain is found), so CI on Linux is the
authoritative verifier.
rules_go 0.55.1 fails to build the go 1.25.5 stdlib (required by
go-dockerclient v1.13.2 / Docker v29) because it still sets the
`coverageredesign` GOEXPERIMENT that go 1.25 removed, failing the
Bazel 8.0.0 x WORKSPACE CI leg with "unknown GOEXPERIMENT coverageredesign".

0.60.0 is the newest rules_go release in the viable window: coverageredesign
support landed in 0.56.0 (commit 2af3f27a), and the bool_setting(scope=...)
that requires Bazel >= 8.3 in WORKSPACE mode landed in 0.61.1 (commit
9dd98204). So 0.56.0..0.61.0 support go 1.25.5 AND analyze in WORKSPACE mode
on Bazel 7.4.1 and 8.0.0; 0.60.0 maximizes the go-version ceiling within it.
bzlmod stays on 0.61.1 (unaffected). Integrity independently verified.

Verified locally (clean cache): //:test builds and passes under --enable_workspace
on both 8.0.0 and 7.4.1. The coverageredesign failure is fresh-Linux-specific and
does not reproduce on macOS, so CI is the authoritative verifier of the fix.
…eContainerTools#17, #9)

Clears GHSA-mh2q-q3fh-2475 (otel multi-value baggage DoS) and
GHSA-p436-gjf2-799p (docker/cli plugin search-path LPE on Windows). Both are
`// indirect` and not reachable in cst's execution path (cst is a docker client
via go-dockerclient), so this is alert hygiene. MVS also advanced
otel/metric, otel/trace, and auto/sdk cohesively. Bazel WORKSPACE go_deps.bzl
regenerated; root MODULE.bazel.lock already consistent (bazelisk mod tidy no-op).
Removes EOL docker/docker v28.5.2 from dependency graph entirely. go-cr v0.21.7
migrated to moby/moby/api + moby/moby/client, clearing six Dependabot moby alerts.

Changes:
- Upgrade go-containerregistry to v0.21.7
- Remove docker/docker and docker/distribution indirect dependencies
- Update bazel deps for both bzlmod (MODULE.bazel) and WORKSPACE systems
- Remove gazelle_override for docker/docker since it's no longer a dependency
- Update go.mod and go.sum

All tests pass. Build succeeds. go mod graph confirms docker/docker absence.
The unit-test workflow triggered on all pushes and pull requests, so
every same-repo PR branch ran each build twice. Limit the push trigger
to main, keeping pull_request for PR coverage, and update the
concurrency cancel-in-progress ref from master to main (the default
branch) so main builds are never cancelled.

Also fix pre-existing zizmor findings in this file: pin setup-go,
setup-crane, and checkout to commit SHAs, and set
persist-credentials: false on checkout.
@google-cla

google-cla Bot commented Jul 6, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@thomasdesr

Copy link
Copy Markdown
Author

🤖 Opened against the wrong repo (meant for the anyscale fork), sorry for the noise.

@thomasdesr thomasdesr closed this Jul 6, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for OCI layouts and multi-arch image indexes, adds new container run options (such as network, sysctls, and drop capabilities), and updates the Bazel integration to use Bzlmod. It also enhances the CLI with a new --test-report-format flag and secures the Tar driver against directory traversal escapes. The review feedback highlights two important issues: a potential regression where an empty platform string causes platform parsing to fail on multi-arch layouts, and a resource leak in the integration test script where a temporary directory is not cleaned up.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +235 to +239
if desc.MediaType.IsIndex() {
requirements, err := v1.ParsePlatform(platform)
if err != nil {
return nil, v1.Descriptor{}, errors.Wrapf(err, "parsing platform %q", platform)
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

If platform is empty (which is now the default in both the Bazel rule and the CLI), v1.ParsePlatform("") will fail with an error.

To prevent this regression and support running tests on multi-arch OCI layouts without requiring an explicit platform flag, we should default platform to a sensible value (such as "linux/" + runtime.GOARCH) when it is empty.

Please import "runtime" and default the platform when empty.

	if desc.MediaType.IsIndex() {
		if platform == "" {
			platform = "linux/" + runtime.GOARCH
		}
		requirements, err := v1.ParsePlatform(platform)
		if err != nil {
			return nil, v1.Descriptor{}, errors.Wrapf(err, "parsing platform %q", platform)
		}
	}

Comment on lines +300 to +301
echo "PASS: oci image index test case"
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The temporary directory tmp_index created via mktemp -d on line 288 is never deleted, which leaks temporary directories on the host machine.

Please clean it up after the test completes.

Suggested change
echo "PASS: oci image index test case"
fi
echo "PASS: oci image index test case"
fi
rm -rf "$tmp_index"

@thomasdesr thomasdesr deleted the thomas/dedupe-pr-ci branch July 6, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants