ci: stop duplicate PR builds; pin actions to SHAs#564
Conversation
…eContainerTools#538) Co-authored-by: Eric Higgins <eric-higgins-ai@users.noreply.github.com> Upstream-PR: GoogleContainerTools#538
…Tools#543) Co-authored-by: Tom van der Woerdt <TvdW@users.noreply.github.com> Upstream-PR: GoogleContainerTools#543
) Co-authored-by: Benjamin Peterson <benjaminp@users.noreply.github.com> Upstream-PR: GoogleContainerTools#485
Also pulls spf13/pflag v1.0.9. Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#536
Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#540
…eContainerTools#494) Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#494
…ols#488) Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#488
Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#513
…Tools#551) Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#551
Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#561
) Co-authored-by: dependabot[bot] <support@github.com> Upstream-PR: GoogleContainerTools#556
Adopt clean-merge upstream PRs (batch 1)
…ontainerTools#555) Adopt upstream security fix that confines tar driver path resolution to the extracted image root, preventing tar-slip and symlink-escape attacks where archive entries reference paths outside the image filesystem. Upstream-PR: GoogleContainerTools#555 Co-authored-by: Francesco Sabiu <fsabiu@users.noreply.github.com>
FileExistenceTest.Validate() constructed an fmt.Errorf for the empty-Path
case but never returned it, so the function fell through to return nil. A
test definition missing the required `path` field passed validation and was
executed (driver.StatFile("")) instead of being skipped with a clear error,
unlike the matching FileContentTest.Validate which returns the error.
Add the missing return and a table test covering missing-name, missing-path,
and valid cases. Clears the 'result of fmt.Errorf call not used' go vet finding.
fix: surface dropped error in file_existence check
…ment Adopt GoogleContainerTools#555: constrain tar driver paths to image root
…rTools#554) Adopt upstream support for loading an OCI image layout directory through the tar driver, rebased on the GoogleContainerTools#555 root-confinement changes. The tar driver now accepts an OCI layout via DriverConfig.OCILayout: it loads the single image from the layout, extracts its filesystem, and serves reads through the existing root-confined path resolver. Adds ImageFromOCILayout and ImageFromV1 in internal/pkgutil, with unit tests covering filesystem extraction, single-image layout loading, a missing layout path, and rejection of multi-entry layouts. The original PR shipped no Go tests; these are added here. Drops the MODULE.bazel.lock dependency bumps bundled in the upstream PR; those belong to the bazel cluster. Upstream-PR: GoogleContainerTools#554 Co-authored-by: Malte Poll <malt3@users.noreply.github.com>
Adds a drop_capabilities option to containerRunOptions, wiring it to HostConfig.CapDrop. Renames the Capabilities struct field to CapAdd (yaml tag stays "capabilities" for config compatibility) and adds the new CapDrop field (yaml "drop_capabilities"). Reconciled with GoogleContainerTools#538: hostConfig() continues to set the deprecated HostConfig.Capabilities field (honored on docker API <1.40) from the renamed CapAdd, alongside HostConfig.CapAdd and HostConfig.CapDrop. Upstream-PR: GoogleContainerTools#390
Allow specifying namespaced kernel parameters (--sysctl) in containerRunOptions, wired into the Docker HostConfig. Upstream-PR: GoogleContainerTools#480
…ls#548) Adds a network run option (yaml: network) that maps to the container's HostConfig.NetworkMode, allowing tests to select bridge/host/none network modes. Refactors hostConfig() into a single composable builder so run options and runtime are no longer mutually exclusive, fixing a latent bug where fields were dropped when both were set. Upstream-PR: GoogleContainerTools#548
…GoogleContainerTools#559) On Windows the extensionless toolchain binary triggers an "Open With" dialog, so Bazel reports the structure test as PASSED while running zero tests (silent false-pass, issue GoogleContainerTools#557). Declare a .exe symlink and use it as test_bin before its consumers, gated on the existing is_windows computation (which is hoisted up and de-duplicated). Linux/macOS are unaffected. Co-authored-by: peakschris <77508021+peakschris@users.noreply.github.com> Upstream-PR: GoogleContainerTools#559
…#503) Adapts upstream PR GoogleContainerTools#503 ("Add support for multi-arch image indexes") to the fork. Upstream placed the index-selection logic inline in test.go, but the fork's GoogleContainerTools#554 since centralized OCI-layout loading into pkgutil.ImageFromOCILayout (shared by the Docker daemon path and the Tar driver). The platform-based selection is added there instead, so both drivers gain multi-arch support. ImageFromOCILayout now takes a platform string; callers pass opts.Platform / args.Platform. Two fork-authored changes beyond the upstream diff: - Nil-platform guard: v1.Descriptor.Platform is a nil-able *v1.Platform (OCI permits an index descriptor with no platform), and Satisfies has a value receiver, so the upstream desc.Platform.Satisfies(...) call panics with a nil dereference on such descriptors. findImageInIndex now skips any descriptor whose Platform is nil. Covered by a unit test that panics without the guard and passes with it. - parsePlatform replaced with go-containerregistry's v1.ParsePlatform, which accepts variants (e.g. linux/arm/v7) that the hand-rolled parser rejected. Also fixes the bundled shell test: numeric comparison uses -lt instead of the string operator <, and the multi-arch temp dir no longer clobbers the $tmp used by the following tar-driver test. Co-authored-by: Joel Sing <jsing@canva.com> Upstream-PR: GoogleContainerTools#503
…t (upstream GoogleContainerTools#539) Adds a --test-report-format flag (json|junit) so the test report file format is independent of stdout. Previously --test-report forced JSON output and silenced human-readable stdout. ProcessResults now writes the machine report to a separate reportOut writer while stdout keeps its configured format. Also switches the Bazel rule from --output junit to --test-report-format junit so `bazel test` failures show full detail on stdout (captured as test.log) instead of only "FAIL", while still writing JUnit XML to $XML_OUTPUT_FILE. Adds unit tests for the dual-output and no-report paths (upstream shipped none). Co-authored-by: Vincent Rose <vinnybod@users.noreply.github.com> Upstream-PR: GoogleContainerTools#539
Bump the go directive (required by the containerd v1.7.33 / x/crypto v0.47.0 dependency bumps) and align the integration-tests workflow setup-go pin to ^1.24. go 1.24's stricter printf analyzer now treats non-constant format strings as vet build failures, so wrap the five affected call sites with an explicit "%s" format (or the non-f log variant) to keep go test green.
…VE fixes containerd v1.7.33 picks up CVE-2026-53488/47262 and the go-jose fix (stays in the 1.7.x patch series). x/crypto v0.47.0 picks up the SSH GSSAPI DoS and agent panic fixes. go mod tidy pulled the expected transitive bumps (x/sys, x/net, x/text, etc.); docker/docker, docker/cli, go-containerregistry, and fsouza/go-dockerclient are unchanged. Upstream-PR: GoogleContainerTools#562 Upstream-PR: GoogleContainerTools#541
…leContainerTools#511) Make the Go source buildable and testable via Bazel using rules_go and gazelle, alongside the existing container_structure_test rule wiring. - Add bazel_dep on rules_go 0.61.1 and gazelle 0.51.3. - Wire gazelle's go_deps extension from go.mod and use_repo the direct module dependencies. - Add a root gazelle target with the module prefix; exclude bazel/ so the hand-written rule BUILD files are not clobbered. - Disable proto rule generation for github.com/docker/docker so gazelle uses its checked-in plugin.pb.go instead of recompiling the .proto via protoc (which would pull in the protobuf C++ toolchain). - Generate BUILD.bazel for cmd/, pkg/, internal/, testutil/. - Regenerate MODULE.bazel.lock. Co-authored-by: njlr <github@njlr.dev> Upstream-PR: GoogleContainerTools#511
…nerTools#511) Add a Bazel build/test step to the PR unit test workflow so the newly generated Go go_library/go_binary/go_test targets are covered by CI. The existing bazel.yaml workflow only runs in bazel/test (the rule consumer), so //... at the repo root was previously unexercised. Scoped to ubuntu-latest; the macos-12 leg is known to hang. Co-authored-by: njlr <github@njlr.dev> Upstream-PR: GoogleContainerTools#511
The bazel/test rule smoke-test runs against the pinned prebuilt release (repositories.bzl _VERSION=v1.22.0), which predates the sysctls field added in GoogleContainerTools#480, so it could not parse the fixture and //:test failed on every commit since e9291d6. The fixture validates rule wiring, not new binary features, so it must only use fields the pinned release supports. The sysctls feature itself (pkg/types + docker driver) is unaffected.
The bazel/test smoke-test used a structure_test_toolchain backed by the downloaded v1.22.0 release (repositories.bzl _VERSION) while consuming HEAD's rule via local_path_override. HEAD's rule passes --test-report-format junit (GoogleContainerTools#539), which the pinned release rejects, so //:test failed on every commit. Pinning the fixture to old-binary fields masked the mismatch instead of testing HEAD's rule against HEAD's binary. Wire a from-source toolchain and make smoke resolution prefer it: - bazel/BUILD.bazel: add //bazel:from_source_structure_test (a structure_test_toolchain whose binary is the rules_go go_binary //cmd/container-structure-test) plus its //bazel:..._toolchain target. The download path (repositories.bzl) is untouched; real consumers still get the release toolchain. - bazel/test/MODULE.bazel: register the from-source toolchain first so resolution prefers it over the registered release toolchains (the root module's registrations precede its dependencies'), and depend on rules_go under its io_bazel_rules_go name so Go build settings such as --@io_bazel_rules_go//go/config:pure resolve in this root module. - MODULE.bazel + .bazelrc + bazel/test/.bazelrc: isolate the go_deps extension usage. The docker proto-disable gazelle_override is forbidden in non-root modules; isolation lets it apply when bazel/test consumes this module as a dependency to build the from-source binary. --experimental_isolated_extension_usages enables the isolate flag. - bazel/test/.bazelversion: 6.1.1 -> 7.4.1; 6.1.1 cannot resolve the cross-module rules_go apparent name needed to build the Go binary. - bazel/test/test.yaml: restore the sysctls fixture (dropped in c7a5500 because the old release could not parse it). HEAD's binary supports containerRunOptions.sysctls, so the smoke-test exercises it again.
The bazel/test smoke-test registered the from-source structure_test toolchain (which compiles HEAD's //cmd/container-structure-test go_binary) only in MODULE.bazel. Under --enable_bzlmod=false --enable_workspace, MODULE.bazel is ignored, so toolchain resolution fell back to the downloaded v1.22.0 release registered by container_structure_test_register_toolchain in WORKSPACE.bazel. HEAD's rule passes --test-report-format junit (GoogleContainerTools#539), which the release binary rejects, so //:test failed in WORKSPACE mode: level=fatal msg="unknown flag: --test-report-format" Wire the from-source toolchain into WORKSPACE mode so it is preferred there too: - bazel/test/WORKSPACE.bazel: register @container_structure_test//bazel:from_source_structure_test_toolchain ahead of the release toolchains (earliest matching registration wins in WORKSPACE mode, mirroring the bzlmod ordering). The repo is bzlmod-only (empty root WORKSPACE.bazel), so reconstruct the rules_go + gazelle + go_deps wiring the root MODULE.bazel provides under bzlmod. Pin rules_go 0.55.1 (bzlmod uses 0.61.1): rules_go 0.61's bool_setting(scope=...) is only accepted in WORKSPACE mode on Bazel >= 8.3, so it fails on the 8.0.0rc1 CI leg; 0.55.1 predates the scope attribute. Register Go SDK 1.24.12 (gazelle's bundled tools require it) and point gazelle's repo-config scan at WORKSPACE.bazel (default @//:WORKSPACE does not exist). - bazel/test/go_deps.bzl: generated go_repository macro for the go.mod tree, with com_github_docker_docker carrying gazelle:proto disable_global to mirror the bzlmod gazelle_override (docker ships a pre-generated plugin.pb.go). - bazel/test/README.md: document that both module systems now build the binary from source; drop the obsolete manual binary-swap instructions. The download/release path in repositories.bzl is untouched: real WORKSPACE consumers still get the release toolchain via container_structure_test_register_toolchain and need no rules_go. Verified //:test PASSES selecting the from-source toolchain in both bzlmod and WORKSPACE mode on bazel 8.0.0rc1 and 7.4.1 (clean --expunge).
The step exists to verify the Go code builds/tests via rules_go+gazelle (GoogleContainerTools#511). Running //... from the root also pulled in //bazel/test (the rule's smoke test, already covered as its own module by the dedicated Bazel workflow, and lacking the from-source toolchain in the root context) and //bazel/docs:update_test (stardoc doc-freshness, stale after the .bzl changes in GoogleContainerTools#543/GoogleContainerTools#539 and unrelated to this step). Scope to //cmd //pkg //internal //testutil.
…GoogleContainerTools#539; restore CI doc-freshness check The platform attr lost its default="linux/amd64" in GoogleContainerTools#543 (now optional with implicit empty default), leaving bazel/docs/defs.md stale. //bazel/docs:update_test was failing on the drift, which is why the integration-tests Bazel step had been scoped down to exclude //bazel/docs. Hand-updated defs.md (stardoc cannot build locally on the Nix macOS env, which lacks Xcode CLT) and re-added the doc-freshness check as a separate line so it cannot silently rot again.
The macos-12 matrix entry pointed at a retired runner, so the PR unit tests (macos-12) job never started and hung ~24h before being cancelled, perma-blocking the run's overall status. macos-12 and macos-13 are both retired, and GitHub's Apple Silicon macOS runners cannot run colima (no nested virtualization, HV_UNSUPPORTED). macos-15-intel is the only GitHub-hosted macOS runner that can run a Docker daemon. Set Docker up there via the SHA-pinned douglascamata/setup-docker-macos-action, which installs colima + the Docker CLI and sets the active docker context, so make test reaches the daemon without a hardcoded DOCKER_HOST socket path. The macOS step now gates on runner.os == 'macOS'; the bazel step stays ubuntu-only.
Bump go-containerregistry to v0.20.7, which transitively pulls docker/docker v28.5.2+incompatible and docker/cli v29.0.3+incompatible (replacing v27.1.1 / v25.0.3). docker v28 drops the heavy containerd/containerd v1.7.33 dependency in favor of containerd/errdefs; OpenTelemetry, klauspost/compress, vbatts/tar-split and friends move forward accordingly. Upstream-PR: GoogleContainerTools#535 Upstream-PR: GoogleContainerTools#506 Upstream-PR: GoogleContainerTools#550
Independent of the docker v28 stack bump: go-dockerclient v1.11.2 already compiles against docker v28.5.2, so this is a clean follow-on upgrade (adds moby/go-archive v0.1.0, moby/sys/user v0.4.0). Upstream-PR: GoogleContainerTools#531
Mirror the bumped go.mod tree into bazel/test/go_deps.bzl via `bazel run //:gazelle -- update-repos -from_file=go.mod -to_macro=bazel/test/go_deps.bzl%go_dependencies -prune`. The com_github_docker_docker proto-disable build_directives and the @bazel_gazelle load reference are preserved. bzlmod's use_repo (MODULE.bazel) needs no change since the direct dependency set is unchanged; `bazelisk mod tidy` reports no drift. Upstream-PR: GoogleContainerTools#535 Upstream-PR: GoogleContainerTools#531
The macOS leg's setup configures colima's docker CLI *context*, but the container-structure-test binary uses go-dockerclient, which reads DOCKER_HOST and ignores docker contexts -- so it fell back to /var/run/docker.sock (absent under colima) and every docker-driver test failed (tar/host drivers passed). Export DOCKER_HOST from colima's context endpoint.
These cases need QEMU/binfmt emulation + a multi-platform image store and assert the Linux Docker daemon's exact error wording. colima's Docker on macOS provides none of those, so they failed there while every native/driver/OCI/run-opts case passed (16/18). Gate them behind a Linux uname check; the native-platform case still runs everywhere. Keeps full cross-platform coverage on the Linux leg.
host_driver.go constructed unversioned.EnvVar with positional fields, the sole 'go vet ./...' finding (composite literal uses unkeyed fields). Name the fields; go vet ./... now exits clean.
The tar driver extracts the image filesystem to disk and inspects it as the (often non-root) test user. A directory shipped without the owner execute bit (e.g. /licenses at 0644) could neither be populated during extraction nor traversed during assertions, so any fileExistenceTest on a file inside it failed with "permission denied" before any assertion ran. The temp-permission logic only forced the owner *write* bit; it never added owner *execute*, and the deferred restore put the restrictive mode back before the driver read anything. Force owner rwx on extracted directories, and on restore keep the owner-execute bit so the tree stays traversable. Directories that already have owner-execute (the universal 0755/0555 case) are untouched; a directory shipped without it is reported with that bit added, the minimum needed for a non-root process to inspect its contents.
When using the docker driver with OCI images, the bazel launcher loads an image under a dynamic tag (cst.oci.local/$DIGEST:$DIGEST) but never removes it from the Docker daemon after the test completes. This causes disk space to accumulate as large OCI images are left orphaned. Add a cleanup trap that runs on EXIT to remove only the image this run loaded, using the captured TEST_TAG. The trap: - Runs on both success and failure (EXIT fires in both cases) - Is skipped only if docker rmi fails (|| true prevents errors) - Properly preserves the test's exit code via explicit exit $? Fixes issue GoogleContainerTools#560
Previously, convertSliceToMap would panic when encountering environment variable entries without an '=' character. This could occur when a container config has a bare environment variable (e.g., 'FOO' with no value). The fix checks the length of the split pair and treats missing values as empty strings, which matches Docker's handling of such variables. Fixes GoogleContainerTools#280
Enable exposed ports metadata tests to match ports declared with a protocol
(e.g. '53/udp'). Previously, drivers stripped the protocol from ports, so
test expectations like '53/udp' would never match.
Changes:
- Remove protocol stripping in drivers (host, tar, docker): preserve the
protocol suffix in normalized port lists
- Add PortInList utility function with smart protocol matching:
- Bare port '53' matches any protocol ('53/tcp', '53/udp')
- Qualified port '53/udp' matches only exact protocol
- Backward compatible with existing bare port tests
- Update metadata test to use PortInList for port matching
- Add comprehensive tests covering exact match, bare port, protocol
mismatch, and multiple port scenarios
Fixes GoogleContainerTools#240
Addresses code review finding: add comprehensive tests for the UnexposedPorts path which represents half of the port matching logic usage. New test cases cover: - Port not exposed with exact protocol - Bare port not exposed - Bare port exposed (test should fail) - Exact protocol port exposed (test should fail) - Protocol mismatch passes unexposed test - Multiple unexposed ports with partial exposure All tests pass, ensuring UnexposedPorts logic correctly mirrors ExposedPorts behavior with protocol awareness.
…gleContainerTools#276) The tar driver extracts the image and chmods each regular file to its recorded mode as the (often non-root) test user. On some platforms (notably macOS/BSD) a non-root user cannot set the setuid/setgid/sticky bits via chmod, which returns EPERM and aborts extraction before any assertion runs (upstream GoogleContainerTools#276). Retry the chmod without the special bits when the initial call fails, so extraction proceeds. Where the OS permits the special bits (e.g. Linux) the first chmod succeeds and they are preserved. Note: this is defensive. The failure does not reproduce on our macOS (chmod succeeds here) or Linux, so the fallback path is not exercised by the test; the added test only asserts that setuid files extract cleanly.
- Upgrade github.com/fsouza/go-dockerclient from v1.12.3 to v1.13.2 - v1.13.2 includes Docker Engine v29 support (from upstream PR #1166) - Bump Go version from 1.24.0 to 1.25.5 (required by updated dependencies) - Update transitive dependencies: - moby/sys/sequential v0.6.0 → v0.7.0 - docker/go-connections v0.5.0 → v0.7.0 - moby/go-archive v0.1.0 → v0.2.0 - moby/moby/api v1.55.0 (new) - moby/moby/client v0.5.0 (new) - pgregory.net/rapid v1.2.0 (new, transitive test dependency) - Regenerate Bazel dependencies (bazel/test/go_deps.bzl) - All existing unit tests pass; no API changes required in docker_driver.go
go-dockerclient v1.13.2 (landed for Docker v29 support) declares `go 1.25.5`. rules_go 0.61.1 defaults to go 1.25.0, so bazel's go_deps fetch failed with "requires go >= 1.25.5 (running go 1.25.0)" across the PR-unit Bazel step and every bazel/test smoke job. Pin the SDK to 1.25.5 in both module systems: a go_sdk.download in the root MODULE.bazel (bzlmod) and bump go_register_toolchains in bazel/test/WORKSPACE.bazel (1.24.12 -> 1.25.5). Verified locally: root bzlmod build of //cmd + //pkg and the bazel/test smoke //:test pass in both bzlmod and workspace modes.
The @v7 reusable workflow hardcoded Bazel 8.0.0rc1 as the second matrix version. 8.0.0rc1 sets an obsolete GOEXPERIMENT (coverageredesign) when building the go 1.25.5 stdlib (required by go-dockerclient v1.13.2), failing the WORKSPACE-mode smoke test. v7.7.0 pins stable Bazel 8.0.0, which handles go 1.25.5 correctly (verified locally: bazel/test //:test passes under 8.0.0 in both bzlmod and workspace modes). Follow-up: re-evaluate the full matrix (bazel/test/.bazelversion 7.4.1, rules_go WORKSPACE 0.55.1 vs bzlmod 0.61.1) against the current ecosystem.
Bazel 8 stopped auto-registering the builtin sh toolchain in WORKSPACE mode, so the bazel/test smoke sh_test failed toolchain resolution for @bazel_tools//tools/sh:toolchain_type on the "Bazel 8.0.0 x WORKSPACE" CI leg. Add rules_shell v0.8.0 and register its toolchains in the smoke module's WORKSPACE.bazel. The failure is specific to the fresh CI Linux environment and does not reproduce locally (macOS resolves a host sh toolchain), so this is verified by CI rather than locally; a clean-cache local build confirms rules_shell fetches (sha ok) and the smoke test still passes with no regression to the 7.4.1-workspace or bzlmod legs.
…E mode" This reverts commit e8b99a8.
The container_structure_test rule declared @bazel_tools//tools/sh:toolchain_type
in its `toolchains` list, but the implementation never consumes it (it uses only
the jq and structure_test toolchains; the launcher is written via
ctx.actions.write(is_executable=True) and exec'd by its shebang, and a custom
test=True rule runs DefaultInfo.executable directly — the sh toolchain is only
needed by native sh_test/sh_binary).
Bazel 8 removed auto-registration of that legacy toolchain in WORKSPACE mode, so
resolving the declared-but-unused type failed ("No matching toolchains found for
@@bazel_tools//tools/sh:toolchain_type") on the Bazel 8 x WORKSPACE CI leg and
for real WORKSPACE consumers on Bazel 8. Removing the unused declaration fixes it
at the source with no consumer-side registration and no new dependency. The prior
rules_shell attempt was reverted (it registered a different toolchain type).
Verified locally (clean cache): bazel/test //:test passes under bzlmod, and under
--enable_workspace on both 8.0.0 and 7.4.1. The Bazel-8 x WORKSPACE failure does
not reproduce on macOS (host sh toolchain is found), so CI on Linux is the
authoritative verifier.
rules_go 0.55.1 fails to build the go 1.25.5 stdlib (required by go-dockerclient v1.13.2 / Docker v29) because it still sets the `coverageredesign` GOEXPERIMENT that go 1.25 removed, failing the Bazel 8.0.0 x WORKSPACE CI leg with "unknown GOEXPERIMENT coverageredesign". 0.60.0 is the newest rules_go release in the viable window: coverageredesign support landed in 0.56.0 (commit 2af3f27a), and the bool_setting(scope=...) that requires Bazel >= 8.3 in WORKSPACE mode landed in 0.61.1 (commit 9dd98204). So 0.56.0..0.61.0 support go 1.25.5 AND analyze in WORKSPACE mode on Bazel 7.4.1 and 8.0.0; 0.60.0 maximizes the go-version ceiling within it. bzlmod stays on 0.61.1 (unaffected). Integrity independently verified. Verified locally (clean cache): //:test builds and passes under --enable_workspace on both 8.0.0 and 7.4.1. The coverageredesign failure is fresh-Linux-specific and does not reproduce on macOS, so CI is the authoritative verifier of the fix.
…eContainerTools#17, #9) Clears GHSA-mh2q-q3fh-2475 (otel multi-value baggage DoS) and GHSA-p436-gjf2-799p (docker/cli plugin search-path LPE on Windows). Both are `// indirect` and not reachable in cst's execution path (cst is a docker client via go-dockerclient), so this is alert hygiene. MVS also advanced otel/metric, otel/trace, and auto/sdk cohesively. Bazel WORKSPACE go_deps.bzl regenerated; root MODULE.bazel.lock already consistent (bazelisk mod tidy no-op).
Removes EOL docker/docker v28.5.2 from dependency graph entirely. go-cr v0.21.7 migrated to moby/moby/api + moby/moby/client, clearing six Dependabot moby alerts. Changes: - Upgrade go-containerregistry to v0.21.7 - Remove docker/docker and docker/distribution indirect dependencies - Update bazel deps for both bzlmod (MODULE.bazel) and WORKSPACE systems - Remove gazelle_override for docker/docker since it's no longer a dependency - Update go.mod and go.sum All tests pass. Build succeeds. go mod graph confirms docker/docker absence.
The unit-test workflow triggered on all pushes and pull requests, so every same-repo PR branch ran each build twice. Limit the push trigger to main, keeping pull_request for PR coverage, and update the concurrency cancel-in-progress ref from master to main (the default branch) so main builds are never cancelled. Also fix pre-existing zizmor findings in this file: pin setup-go, setup-crane, and checkout to commit SHAs, and set persist-credentials: false on checkout.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
🤖 Opened against the wrong repo (meant for the anyscale fork), sorry for the noise. |
There was a problem hiding this comment.
Code Review
This pull request introduces support for OCI layouts and multi-arch image indexes, adds new container run options (such as network, sysctls, and drop capabilities), and updates the Bazel integration to use Bzlmod. It also enhances the CLI with a new --test-report-format flag and secures the Tar driver against directory traversal escapes. The review feedback highlights two important issues: a potential regression where an empty platform string causes platform parsing to fail on multi-arch layouts, and a resource leak in the integration test script where a temporary directory is not cleaned up.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if desc.MediaType.IsIndex() { | ||
| requirements, err := v1.ParsePlatform(platform) | ||
| if err != nil { | ||
| return nil, v1.Descriptor{}, errors.Wrapf(err, "parsing platform %q", platform) | ||
| } |
There was a problem hiding this comment.
If platform is empty (which is now the default in both the Bazel rule and the CLI), v1.ParsePlatform("") will fail with an error.
To prevent this regression and support running tests on multi-arch OCI layouts without requiring an explicit platform flag, we should default platform to a sensible value (such as "linux/" + runtime.GOARCH) when it is empty.
Please import "runtime" and default the platform when empty.
if desc.MediaType.IsIndex() {
if platform == "" {
platform = "linux/" + runtime.GOARCH
}
requirements, err := v1.ParsePlatform(platform)
if err != nil {
return nil, v1.Descriptor{}, errors.Wrapf(err, "parsing platform %q", platform)
}
}| echo "PASS: oci image index test case" | ||
| fi |
There was a problem hiding this comment.
The temporary directory tmp_index created via mktemp -d on line 288 is never deleted, which leaks temporary directories on the host machine.
Please clean it up after the test completes.
| echo "PASS: oci image index test case" | |
| fi | |
| echo "PASS: oci image index test case" | |
| fi | |
| rm -rf "$tmp_index" |
The unit-test workflow triggered on every push and every pull request, so same-repo PR branches ran each build twice: once for the push event and once for the pull_request event.
pushtrigger tomain.pull_requeststill covers PRs, and merges to main keep their post-merge build.cancel-in-progressref: it compared againstrefs/heads/master, but the default branch ismain, so builds on main were cancellable. They no longer are.setup-go,setup-crane, andcheckoutto commit SHAs and setpersist-credentials: falseon checkout. These were pre-existing zizmor findings in this file; it now reports none.If any required status check comes from the push-triggered runs on PR branches, it will stop appearing once this lands; require the pull_request checks instead.