Conversation
This was referenced May 30, 2026
mvillmow
force-pushed
the
501-impl
branch
2 times, most recently
from
0fe9afc to
f5c240a
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
mvillmow
commented
Jun 19, 2026
mvillmow
left a comment
mvillmow
left a comment
Collaborator
Author
There was a problem hiding this comment.
Failed to parse structured output from analysis
mvillmow
commented
Jun 19, 2026
mvillmow
left a comment
mvillmow
left a comment
Collaborator
Author
There was a problem hiding this comment.
NOGO: CI never builds/starts the dev container; GIT_COMMIT/BUILD_UID/BUILD_GID unset so exec hits a missing/garbled container; host/container build split defeats the goal.
mvillmow
added a commit
that referenced
this pull request
Jun 19, 2026
…s, lint boundary - Add podman-version.env with pinned apt version (5.0.2+ds1-4ubuntu1) for Renovate-friendly version management - Source version pin in install step to prevent runner-image drift - Export GIT_COMMIT/BUILD_UID/BUILD_GID to $GITHUB_ENV so docker-compose.yml image tag and user: directive resolve correctly - Add actions/cache + podman save/load for dev image to avoid rebuilding on every CI run (keys on Containerfile/docker-compose.yml/conanfile.py hash) - Add explicit podman-compose up -d dev + readiness poll (10×2s) so build failures abort loudly instead of surfacing as confusing exec errors - Add cap_add: SYS_PTRACE and security_opt: seccomp:unconfined to dev service in docker-compose.yml for ASan/TSan sanitizer builds - Stabilize dev image tag to :latest and container_name to projectkeystone-dev - Wrap Configure CMake and Build with clang-tidy steps in podman-compose exec -T dev to maintain environment parity with make deps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mvillmow
commented
Jun 19, 2026
mvillmow
left a comment
mvillmow
left a comment
Collaborator
Author
There was a problem hiding this comment.
NOGO: missing conan profile detect breaks make deps in fresh container; cache-load skips rebuild without verifying :latest tag; fuzzy restore-keys + missing host sysctl for sanitizers.
mvillmow
added a commit
that referenced
this pull request
Jun 28, 2026
…s, lint boundary - Add podman-version.env with pinned apt version (5.0.2+ds1-4ubuntu1) for Renovate-friendly version management - Source version pin in install step to prevent runner-image drift - Export GIT_COMMIT/BUILD_UID/BUILD_GID to $GITHUB_ENV so docker-compose.yml image tag and user: directive resolve correctly - Add actions/cache + podman save/load for dev image to avoid rebuilding on every CI run (keys on Containerfile/docker-compose.yml/conanfile.py hash) - Add explicit podman-compose up -d dev + readiness poll (10×2s) so build failures abort loudly instead of surfacing as confusing exec errors - Add cap_add: SYS_PTRACE and security_opt: seccomp:unconfined to dev service in docker-compose.yml for ASan/TSan sanitizer builds - Stabilize dev image tag to :latest and container_name to projectkeystone-dev - Wrap Configure CMake and Build with clang-tidy steps in podman-compose exec -T dev to maintain environment parity with make deps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
mvillmow
added a commit
that referenced
this pull request
Jun 28, 2026
Addresses remaining self-review threads on the CI-migration action: - Verify the cache-restored image carries the projectkeystone-dev:latest tag after `podman load`; rebuild if a stale/mistagged tarball loaded (so it can no longer silently fail at `podman-compose up`). - Drop the broad `restore-keys: podman-` so a partial cache hit can no longer load a tarball built from a different Containerfile/conanfile; exact hashFiles key only, rebuild on any input change. - Set vm.mmap_rnd_bits=28 on the runner host so in-container ASan/TSan/LSan do not abort with shadow-memory mapping errors on the noble kernel. - Assert `podman info` reports rootless=true instead of merely printing it, so a rootful runner fails the step. - Defensively run `conan profile detect --exist-ok` in `make deps` before `conan install` (the dev image already detects a profile at build time). Refs #568 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
mvillmow
added a commit
that referenced
this pull request
Jun 29, 2026
…s, lint boundary - Add podman-version.env with pinned apt version (5.0.2+ds1-4ubuntu1) for Renovate-friendly version management - Source version pin in install step to prevent runner-image drift - Export GIT_COMMIT/BUILD_UID/BUILD_GID to $GITHUB_ENV so docker-compose.yml image tag and user: directive resolve correctly - Add actions/cache + podman save/load for dev image to avoid rebuilding on every CI run (keys on Containerfile/docker-compose.yml/conanfile.py hash) - Add explicit podman-compose up -d dev + readiness poll (10×2s) so build failures abort loudly instead of surfacing as confusing exec errors - Add cap_add: SYS_PTRACE and security_opt: seccomp:unconfined to dev service in docker-compose.yml for ASan/TSan sanitizer builds - Stabilize dev image tag to :latest and container_name to projectkeystone-dev - Wrap Configure CMake and Build with clang-tidy steps in podman-compose exec -T dev to maintain environment parity with make deps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
mvillmow
added a commit
that referenced
this pull request
Jun 29, 2026
Addresses remaining self-review threads on the CI-migration action: - Verify the cache-restored image carries the projectkeystone-dev:latest tag after `podman load`; rebuild if a stale/mistagged tarball loaded (so it can no longer silently fail at `podman-compose up`). - Drop the broad `restore-keys: podman-` so a partial cache hit can no longer load a tarball built from a different Containerfile/conanfile; exact hashFiles key only, rebuild on any input change. - Set vm.mmap_rnd_bits=28 on the runner host so in-container ASan/TSan/LSan do not abort with shadow-memory mapping errors on the noble kernel. - Assert `podman info` reports rootless=true instead of merely printing it, so a rootful runner fails the step. - Defensively run `conan profile detect --exist-ok` in `make deps` before `conan install` (the dev image already detects a profile at build time). Refs #568 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
mvillmow
added a commit
that referenced
this pull request
Jun 29, 2026
…stall-build-deps The NATIVE->Podman migration forced every required job to build the dev container from Containerfile (the cache key includes docker-compose.yml, which #568 changed, so #568 always cache-misses and rebuilds). The rebuild failed because 'pip install conan==2.0.0' can no longer build its pinned PyYAML 5.x sdist under modern setuptools/Cython: AttributeError: 'build_ext' object has no attribute 'cython_sources' This bricked the 'Install build dependencies' step of both lint and coverage. Relax the pin to 'conan>=2.0,<3' (resolves to a current conan 2.x with PyYAML 6.x), keeping the conan 2 major the conanfile.py API requires. Verified the container build + 'conan profile detect' succeed on ubuntu:24.04. Also replace the 'apt-cache madison podman >&2 || true' fallback diagnostic with an explicit if-guard so the forbid-suppressions required check (which rejects the '|| true' silent-failure idiom) passes without swallowing a real non-zero exit. Coverage floor is unchanged: scripts/generate_coverage.sh and the test set are identical to main; coverage only failed because the container build did. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Micah Villmow <4211002+mvillmow@users.noreply.github.com>
mvillmow
added a commit
that referenced
this pull request
Jun 29, 2026
…ed in install-build-deps The NATIVE->Podman migration forced every required job to build the dev container from Containerfile (the cache key includes docker-compose.yml, which #568 changed, so #568 always cache-misses and rebuilds). Three defects bricked that path: 1. 'pip install conan==2.0.0' can no longer build its pinned PyYAML 5.x sdist under modern setuptools/Cython ('AttributeError: build_ext object has no attribute cython_sources'), failing the container build. Relax to 'conan>=2.0,<3' (current conan 2.x + PyYAML 6.x), keeping the conan 2 major conanfile.py requires. Verified build + 'conan profile detect' succeed on ubuntu:24.04. 2. After a successful build, 'podman save -o /tmp/dev-image.tar' aborts with 'docker-archive doesn't support modifying existing images' (exit 125) when a stale tarball is present. Remove any prior archive before saving. Reproduced and verified the fix locally. 3. The 'apt-cache madison podman >&2 || true' fallback diagnostic tripped the forbid-suppressions required check. Replaced with an explicit if-guard that reports a non-zero exit instead of swallowing it. Coverage floor is unchanged: scripts/generate_coverage.sh and the test set are identical to main; coverage only failed because the container build did. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Micah Villmow <4211002+mvillmow@users.noreply.github.com>
…501) Drop the NATIVE=1 host-build bypass and the `%.native` Makefile pattern rule so every build/test runs inside the Podman `dev` container. The CI workflows (_required.yml, extras.yml, release-please.yml) now invoke the container targets directly (make deps, make compile.debug, make test.debug.asan, make benchmark, ...) instead of the removed `.native` variants. Update the Makefile help text accordingly. Rebased onto current main and reduced to the intended CI/build change only — the agent layer and Python orchestration were extracted to ProjectAgamemnon per ADR-015/016, so this PR carries no agent source and no Python-CI changes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
After removing the NATIVE=1 path, CI runs `make deps` then `make compile.X`. `compile` runs cmake inside the `dev` container (CONTAINER_PREFIX) with -DCMAKE_TOOLCHAIN_FILE=build/conan-deps/conan_toolchain.cmake, but `deps` was still running `conan install` on the host. The host-generated toolchain references the host's conan cache/compiler paths, which do not exist inside the container, so the in-container cmake configure failed (exit 1) for the coverage, benchmarks, release, and NATS-integration build jobs. Run the conan installs through CONTAINER_PREFIX too so the toolchain and packages are generated in the same container environment cmake builds in. The repo is bind-mounted at /workspace, so build/conan-deps still lands in the cached host path. Mirrors the previous native flow where deps.native and compile.native both ran on the host. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Add Podman setup to GitHub Actions build dependencies action: - Install podman and podman-compose packages - Start rootless Podman socket on GitHub Actions runners - Set DOCKER_HOST env var for docker-compose CLI plugin compatibility - Fix workspace permissions for Podman UID namespace mapping - Verify Podman installation works This fixes the issue where 'podman compose' was delegating to docker-compose CLI plugin instead of using Podman's native compose support, causing build failures in CI containers. Addresses issue #501: Migrate CI from native builds to Podman containers. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Formatting changes from cmake-format hook to maintain code style consistency across the project. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Replace 'podman compose' (which delegates to snap's docker-compose) with 'podman-compose' standalone tool for proper Podman integration in CI. Add DOCKER_HOST environment variable support to Makefile rules to enable rootless Podman socket connectivity in CI environments. Fixes container startup failures when running 'make deps' and other container-dependent targets in GitHub Actions runners. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Fix CodeQL warnings about unused template parameter 'args' in Logger::log() by using if constexpr to conditionally log based on whether format arguments are present. This resolves false positive static analysis warnings while maintaining correct behavior for both zero-argument and variadic-argument cases. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Apply clang-format fixes across the entire codebase and add SELinux relabeling flags to docker-compose.yml volume mounts for rootless Podman. Changes: - Add :Z flag to volume mounts in dev and build services for proper SELinux context sharing with rootless Podman containers - Apply clang-format to all C++ source files to pass CI linting checks Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
…s, lint boundary - Add podman-version.env with pinned apt version (5.0.2+ds1-4ubuntu1) for Renovate-friendly version management - Source version pin in install step to prevent runner-image drift - Export GIT_COMMIT/BUILD_UID/BUILD_GID to $GITHUB_ENV so docker-compose.yml image tag and user: directive resolve correctly - Add actions/cache + podman save/load for dev image to avoid rebuilding on every CI run (keys on Containerfile/docker-compose.yml/conanfile.py hash) - Add explicit podman-compose up -d dev + readiness poll (10×2s) so build failures abort loudly instead of surfacing as confusing exec errors - Add cap_add: SYS_PTRACE and security_opt: seccomp:unconfined to dev service in docker-compose.yml for ASan/TSan sanitizer builds - Stabilize dev image tag to :latest and container_name to projectkeystone-dev - Wrap Configure CMake and Build with clang-tidy steps in podman-compose exec -T dev to maintain environment parity with make deps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Remove NATIVE=1 path; migrate all CI to Podman containers Closes #501 Implemented-By: claude-sonnet-4-6 Co-Authored-By: Claude Code <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Addresses remaining self-review threads on the CI-migration action: - Verify the cache-restored image carries the projectkeystone-dev:latest tag after `podman load`; rebuild if a stale/mistagged tarball loaded (so it can no longer silently fail at `podman-compose up`). - Drop the broad `restore-keys: podman-` so a partial cache hit can no longer load a tarball built from a different Containerfile/conanfile; exact hashFiles key only, rebuild on any input change. - Set vm.mmap_rnd_bits=28 on the runner host so in-container ASan/TSan/LSan do not abort with shadow-memory mapping errors on the noble kernel. - Assert `podman info` reports rootless=true instead of merely printing it, so a rootful runner fails the step. - Defensively run `conan profile detect --exist-ok` in `make deps` before `conan install` (the dev image already detects a profile at build time). Refs #568 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
The ubuntu-24.04 runner image rotated podman 5.0.2+ds1-4ubuntu1 out of
its apt repo, so `apt-get install podman=${PODMAN_APT_VERSION}` failed
with "Version '...' for 'podman' was not found" (exit 100), turning the
required coverage/build jobs red. Keep the reproducibility pin when the
exact version is present, but fall back to the latest available podman
when apt has rotated it out, so an upstream repo change cannot
hard-break required CI.
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
…ed in install-build-deps The NATIVE->Podman migration forced every required job to build the dev container from Containerfile (the cache key includes docker-compose.yml, which #568 changed, so #568 always cache-misses and rebuilds). Three defects bricked that path: 1. 'pip install conan==2.0.0' can no longer build its pinned PyYAML 5.x sdist under modern setuptools/Cython ('AttributeError: build_ext object has no attribute cython_sources'), failing the container build. Relax to 'conan>=2.0,<3' (current conan 2.x + PyYAML 6.x), keeping the conan 2 major conanfile.py requires. Verified build + 'conan profile detect' succeed on ubuntu:24.04. 2. After a successful build, 'podman save -o /tmp/dev-image.tar' aborts with 'docker-archive doesn't support modifying existing images' (exit 125) when a stale tarball is present. Remove any prior archive before saving. Reproduced and verified the fix locally. 3. The 'apt-cache madison podman >&2 || true' fallback diagnostic tripped the forbid-suppressions required check. Replaced with an explicit if-guard that reports a non-zero exit instead of swallowing it. Coverage floor is unchanged: scripts/generate_coverage.sh and the test set are identical to main; coverage only failed because the container build did. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Micah Villmow <4211002+mvillmow@users.noreply.github.com>
The coverage and lint required jobs failed with a rootless-Podman
bind-mount ownership mismatch, not a code defect:
coverage: mkdir: cannot create directory 'build/x86.coverage.debug':
Permission denied (Makefile:79, host-side mkdir)
lint: CMake Error: Unable to (re)create the private pkgRedirects
directory (in-container cmake configure)
Both are the same bug. The dev service ran as user "${BUILD_UID}" under
the default rootless userns, which maps that uid to a host *subuid*
(e.g. 1001 -> 101000). Anything the container wrote under the mounted
workspace (build/conan-deps from 'make deps', etc.) became owned by that
foreign subuid on the host, so the host runner could no longer create
build/x86.coverage.debug, and an in-container cmake configure could no
longer recreate build/.
Add 'userns_mode: keep-id' to the dev (and build) services. keep-id maps
the host runner uid 1:1 into the container, so the host and the
in-container build user share ownership of the bind mount. Verified
locally with podman 5.8.3 / podman-compose 1.5.0: with keep-id and
user=$(id -u) (exactly what install-build-deps sets BUILD_UID to),
both host-side and in-container mkdir under build/ succeed.
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Collaborator
Author
Needs a design decision — CMake container/host path mismatchAutomated sweep got this PR through two layers of CI-migration bugs, but the remaining failure is architectural and needs your call as the migration author. Progress made (pushed, signed):
Remaining blocker (required
Because both reuse the same Decision needed: pick one build-isolation model for the migration —
This is left open and disarmed-of-urgency for your decision; the rest of the ecosystem PR sweep is complete. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
NATIVE=1/%.native:escape hatch from the Makefile entirely; all builds now run unconditionally viapodman compose exec -T devdepstarget withCONTAINER_CHECK/CONTAINER_PREFIXsomake depsinstalls Conan inside the container (closes AC1 from the issue)cap_add: [SYS_PTRACE]andsecurity_opt: [seccomp=unconfined]to thedevservice indocker-compose.ymlfor sanitizer builds (ASan/TSan/LSan/UBSan).github/actions/podman-setupcomposite action: installspodman-compose, restores/builds the dev image viaactions/cache@v5keyed onContainerfilehash, starts the container, and smoke-testsexecpodman-setupat the end ofinstall-build-deps(newsetup-podmaninput, defaulttrue) so every CI job has a running container before anymakestepmake X.nativecalls in_required.yml(13),extras.yml(8), andrelease-please.yml(2) with plainmake Xdocs/CICD_COVERAGE.mdto remove all.nativereferencesPlan Divergences (noted per review comment)
podman-compose.yml(does not exist)docker-compose.yml;podman composefinds it automaticallyCONTAINER_PREFIXwrapping ondepstargetGIT_COMMIT/BUILD_UID/BUILD_GIDnot exported before compose uppodman-setupaction beforepodman compose up -d devpodman-setupaction (SRP) with a singlesetup-podmaninput oninstall-build-depstest-allContainerfile stageCONTAINER_CHECKhad|| true(masked failures)Acceptance Criteria
make deps(no.native) runs inside container in CICONTAINER_PREFIX = podman compose exec -T devNATIVE,ifeq (NATIVE,1), and%.native:do not appear in the Makefilepodman-setupactionSYS_PTRACEcapability indocker-compose.ymlCloses #501
🤖 Generated with Claude Code