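---
# CI workflow: runs the backend test suite inside containers started through
# the host's rootless Podman socket (client in --remote mode).
name: Podman Rootless Demo

# NOTE(review): the `ci` runner label together with the host Podman socket
# suggests a self-hosted runner. pull_request runs execute contributor-controlled
# code (build scripts, tests) against that socket and against the shared cargo
# cache mounted below; confirm that only trusted PRs are allowed to run here.
on: [push, pull_request]

jobs:
  test-backend:
    runs-on: [ci]

    # Point all steps at the host's rootless Podman socket
    env:
      # Point the client at the mounted socket
      CONTAINER_HOST: unix:///run/user/1001/podman/podman.sock
      # Make sure podman looks in the correct runtime dir hierarchy
      # NOTE(review): podman's default auth file lives under XDG_RUNTIME_DIR
      # (containers/auth.json), so the registry login below presumably leaves
      # credentials under /tmp and no step removes them; consider a per-run
      # auth file or a logout during cleanup.
      XDG_RUNTIME_DIR: /tmp
      RUN_ID: ${{ github.run_id }}
      POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }}
      # NOTE(review): not referenced by any step in this workflow; confirm
      # whether the test image build is meant to receive it.
      RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }}
      PREBUILT_BACKEND_TEST_IMAGE: ${{ secrets.REGISTRY_HOST }}/${{ github.repository }}/sharenet-test-rust

    steps:
      # NOTE(review): a version tag is a mutable reference; pinning the action
      # to a full commit SHA is the stricter option.
      - name: Checkout code
        uses: actions/checkout@v4

      # Fail early if the socket is missing or is not a socket.
      - name: Verify socket visibility
        run: |
          set -euo pipefail
          id -u; id -g
          ls -ld /run/user/1001/podman
          ls -l /run/user/1001/podman/podman.sock
          test -S /run/user/1001/podman/podman.sock

      # NOTE(review): alpine:3.20 is an unqualified, tag-based reference, while
      # the Postgres image comes from POSTGRES_IMG_DIGEST (presumably pinned by
      # digest). A fully qualified, digest-pinned reference would be consistent.
      - name: Use host rootless Podman
        run: |
          set -euo pipefail
          podman --remote info --format '{{.Host.RemoteSocket.Path}} (remote={{.Host.RemoteSocket.Exists}})'
          podman --remote version
          podman --remote run --rm alpine:3.20 echo "Hello from host rootless Podman!"

      # Secrets are handed to the script as environment variables instead of
      # being expanded into the script text, so a quote, `$` or backtick inside
      # a secret value cannot change the shell command that runs.
      - name: Login to container registry with PAT
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
        run: |
          set -euo pipefail
          printf '%s\n' "$REGISTRY_TOKEN" | podman --remote login \
            -u "$REGISTRY_USERNAME" \
            --password-stdin \
            "$REGISTRY_HOST"

      # Per-run network name so concurrent runs do not collide.
      - name: Create network
        run: podman --remote network create integ-${{ env.RUN_ID }}

      # Outputs: deps_hash (tag for the test image) and rebuild_needed.
      # NOTE(review): the hash covers only Cargo.toml and Cargo.lock; a change
      # to backend/Dockerfile.test-rust alone does not trigger a rebuild.
      - name: Check if dependencies changed
        id: check-deps
        run: |
          # pipefail: a missing manifest file fails the step instead of
          # producing a hash of partial input
          set -euo pipefail
          # Change to backend directory and get hash of Cargo.toml and Cargo.lock
          cd "$GITHUB_WORKSPACE/backend"
          DEPS_HASH=$(sha256sum Cargo.toml Cargo.lock | sha256sum | cut -d' ' -f1)
          echo "deps_hash=$DEPS_HASH" >> "$GITHUB_OUTPUT"

          # Check if image exists with this hash tag
          if podman --remote manifest inspect "$PREBUILT_BACKEND_TEST_IMAGE:$DEPS_HASH" >/dev/null 2>&1; then
            echo "rebuild_needed=false" >> "$GITHUB_OUTPUT"
          else
            echo "rebuild_needed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Build optimized Rust test image (if needed)
        if: steps.check-deps.outputs.rebuild_needed == 'true'
        env:
          DEPS_HASH: ${{ steps.check-deps.outputs.deps_hash }}
        run: |
          set -euo pipefail
          # Build without caching to avoid policy issues
          podman --remote build --no-cache \
            -f backend/Dockerfile.test-rust \
            -t "$PREBUILT_BACKEND_TEST_IMAGE:$DEPS_HASH" \
            -t "$PREBUILT_BACKEND_TEST_IMAGE:latest"
          podman --remote push "$PREBUILT_BACKEND_TEST_IMAGE:$DEPS_HASH"
          podman --remote push "$PREBUILT_BACKEND_TEST_IMAGE:latest"

      # Throwaway test database: fixed credentials, no published port, attached
      # only to the per-run network and removed in Cleanup.
      - name: Start PostgreSQL
        run: |
          set -euo pipefail
          podman --remote run -d \
            --name test-postgres-${{ env.RUN_ID }} \
            --network integ-${{ env.RUN_ID }} \
            -e POSTGRES_PASSWORD=password \
            -e POSTGRES_USER=postgres \
            -e POSTGRES_DB=sharenet_test \
            "$POSTGRES_IMG_DIGEST"

      # Poll once per second; give up after 60 seconds.
      - name: Wait for PostgreSQL
        run: |
          timeout 60 bash -euc '
            until podman --remote exec test-postgres-${{ env.RUN_ID }} \
              pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
              sleep 1
            done
          '

      - name: Ensure host Cargo cache directory exists
        run: |
          set -euo pipefail
          podman --remote run --rm \
            -v /home/ci-service/.cache:/c \
            alpine:3.20 sh -lc 'mkdir -p /c/cargo'

      # The workspace is streamed into the container over stdin as a tar archive
      # (without .git and target) rather than bind-mounted.
      # NOTE(review): /home/ci-service/.cache/cargo is a host directory mounted
      # read-write as CARGO_HOME and shared by every run, so code executed in
      # one run can alter what later runs read from it. Consider a per-branch
      # or read-only cache for runs triggered by untrusted changes.
      - name: Run backend tests with cached dependencies
        env:
          DEPS_HASH: ${{ steps.check-deps.outputs.deps_hash }}
        run: |
          set -euo pipefail
          tar --exclude .git --exclude target -C "$GITHUB_WORKSPACE" -cf - . | \
          podman --remote run --rm -i \
            --network integ-${{ env.RUN_ID }} \
            -e CARGO_HOME=/cargo \
            -e DATABASE_URL=postgres://postgres:password@test-postgres-${{ env.RUN_ID }}:5432/sharenet_test \
            -v /home/ci-service/.cache/cargo:/cargo \
            "$PREBUILT_BACKEND_TEST_IMAGE:$DEPS_HASH" \
            sh -euxc '
              mkdir -p /workspace
              tar -x -C /workspace
              cd /workspace/backend
              # Use pre-built dependencies from the image
              export CARGO_TARGET_DIR=/app/target
              export CARGO_REGISTRY_DIR=/usr/local/cargo/registry
              # Build local crates using pre-built external dependencies
              cargo build --release --locked
              cargo test --lib -- --test-threads=1
            '

      # Must run before Cleanup: once the container is removed its logs are gone.
      - name: Debug DB (on failure)
        if: failure()
        run: podman --remote logs --tail=200 test-postgres-${{ env.RUN_ID }} || true

      # Best-effort teardown; errors are ignored so a missing container or
      # network does not mask the real job result.
      - name: Cleanup
        if: always()
        run: |
          podman --remote rm -f test-postgres-${{ env.RUN_ID }} 2>/dev/null || true
          podman --remote network rm integ-${{ env.RUN_ID }} 2>/dev/null || true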