CI: go lint action

.github/actions/install-go-linters/action.yml

@@ -0,0 +1,35 @@
+name: "lint-go"
+description: "This action will install go linting tools (golangci-lint and goimports-reviser), and executes them on the codebase."
+inputs:
+  cache-dependency-path:
+    description: 'Used to specify the path to a dependency file - go.sum'
+  strategy:
+    description: "See install-go for info"
+  _golangci_version:
+    description: "Internal: the golangci version we want"
+    default: "89476e7a1eaa0a8a06c17343af960a5fd9e7edb7"  # v1.62.2
+  _goimports_version:
+    description: "Internal: the goimports reviser version we want"
+    default: "f034195cc8a7ffc7cc70d60aa3a25500874eaf04"  # v3.8.2
+
+runs:
+  using: composite
+  steps:
+    - name: "Install golang"
+      uses: ./.github/actions/install-go
+      with:
+        strategy: ${{ inputs.strategy }}
+    - name: "`go install` needed tools"
+      shell: bash
+      run: |
+        # go install golangci-lint and goimports-reviser
+        err="$(go install -v github.com/golangci/golangci-lint/cmd/golangci-lint@${{ inputs._golangci_version }} 2>&1)" || {
+          echo "Failed installing golangci:"
+          echo "$err"
+          exit 1
+        }
+        err="$(go install -v github.com/incu6us/goimports-reviser/v3@${{ inputs._goimports_version }} 2>&1)" || {
+          echo "Failed installing goimports-reviser:"
+          echo "$err"
+          exit 1
+        }

.github/actions/install-go/action.yml

@@ -0,0 +1,75 @@
+name: "Go install"
+description: "This action will install go (currently supported version by default). Operator may optionally require the `strategy` input:
+ - 'canary', for the latest RC/beta
+ - 'latest-stable', for the latest patch release for the currently supported version (this is normally the default, unless nerdctl is lagging)
+ - 'old-stable' for the latest patch release of the minimum minor go version nerdctl is supporting"
+inputs:
+  cache-dependency-path:
+    description: 'Used to specify the path to a dependency file - go.sum'
+  strategy:
+    default: ""
+    description: "You may set this to `canary`, `latest-stable`, or `old-stable`. Otherwise defauls to the explicitly supported version."
+  # These below are technically not input variables (that we expect people to specific or change).
+  # We are just abusing the system here for convenience, since a composite action does not let you define env.
+  # This here is the one, central location where we would update go versions when there is a newly supported go version.
+  _current:
+    default: "1.23.4"
+    description: "What we consider the current blessed go version (typically the latest patch release of the last major.minor version)"
+  _stable:
+    default: "1.23.x"
+    description: "The latest major.minor version we support"
+  _old_stable:
+    default: "1.22.x"
+    description: "The minimum major.minor go version that we still support"
+
+runs:
+  using: composite
+  steps:
+    - name: "Set GO_VERSION environment variable from user strategy"
+      shell: bash
+      run: |
+        golang::canary(){
+          # Enable extended globbing features to use advanced pattern matching
+          shopt -s extglob
+          # Get latest golang version and split it in components
+          norm=()
+          while read -r line; do
+            line_trimmed="${line//+([[:space:]])/}"
+            norm+=("$line_trimmed")
+          done < \
+            <(sed -E 's/^go([0-9]+)[.]([0-9]+)([.]([0-9]+))?(([a-z]+)([0-9]+))?/\1.\2\n\4\n\6\n\7/i' \
+              <(curl -fsSL "https://go.dev/dl/?mode=json&include=all" | jq -rc .[0].version) \
+            )
+          # Serialize version, making sure we have a patch version, and separate possible rcX into .rc-X
+          [ "${norm[1]}" != "" ] || norm[1]="0"
+          norm[1]=".${norm[1]}"
+          [ "${norm[2]}" == "" ] || norm[2]="-${norm[2]}"
+          [ "${norm[3]}" == "" ] || norm[3]=".${norm[3]}"
+          # Save it
+          IFS=
+          echo "GO_VERSION=${norm[*]}" >> "$GITHUB_ENV"
+        }
+
+        if [ "${{ inputs.strategy }}" == "canary" ]; then
+          golang::canary
+        elif [ "${{ inputs.strategy }}" == "latest-stable" ]; then
+          echo "GO_VERSION=${{ inputs._stable }}" >> "$GITHUB_ENV"
+        elif [ "${{ inputs.strategy }}" == "old-stable" ]; then
+          echo "GO_VERSION=${{ inputs._old_stable }}" >> "$GITHUB_ENV"
+        else
+          echo "GO_VERSION=${{ inputs._current }}" >> "$GITHUB_ENV"
+        fi
+    - name: "Setup Go"
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a  # v5.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}
+        cache-dependency-path: ${{ inputs.cache-dependency-path }}
+        # See https://github.com/containerd/nerdctl/issues/3733
+        # GitHub cache is very limited. We currently depend on it for the (more important) build dependencies caching.
+        # Disabling this here will slow down the setup a bit.
+        cache: false
+    - name: "Cleanup go version string"
+      shell: bash
+      # Remove possible trailing .x
+      run: |
+        echo "GO_VERSION=${GO_VERSION%.x*}" >> "$GITHUB_ENV"

.github/workflows/ghcr-image-build-and-publish.yml

@@ -31,19 +31,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf  # v3.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349  # v3.7.1
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/[email protected]
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -53,14 +53,14 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96  # v5.6.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/[email protected]
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355  # v6.10.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/lint.yml

@@ -7,72 +7,60 @@ on:
       - 'release/**'
   pull_request:
 
-env:
-  GO_VERSION: 1.23.x
-
 jobs:
   go:
     timeout-minutes: 5
-    name: "go | ${{ matrix.goos }} | ${{ matrix.canary }}"
+    name: "go | ${{ matrix.goos }} | ${{ matrix.goversion }}"
     runs-on: "${{ matrix.os }}"
-    defaults:
-      run:
-        shell: bash
     strategy:
       matrix:
         include:
           - os: ubuntu-24.04
             goos: linux
+            goversion: latest-stable
           - os: ubuntu-24.04
             goos: freebsd
+            goversion: latest-stable
           # FIXME: this is currently failing in a non-sensical way, so, running on linux instead...
           # - os: windows-2022
           - os: ubuntu-24.04
             goos: windows
+            goversion: latest-stable
           - os: ubuntu-24.04
             goos: linux
-            # This allows the canary script to select any upcoming golang alpha/beta/RC
-            canary: go-canary
-    env:
-      GOOS: "${{ matrix.goos }}"
+            goversion: canary
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 1
-      - name: Set GO env
-        run: |
-          # If canary is specified, get the latest available golang pre-release instead of the major version
-          if [ "$canary" != "" ]; then
-            . ./hack/build-integration-canary.sh
-            canary::golang::latest
-          fi
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+      - name: "Install go linters"
+        uses: ./.github/actions/install-go-linters
         with:
-          args: --verbose
+          strategy: ${{ matrix.goversion }}
+      - name: "`make lint-imports`"
+        # Import ordering is not influenced by GOOS - running it multiple times is thus unnecessary
+        # Note we are picking freebsd as the GOOS to run it on, as linux is running multiple times (eg: canary)
+        if: ${{ matrix.goos=='freebsd' }}
+        shell: bash
+        run: |
+          make lint-imports
+      - name: "`make lint-go` for ${{ matrix.goos }}"
+        env:
+          VERBOSE: true
+          GOOS: ${{ matrix.goos }}
+        shell: bash
+        run: |
+          make lint-go
+
   other:
     timeout-minutes: 5
-    name: yaml | shell | imports order
+    name: yaml | shell
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
       - name: yaml
         run: make lint-yaml
       - name: shell
         run: make lint-shell
-      - name: go imports ordering
-        run: |
-          go install -v github.com/incu6us/goimports-reviser/v3@latest
-          make lint-imports

.github/workflows/project.yml

@@ -13,18 +13,16 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           path: src/github.com/containerd/nerdctl
           fetch-depth: 100
-      - uses: actions/setup-go@v5
+      - uses: ./src/github.com/containerd/nerdctl/.github/actions/install-go
         with:
-          go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: src/github.com/containerd/nerdctl
-      - uses: containerd/[email protected]
+      - uses: containerd/project-checks@434a07157608eeaa1d5c8d4dd506154204cd9401  # v1.1.0
         with:
           working-directory: src/github.com/containerd/nerdctl
-          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
       - run: ./hack/verify-no-patent.sh
         working-directory: src/github.com/containerd/nerdctl
       - run: ./hack/verify-pkg-isolation.sh

.github/workflows/release.yml

@@ -10,8 +10,8 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 40
     steps:
-    - uses: actions/[email protected]
-    - uses: actions/setup-go@v5
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a  # v5.2.0
       with:
         go-version: 1.23.x
     - name: "Compile binaries"

.github/workflows/test-canary.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: "ubuntu-24.04"
     timeout-minutes: 40
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 1
       - name: "Prepare integration test environment"
@@ -55,10 +55,10 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 1
-      - name: Set GO env
+      - name: Set Containerd version
         run: |
           # Get latest containerd
           args=(curl --proto '=https' --tlsv1.2 -fsSL -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28")
@@ -67,19 +67,15 @@ jobs:
           } || args+=(-H "Authorization: Bearer $GITHUB_TOKEN")
           ctd_v="$("${args[@]}" https://api.github.com/repos/containerd/containerd/tags | jq -rc .[0].name)"
           echo "CONTAINERD_VERSION=${ctd_v:1}" >> "$GITHUB_ENV"
-
-          . ./hack/build-integration-canary.sh
-          canary::golang::latest
-      - uses: actions/setup-go@v5
+      - name: "Install go"
+        uses: ./.github/actions/install-go
         with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: true
-          check-latest: true
+          strategy: canary
       - run: go install ./cmd/nerdctl
       - run: go install -v gotest.tools/gotestsum@v1
       # This here is solely to get the cni install script, which has not been modified in 3+ years.
       # There is little to no reason to update this to latest containerd
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           repository: containerd/containerd
           ref: "v1.7.24"

.github/workflows/test-kube.yml

@@ -17,7 +17,7 @@ jobs:
     env:
       ROOTFUL: true
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 1
       - name: "Run Kubernetes integration tests"