Merge branch 'master' into ktf-patch-18

.github/workflows/check-workflows.yml

@@ -16,6 +16,8 @@ name: Check GitHub workflows
       - ready_for_review
       - synchronize
 
+permissions: {}
+
 jobs:
   actionlint:
     runs-on: ubuntu-latest

.github/workflows/cherry-pick.yml

@@ -10,7 +10,10 @@ on:
         description: 'Branch to cherry pick to'
         required: true
         default: 'v5-09-XX'
-
+
+permissions:
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/clean-pr-checks.yml

@@ -22,14 +22,14 @@ name: Clean PR checks
         description: build/O2/alidist-cs8
         type: boolean
         default: true
-      'check_build/O2/alidist-dataflow':
-        description: build/O2/alidist-dataflow
-        type: boolean
-        default: true
       'check_build/O2/alidist-dataflow-cs8':
         description: build/O2/alidist-dataflow-cs8
         type: boolean
         default: true
+      'check_build/O2/alidist-ubuntu2204':
+        description: build/O2/alidist-ubuntu2204
+        type: boolean
+        default: true
       'check_build/O2/fullCI/alidist':
         description: build/O2/fullCI/alidist
         type: boolean

.github/workflows/daily-tag-pr.yml

@@ -8,6 +8,10 @@ name: Create a PR from pushes to rc/branches
       # who can push to them, as PRs will be created with auto-merge enabled!
       - rc/master
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -34,14 +38,12 @@ jobs:
             The daily-tags.sh script has created a tag release with these
             changes.
           pr_allow_empty: true
-          github_token: ${{ secrets.ALIBUILD_GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable auto-merge for newly-created pull request
-        uses: alisw/enable-pull-request-automerge@v2
         # If the PR already exists, we won't get the number
         # (and we probably shouldn't toggle auto-merge anyway).
         if: steps.open_pr.outputs.pr_number
-        with:
-          pull-request-number: ${{ steps.open_pr.outputs.pr_number }}
-          merge-method: squash
-          token: ${{ secrets.ALIBUILD_GITHUB_TOKEN }}
+        run: gh pr merge --squash --auto ${{ steps.open_pr.outputs.pr_number }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-security-approval.yml

@@ -0,0 +1,18 @@
+---
+name: Security approval
+
+'on':
+  pull_request_review:
+    types:
+      - edited
+      - submitted
+
+permissions: {}
+
+jobs:
+  clean:
+    name: Security approval
+    uses: alisw/ali-bot/.github/workflows/pr-security-approval.yml@master
+    permissions:
+      pull-requests: read  # to get last commit for PR
+      statuses: write      # for set-github-status

.github/workflows/prepare-patch-release-branch.yml

@@ -1,48 +1,57 @@
-name: Prepare AliPhysics tag
+---
+name: Prepare AliRoot/AliPhysics tag
 
-on:
+'on':
   workflow_dispatch:
     inputs:
       tag:
         description: 'Tag to prepare'
         required: true
         default: 'v5-09-XXy'
+
+permissions:
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Decide which branch to use
-      run: |
-        cat << EOF >> "$GITHUB_OUTPUT"
-        branch=$(echo AliPhysics-${{ github.event.inputs.tag }}-01-patches | sed -e's/[a-z][a-z]*-01-patches$/-01-patches/')
-        EOF
-      id: decide_release_branch
-    - uses: actions/checkout@v3
-      with:
-        ref: "master"
-    - name: Update the branch
-      run: |
-        set -x
-        git fetch origin
-        git checkout -B ${{ steps.decide_release_branch.outputs.branch }} origin/${{ steps.decide_release_branch.outputs.branch }}
-        git grep -l v5-09 | xargs perl -p -i -e 's/v5-09-[0-9][0-9][a-z]*/${{ github.event.inputs.tag }}/g'
-        git add .
-        git diff
-        git config --global user.email "alibuild@cern.ch"
-        git config --global user.name "ALICE Action Bot"
-        git commit -m "Bump to ${{ github.event.inputs.tag }}" -a || echo "No changes to commit"
-        git push --set-upstream origin ${{ steps.decide_release_branch.outputs.branch }}
-        git tag AliPhysics-${{ github.event.inputs.tag }}-01
-        git push --set-upstream origin AliPhysics-${{ github.event.inputs.tag }}-01
-    - name: Create Release
-      id: create_release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-      with:
-        tag_name: AliPhysics-${{ github.event.inputs.tag }}-01
-        release_name: AliPhysics-${{ github.event.inputs.tag }}-01
-        draft: false
-        prerelease: false
+      - name: Decide which branch to use
+        id: decide_release_branch
+        run: |
+          case "$TAG" in
+            v5-09-59*) echo branch=master ;;
+            *) echo "branch=$(echo "AliPhysics-$TAG-01-patches" | sed -r 's/[a-z]+-01-patches$/-01-patches/')" ;;
+          esac >> "$GITHUB_OUTPUT"
+        env:
+          TAG: ${{ github.event.inputs.tag }}
+
+      - name: Checkout alidist
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.decide_release_branch.outputs.branch }}
+
+      - name: Tag AliRoot and AliPhysics in alidist
+        run: |
+          set -x
+          sed -ri "s/v5-09-[0-9][0-9][a-z]*/$TAG/g" ./*.sh
+          git config --global user.email "alibuild@cern.ch"
+          git config --global user.name "ALICE Action Bot"
+          git commit -a -m "Bump to $TAG" || echo "No changes to commit"
+          git show
+          git tag "AliPhysics-$TAG-01"
+          git push origin "AliPhysics-$TAG-01"
+          # We only want to update -patches branches with new tags, not master.
+          [ "$BRANCH" = master ] || git push origin "$BRANCH"
+        env:
+          TAG: ${{ github.event.inputs.tag }}
+          BRANCH: ${{ steps.decide_release_branch.outputs.branch }}
 
+      - name: Create release
+        uses: alisw/release-action@v1
+        with:
+          name: AliPhysics-${{ github.event.inputs.tag }}-01
+          tag: AliPhysics-${{ github.event.inputs.tag }}-01
+          draft: false
+          prerelease: false

.github/workflows/recipe-checks.yml

@@ -1,78 +1,76 @@
-name: Build Documentation
-# GitHub workflow to check build recipes in pull requests.
+---
+# GitHub workflow to check pull requests and commits for pitfalls and formatting
+# mistakes in build recipes.
+name: Check recipes
 
-on:
+'on':
+  push:
+    paths:
+      - '*.sh'
   pull_request:
-    types:
-      - opened
-      - reopened
-      - edited
-      - ready_for_review
-      - synchronize
+    paths:
+      - '*.sh'
+
+permissions: {}
 
 jobs:
-  build:
+  lint:
+    name: alidistlint
     runs-on: ubuntu-latest
+
     steps:
-    - name: Install dependencies
-      run: |
-        sudo apt-get update -y
-        sudo apt-get install -y bash graphviz python3-pip
-        sudo python3 -m pip install setuptools
-        sudo python3 -m pip install pyyaml alibuild
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - name: Run check
-      shell: 'bash -exo pipefail {0}'
-      run: |
-        aliBuild analytics off
-        err_fnames=()
+      - name: Install dependencies
+        run: python3 -m pip install -U --user 'alidistlint[git]'
 
-        # Use lint-recipes from PR base, so PRs can't override this script themselves.
-        git checkout -f ${{ github.event.pull_request.base.sha }} -- scripts/lint-recipes ||
-          exit 1
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
-        git diff --name-only "$(git merge-base HEAD ${{ github.event.pull_request.base.sha }})" |
-          while read -r fname; do
-            case "$fname" in
-              *.sh) [ -e "$fname" ] || continue;;
-              *) continue;;
-            esac
-            echo "Linting $fname"
-            if ! scripts/lint-recipes "$fname" ||
-               # This should really be cleaned up, since macOS cleans any
-               # DYLD_LIBRARY_PATH when launching children processes, making it
-               # completely irrelevant. In any case we correctly handle rpath in
-               # our macOS builds.
-               grep -v 'unset DYLD_LIBRARY_PATH' "$fname" | grep DYLD_LIBRARY_PATH ||
-               # Modules 4 does not allow having colons in prepend-path anymore
-               grep 'prepend-path.*:' "$fname"
-            then
-              err_fnames+=("$fname")
-            fi
+      - name: Run linter
+        run: |
+          if [ -n "$BASE_SHA" ]; then
+            # For pull requests, only check files that have changed relative to
+            # the base commit.
+            merge_base=$(git merge-base "$BASE_SHA" "$HEAD_SHA")
+            git diff -z --diff-filter d --name-only "$merge_base..$HEAD_SHA" -- '*.sh' |
+              xargs -0tr alidistlint -f github --changes "$merge_base..$HEAD_SHA"
+          else
+            # On push, check every file, ignoring warnings and notes.
+            alidistlint -ef github ./*.sh
+          fi
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.event.head_commit.sha }}
+
+  circular:
+    name: circular dependencies
+    runs-on: ubuntu-latest
 
-            case "$fname" in defaults-*.sh) continue;; esac
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt update -y
+          sudo apt install -y graphviz
+          python3 -m pip install -U --user alibuild
+          aliBuild analytics off
 
-            # If a recipe is not a system requirement, it must have a Modulefile
-            if ! grep -q '^system_requirement:' "$fname" &&
-               ! grep -q '\(^#%Module\|alibuild-generate-module\)' "$fname"
-            then
-              echo "ERROR: recipe $fname has no modulefile"
-              err_fnames+=("$fname")
-            fi
+      - uses: actions/checkout@v3
+
+      - name: Run check
+        run: |
+          for fname in *.sh; do
             case "$fname" in
-              JAliEn) DEFAULT=jalien ;;
-              *) DEFAULT=o2 ;;
+              jalien*) default=jalien ;;
+              *) default=o2 ;;
             esac
-            aliBuild deps --defaults $DEFAULT --outgraph /dev/null --no-system --neat -c . \
-                     "$(awk '/^package: /{print $2}' "$fname")" 2>&1 |
-              if grep -q 'transitive reduction not unique'; then
-                echo "ERROR: recipe $fname has circular dependency"
-                err_fnames+=("$fname")
-              fi
+            echo "Checking $fname with --defaults $default"
+            if aliBuild deps --defaults "$default" --outgraph /dev/null --no-system --neat -c . \
+                        "$(awk '/^package: /{print $2}' "$fname")" 2>&1 |
+               grep -q 'transitive reduction not unique'
+            then
+              echo -n "::error title=circular dependency,file=$fname,line=1"
+              echo '::recipe has circular dependency'
+              err=1
+            fi
           done
-        if [ ${#err_fnames[@]} -gt 0 ]; then
-          printf '%s\n' "The following recipes need to be fixed:" "${err_fnames[@]}"
-          exit 1
-        fi
+          exit "${err:-0}"