Merge branch 'main' into feature/ipv6-support

Author: yordsel

.github/workflows/pr-build.yml

@@ -8,6 +8,35 @@ on:
     types: [opened, reopened, synchronize]
 
 jobs:
+  verify-signatures:
+    name: Verify commit signatures
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all commits are signed
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          commits=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits --paginate)
+          unsigned_commits=""
+
+          while IFS='|' read -r sha author verified; do
+            if [ "$verified" != "true" ]; then
+              unsigned_commits="$unsigned_commits  - $sha by $author\n"
+            fi
+          done < <(echo "$commits" | jq -r '.[] | "\(.sha)|\(.commit.author.name)|\(.commit.verification.verified)"')
+
+          if [ -n "$unsigned_commits" ]; then
+            echo "::error::The following commits are not signed:"
+            echo -e "$unsigned_commits"
+            echo ""
+            echo "Please sign your commits. See:"
+            echo  "  - https://github.com/apple/containerization/blob/main/CONTRIBUTING.md#pull-requests"
+            echo  "  - https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
+            exit 1
+          fi
+
+          echo "All commits are signed!"
+
   build:
     name: Invoke build
     uses: ./.github/workflows/common.yml

.github/workflows/pr-label-apply.yml

@@ -29,20 +29,12 @@ jobs:
           run-id: ${{ github.event.workflow_run.id }}
           pattern: pr-metadata-*
           merge-multiple: false
-        continue-on-error: true
         id: download-artifact
 
       - name: Read PR number
         id: pr-number
         run: |
-          METADATA_DIR=$(find . -type d -name "pr-metadata-*" 2>/dev/null | head -n 1)
-          
-          if [ -z "$METADATA_DIR" ]; then
-            echo "No metadata found"
-            exit 1
-          fi
-          
-          PR_NUMBER=$(cat "${METADATA_DIR}/pr-number.txt")
+          PR_NUMBER=$(cat "pr-number.txt")
           echo "number=${PR_NUMBER}" >> $GITHUB_OUTPUT
           echo "PR Number: ${PR_NUMBER}"
       

BUILDING.md

@@ -137,7 +137,7 @@ Attach debugger to the XPC helpers using their launchd service labels:
    % container system start
    % container run -d --name test debian:bookworm sleep infinity
    test
-   % launchd list | grep container
+   % launchctl list | grep container
    27068   0       com.apple.container.container-network-vmnet.default
    27072   0       com.apple.container.container-core-images
    26980   0       com.apple.container.apiserver

Package.resolved

@@ -22,8 +22,8 @@ import PackageDescription
 
 let releaseVersion = ProcessInfo.processInfo.environment["RELEASE_VERSION"] ?? "0.0.0"
 let gitCommit = ProcessInfo.processInfo.environment["GIT_COMMIT"] ?? "unspecified"
-let builderShimVersion = "0.7.0"
-let scVersion = "0.24.5"
+let builderShimVersion = "0.8.0"
+let scVersion = "0.25.0"
 
 let package = Package(
     name: "container",

Package.swift

@@ -18,6 +18,7 @@ import Collections
 import ContainerAPIClient
 import ContainerizationArchive
 import ContainerizationOCI
+import CryptoKit
 import Foundation
 import GRPC
 
@@ -199,7 +200,7 @@ actor BuildFSSync: BuildPipelineHandler {
             format: .paxRestricted,
             filter: .none)
 
-        try Archiver.compress(
+        let tarHash = try Archiver.compress(
             source: contextDir,
             destination: tarURL,
             writerConfiguration: writerCfg
@@ -229,6 +230,25 @@ actor BuildFSSync: BuildPipelineHandler {
                 pathInArchive: URL(fileURLWithPath: rel))
         }
 
+        let hash = tarHash.compactMap { String(format: "%02x", $0) }.joined()
+        let header = BuildTransfer(
+            id: packet.id,
+            source: tarURL.path,
+            complete: false,
+            isDir: false,
+            metadata: [
+                "os": "linux",
+                "stage": "fssync",
+                "mode": "tar",
+                "hash": hash,
+            ]
+        )
+        var resp = ClientStream()
+        resp.buildID = buildID
+        resp.buildTransfer = header
+        resp.packetType = .buildTransfer(header)
+        sender.yield(resp)
+
         for try await chunk in try tarURL.bufferedCopyReader() {
             let part = BuildTransfer(
                 id: packet.id,

Sources/ContainerBuild/BuildFSSync.swift

@@ -26,11 +26,13 @@ struct BuildImageResolver: BuildPipelineHandler {
     let contentStore: ContentStore
     let quiet: Bool
     let output: FileHandle
+    let pull: Bool
 
-    public init(_ contentStore: ContentStore, quiet: Bool = false, output: FileHandle = FileHandle.standardError) throws {
+    public init(_ contentStore: ContentStore, quiet: Bool = false, output: FileHandle = FileHandle.standardError, pull: Bool = false) throws {
         self.contentStore = contentStore
         self.quiet = quiet
         self.output = output
+        self.pull = pull
     }
 
     func accept(_ packet: ServerStream) throws -> Bool {
@@ -72,6 +74,9 @@ struct BuildImageResolver: BuildPipelineHandler {
             defer { progress.finish() }
             progress.start()
 
+            if self.pull {
+                return try await ClientImage.pull(reference: ref, platform: platform, progressUpdate: progress.handler)
+            }
             // Use fetch() which checks cache first, then pulls if needed
             return try await ClientImage.fetch(reference: ref, platform: platform, progressUpdate: progress.handler)
         }()

Sources/ContainerBuild/BuildImageResolver.swift

@@ -30,7 +30,7 @@ public actor BuildPipeline {
             [
                 try BuildFSSync(URL(filePath: config.contextDir)),
                 try BuildRemoteContentProxy(config.contentStore),
-                try BuildImageResolver(config.contentStore, quiet: config.quiet, output: config.terminal?.handle ?? FileHandle.standardError),
+                try BuildImageResolver(config.contentStore, quiet: config.quiet, output: config.terminal?.handle ?? FileHandle.standardError, pull: config.pull),
                 try BuildStdio(quiet: config.quiet, output: config.terminal?.handle ?? FileHandle.standardError),
             ]
     }

Sources/ContainerBuild/BuildPipelineHandler.swift

@@ -251,6 +251,7 @@ public struct Builder: Sendable {
         public let exports: [BuildExport]
         public let cacheIn: [String]
         public let cacheOut: [String]
+        public let pull: Bool
 
         public init(
             buildID: String,
@@ -268,6 +269,7 @@ public struct Builder: Sendable {
             exports: [BuildExport],
             cacheIn: [String],
             cacheOut: [String],
+            pull: Bool
         ) {
             self.buildID = buildID
             self.contentStore = contentStore
@@ -284,6 +286,7 @@ public struct Builder: Sendable {
             self.exports = exports
             self.cacheIn = cacheIn
             self.cacheOut = cacheOut
+            self.pull = pull
         }
     }
 }

Sources/ContainerBuild/Builder.swift

@@ -0,0 +1,32 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+/// An error type that aggregates multiple errors into one.
+///
+/// When displayed, each underlying error is printed on its own line.
+public struct AggregateError: Swift.Error, Sendable {
+    public let errors: [any Error]
+
+    public init(_ errors: [any Error]) {
+        self.errors = errors
+    }
+}
+
+extension AggregateError: CustomStringConvertible {
+    public var description: String {
+        errors.map { String(describing: $0) }.joined(separator: "\n")
+    }
+}