Sync common files from infra repository

Synchronized from bootc-dev/infra@2dd4986.

Signed-off-by: bootc-dev Bot <bot@bootc.dev>

Author: bootc-dev Bot

.bootc-dev-infra-commit.txt

@@ -1 +1 @@
-b23aa64010d014befa5adc5bc54363b6fb60a3e4
+2dd498656b9653c321e5d9a8600e6b506714acb3

.github/actions/bootc-ubuntu-setup/action.yml

@@ -61,24 +61,15 @@ runs:
       id: set_arch
       shell: bash
       run: echo "ARCH=$(arch)" >> $GITHUB_ENV
-    # We often use Rust, so set up opinionated default caching
-    - name: Setup Rust cache
-      uses: Swatinem/rust-cache@v2
-      with:
-        cache-all-crates: true
-        # Only generate caches on push to git main
-        save-if: ${{ github.ref == 'refs/heads/main' }}
-        # Suppress actually using the cache for builds running from
-        # git main so that we avoid incremental compilation bugs
-        lookup-only: ${{ github.ref == 'refs/heads/main' }}
     # Install libvirt stack if requested
     - name: Install libvirt and virtualization stack
       if: ${{ inputs.libvirt == 'true' }}
       shell: bash
       run: |
         set -xeuo pipefail
-        export BCVK_VERSION=0.6.0
-        /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+        export BCVK_VERSION=0.9.0
+        # see https://github.com/bootc-dev/bcvk/issues/176
+        /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system python3-virt-firmware
         # Something in the stack is overriding this, but we want session right now for bcvk
         echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
         td=$(mktemp -d)

.github/actions/setup-rust/action.yml

@@ -0,0 +1,20 @@
+name: 'Setup Rust'
+description: 'Install Rust toolchain with caching and nextest'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@stable
+    - name: Install nextest
+      uses: taiki-e/install-action@v2
+      with:
+        tool: nextest
+    - name: Setup Rust cache
+      uses: Swatinem/rust-cache@v2
+      with:
+        cache-all-crates: true
+        # Only generate caches on push to git main
+        save-if: ${{ github.ref == 'refs/heads/main' }}
+        # Suppress actually using the cache for builds running from
+        # git main so that we avoid incremental compilation bugs
+        lookup-only: ${{ github.ref == 'refs/heads/main' }}

.github/workflows/openssf-scorecard.yml

@@ -0,0 +1,50 @@
+# Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
+# Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater.
+name: OpenSSF Scorecard analysis
+on:
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-24.04
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v6
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+

.github/workflows/rebase.yml

@@ -0,0 +1,45 @@
+name: Automatic Rebase
+on:
+  pull_request:
+    types: [labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  rebase:
+    name: Rebase
+    if: github.event.label.name == 'needs-rebase'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Actions Token
+        id: token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Automatic Rebase
+        uses: peter-evans/rebase@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Remove needs-rebase label
+        if: always()
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ steps.token.outputs.token }}
+          script: |
+            await github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              name: 'needs-rebase'
+            });