containerd
diff --git a/‎.github/workflows/ghcr-image-build-and-publish.yml
+22-17 b/‎.github/workflows/ghcr-image-build-and-publish.yml
+22-17
diff --git a/‎.github/workflows/lint.yml
+37-66 b/‎.github/workflows/lint.yml
+37-66
diff --git a/‎.github/workflows/project.yml
+27-11 b/‎.github/workflows/project.yml
+27-11
diff --git a/‎.github/workflows/release.yml
+23-5 b/‎.github/workflows/release.yml
+23-5
diff --git a/‎.github/workflows/reusable_environment.yml
+73 b/‎.github/workflows/reusable_environment.yml
+73
@@ -1,4 +1,4 @@
-name: image
+name: " "
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -16,51 +16,56 @@ on:
       - '**.md'
 
 env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build:
+  # Source the common environment
+  environment:
+    name: "image"
+    uses: ./.github/workflows/reusable_environment.yml
 
-    runs-on: ubuntu-24.04
+  build:
+    name: "image / build"
+    timeout-minutes: ${{ fromJSON(needs.environment.outputs.LONG_TIMEOUT) }}
+    runs-on: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+    needs: environment
     permissions:
       contents: read
       packages: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4.2.2
+      - name: "Checkout"
+        uses: actions/checkout@v4
 
-      - name: Set up QEMU
+      - name: "Set up QEMU"
         uses: docker/setup-qemu-action@v3
 
-      - name: Set up Docker Buildx
+      - name: "Set up Docker Buildx"
         uses: docker/setup-buildx-action@v3
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
+      - name: "Log into registry ${{ env.REGISTRY }}"
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ needs.environment.outputs.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
+      - name: "Extract Docker metadata"
         id: meta
-        uses: docker/metadata-action@v5.6.1
+        uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ needs.environment.outputs.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6.10.0
+      - name: "Build and push Docker image"
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64
 
@@ -1,4 +1,5 @@
-name: lint
+# "Hide" the name from the GitHub check status line, as it just clutters the display
+name: " "
 
 on:
   push:
@@ -7,72 +8,42 @@ on:
       - 'release/**'
   pull_request:
 
-env:
-  GO_VERSION: 1.23.x
-
 jobs:
-  go:
-    timeout-minutes: 5
-    name: "go | ${{ matrix.goos }} | ${{ matrix.canary }}"
-    runs-on: "${{ matrix.os }}"
-    defaults:
-      run:
-        shell: bash
+  # Source the common environment
+  environment:
+    name: "lint"
+    uses: ./.github/workflows/reusable_environment.yml
+
+  # Linting go
+  lint-go:
+    # Define the matrix we want to lint on: every supported OS, with the current go version, and additionally go canary on linux
     strategy:
       matrix:
+        # The GOOS-es we run golint for, with no canary (eg: the base supported GO_VERSION)
+        goos: [linux, freebsd, windows]
+        # And no canary
+        canary: [false]
         include:
-          - os: ubuntu-24.04
-            goos: linux
-          - os: ubuntu-24.04
-            goos: freebsd
-          # FIXME: this is currently failing in a non-sensical way, so, running on linux instead...
-          # - os: windows-2022
-          - os: ubuntu-24.04
-            goos: windows
-          - os: ubuntu-24.04
-            goos: linux
-            # This allows the canary script to select any upcoming golang alpha/beta/RC
-            canary: go-canary
-    env:
-      GOOS: "${{ matrix.goos }}"
-    steps:
-      - uses: actions/[email protected]
-        with:
-          fetch-depth: 1
-      - name: Set GO env
-        run: |
-          # If canary is specified, get the latest available golang pre-release instead of the major version
-          if [ "$canary" != "" ]; then
-            . ./hack/build-integration-canary.sh
-            canary::golang::latest
-          fi
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          args: --verbose
-  other:
-    timeout-minutes: 5
-    name: yaml | shell | imports order
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/[email protected]
-        with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          check-latest: true
-          cache: true
-      - name: yaml
-        run: make lint-yaml
-      - name: shell
-        run: make lint-shell
-      - name: go imports ordering
-        run: |
-          go install -v github.com/incu6us/goimports-reviser/v3@latest
-          make lint-imports
+          # Only run canary on linux (note: the canary script will select any upcoming golang alpha/beta/RC when the `canary` param is set to a non-empty string)
+          - goos: linux
+            canary: true
+
+    # If we do not "collapse" the name using a bogux matrix var, it will display all matrix parameters, which we do not want
+    name: "lint${{ matrix.c }}"
+    uses: ./.github/workflows/reusable_lint_go.yml
+    needs: environment
+    with:
+      goos: ${{ matrix.goos }}
+      canary: ${{ matrix.canary }}
+      os: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+      goversion: ${{ needs.environment.outputs.GO_VERSION }}
+      timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
+
+  # Linting other filetypes
+  lint-other:
+    name: "lint"
+    uses: ./.github/workflows/reusable_lint_other.yml
+    needs: environment
+    with:
+      os: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+      timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
@@ -1,4 +1,4 @@
-name: project
+name: " "
 
 on:
   push:
@@ -8,24 +8,40 @@ on:
   pull_request:
 
 jobs:
+  # Source the common environment
+  environment:
+    name: "project checks"
+    uses: ./.github/workflows/reusable_environment.yml
+
   project:
-    name: checks
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
+    name: "project checks"
+    timeout-minutes: ${{ fromJSON(needs.environment.outputs.SHORT_TIMEOUT) }}
+    runs-on: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+    needs: environment
+
     steps:
-      - uses: actions/[email protected]
+      - name: "Checkout"
+        uses: actions/checkout@v4
         with:
           path: src/github.com/containerd/nerdctl
+          # Fetch the last 100 commits
           fetch-depth: 100
-      - uses: actions/setup-go@v5
+
+      - name: "Install go"
+        uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ needs.environment.outputs.GO_VERSION }}
           cache-dependency-path: src/github.com/containerd/nerdctl
-      - uses: containerd/[email protected]
+
+      - name: "Install and run default containerd project checks"
+        uses: containerd/[email protected]
         with:
           working-directory: src/github.com/containerd/nerdctl
-          repo-access-token: ${{ secrets.GITHUB_TOKEN }}
-      - run: ./hack/verify-no-patent.sh
+
+      - name: "Verify no patent"
+        run: ./hack/verify-no-patent.sh
         working-directory: src/github.com/containerd/nerdctl
-      - run: ./hack/verify-pkg-isolation.sh
+
+      - name: "Verify package isolation"
+        run: ./hack/verify-pkg-isolation.sh
         working-directory: src/github.com/containerd/nerdctl
@@ -1,27 +1,44 @@
 # See https://github.com/containerd/nerdctl/blob/main/MAINTAINERS_GUIDE.md for how to make a release.
 name: Release
+
 on:
   push:
     tags:
     - 'v*'
     - 'test-action-release-*'
 jobs:
+  # Source the common environment
+  environment:
+    name: " "
+    uses: ./.github/workflows/reusable_environment.yml
+
   release:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 40
+    name: "checks"
+    timeout-minutes: ${{ fromJSON(needs.environment.outputs.LONG_TIMEOUT) }}
+    runs-on: ${{ needs.environment.outputs.HOST_UBUNTU_LTS }}
+    needs: environment
+
     steps:
-    - uses: actions/[email protected]
-    - uses: actions/setup-go@v5
+    - name: "Checkout"
+      uses: actions/checkout@v4
+
+    - name: "Install go"
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.23.x
+        go-version: ${{ needs.environment.outputs.GO_VERSION }}
+        check-latest: true
+
     - name: "Compile binaries"
       run: make artifacts
+
     - name: "SHA256SUMS"
       run: |
         ( cd _output; sha256sum nerdctl-* ) | tee /tmp/SHA256SUMS
         mv /tmp/SHA256SUMS _output/SHA256SUMS
+
     - name: "The sha256sum of the SHA256SUMS file"
       run: (cd _output; sha256sum SHA256SUMS)
+
     - name: "Prepare the release note"
       run: |
         shasha=$(sha256sum _output/SHA256SUMS | awk '{print $1}')
@@ -35,6 +52,7 @@ jobs:
         - - -
         Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
         EOF
+
     - name: "Create release"
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -0,0 +1,73 @@
+name: common_environment
+
+env:
+  GO_VERSION: 1.23.x
+  HOST_UBUNTU_LTS: ubuntu-24.04
+  SHORT_TIMEOUT: 5
+  LONG_TIMEOUT: 20
+  # Will use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+
+  # Versions for images we maintain
+  BUSYBOX_VERSION: 5ad83957fa74aafd061afbfb8da14ce3220659a9
+  DISTRIBUTION_VERSION: v2.8.3
+  CURL_VERSION: 8.11.0_4
+
+on:
+  workflow_call:
+    outputs:
+      GO_VERSION:
+        description: "The major golang version we are targeting"
+        value: ${{ jobs.environment.outputs.output_go }}
+      HOST_UBUNTU_LTS:
+        description: "The major LTS ubuntu host runner we run our tasks on"
+        value: ${{ jobs.environment.outputs.output_ubuntu_lts }}
+      SHORT_TIMEOUT:
+        description: "The timeout for tasks that are supposed to run fast (lint, etc)"
+        value: ${{ jobs.environment.outputs.output_short_timeout }}
+      LONG_TIMEOUT:
+        description: "The timeout for tasks that are going to run up to 20 minutes (building, integration, etc)"
+        value: ${{ jobs.environment.outputs.output_long_timeout }}
+      REGISTRY:
+        description: "The registry where to push our images"
+        value: ${{ jobs.environment.outputs.output_registry }}
+      BUSYBOX_VERSION:
+        description: "Busybox version"
+        value: ${{ jobs.environment.outputs.output_busybox }}
+      DISTRIBUTION_VERSION:
+        description: "Distribution version"
+        value: ${{ jobs.environment.outputs.output_distribution }}
+      CURL_VERSION:
+        description: "Curl version"
+        value: ${{ jobs.environment.outputs.output_curl }}
+
+jobs:
+  environment:
+    name: "environ"
+    runs-on: ubuntu-24.04
+    steps:
+      - id: go
+        run: echo "GO_VERSION=$GO_VERSION" >> $GITHUB_OUTPUT
+      - id: ubuntu_lts
+        run: echo "HOST_UBUNTU_LTS=$HOST_UBUNTU_LTS" >> $GITHUB_OUTPUT
+      - id: short_timeout
+        run: echo "SHORT_TIMEOUT=$SHORT_TIMEOUT" >> $GITHUB_OUTPUT
+      - id: long_timeout
+        run: echo "LONG_TIMEOUT=$LONG_TIMEOUT" >> $GITHUB_OUTPUT
+      - id: registry
+        run: echo "REGISTRY=$REGISTRY" >> $GITHUB_OUTPUT
+      - id: busybox
+        run: echo "BUSYBOX_VERSION=$BUSYBOX_VERSION" >> $GITHUB_OUTPUT
+      - id: distribution
+        run: echo "DISTRIBUTION_VERSION=$DISTRIBUTION_VERSION" >> $GITHUB_OUTPUT
+      - id: curl
+        run: echo "CURL_VERSION=$CURL_VERSION" >> $GITHUB_OUTPUT
+    outputs:
+      output_go: ${{ steps.go.outputs.GO_VERSION }}
+      output_ubuntu_lts: ${{ steps.ubuntu_lts.outputs.HOST_UBUNTU_LTS }}
+      output_short_timeout: ${{ steps.short_timeout.outputs.SHORT_TIMEOUT }}
+      output_long_timeout: ${{ steps.long_timeout.outputs.LONG_TIMEOUT }}
+      output_registry: ${{ steps.registry.outputs.REGISTRY }}
+      output_busybox: ${{ steps.registry.outputs.BUSYBOX_VERSION }}
+      output_distribution: ${{ steps.registry.outputs.DISTRIBUTION_VERSION }}
+      output_curl: ${{ steps.registry.outputs.CURL_VERSION }}