From a142873b7608f0c42ac19381a8156c2c917940b9 Mon Sep 17 00:00:00 2001
From: Taiki Endo <te316e89@gmail.com>
Date: Mon, 4 May 2026 20:48:43 +0900
Subject: [PATCH] ci,tools: Update config and script

---
 .github/workflows/ci.yml       |  8 +++---
 .github/workflows/manifest.yml |  2 +-
 .github/workflows/release.yml  |  2 +-
 tools/tidy.sh                  | 49 ++++++++++++++++++++++++++++++----
 4 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ffe72228..31e74563 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,20 +32,20 @@ concurrency:
 
 jobs:
   miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/miri.yml@75415970465917c31d702710acd9c9248b9af314 # main
     with:
       # NB: sync with test job's --exclude option
       args: --exclude install-action-internal-codegen
   msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@75415970465917c31d702710acd9c9248b9af314 # main
   test-manifest-schema:
-    uses: taiki-e/github-actions/.github/workflows/test.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/test.yml@75415970465917c31d702710acd9c9248b9af314 # main
     with:
       # NB: sync with miri job's --exclude option
       test-args: --exclude install-action-internal-codegen
       no-std: false
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@75415970465917c31d702710acd9c9248b9af314 # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
index 80b39af2..05a73440 100644
--- a/.github/workflows/manifest.yml
+++ b/.github/workflows/manifest.yml
@@ -32,7 +32,7 @@ concurrency:
 
 jobs:
   manifest:
-    uses: taiki-e/github-actions/.github/workflows/gen.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/gen.yml@75415970465917c31d702710acd9c9248b9af314 # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # for gh pr review --approve
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78d20b61..d92a5268 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -433,7 +433,7 @@ jobs:
 
   release-manifest-schema:
     if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@68753a4331ec78cb842512fd16ae32da0c066e31 # main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@75415970465917c31d702710acd9c9248b9af314 # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action
diff --git a/tools/tidy.sh b/tools/tidy.sh
index 9b013ecb..7577a5df 100755
--- a/tools/tidy.sh
+++ b/tools/tidy.sh
@@ -9,13 +9,22 @@ cd -- "$(dirname -- "$0")"/..
 #    GITHUB_TOKEN=$(gh auth token) ./tools/tidy.sh
 #
 # Note: This script requires the following tools:
-# - docker
+# - docker or podman (or compatible CLI specified by TIDY_DOCKER_PATH. when both available and TIDY_DOCKER_PATH is not set, docker is preferred)
 #
 # This script is shared by projects under github.com/taiki-e, so there may also
 # be checks for files not included in this repository, but they will be skipped
 # if the corresponding files do not exist.
 # It is not intended for manual editing.
 
+bail() {
+  if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
+    printf '::error::%s\n' "$*"
+  else
+    printf >&2 'error: %s\n' "$*"
+  fi
+  exit 1
+}
+
 if [[ $# -gt 0 ]]; then
   cat <<EOF
 USAGE:
@@ -24,10 +33,11 @@ EOF
   exit 1
 fi
 
+image='ghcr.io/taiki-e/tidy'
 if [[ -n "${TIDY_DEV:-}" ]]; then
-  image="ghcr.io/taiki-e/tidy:latest"
+  image+=':latest'
 else
-  image="ghcr.io/taiki-e/tidy@sha256:c78ba09aa420feddc57ca76fca38b1d4c998a0ede37f76378f12df15a826cf59"
+  image+='@sha256:4d7ec52a86bd3c0a2d96627b0ec3aa534afc02c2d56fc9a898df64e29aa03312'
 fi
 user="$(id -u):$(id -g)"
 workdir=$(pwd)
@@ -40,8 +50,12 @@ color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
   color=1
 fi
+# Refs:
+# - https://docs.docker.com/reference/cli/docker/container/run/
+# - https://docs.podman.io/en/latest/markdown/podman-run.1.html
+# - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
 common_args=(
-  run --rm --init -i --user "${user}"
+  run --rm --init
   --cap-drop=all
   --security-opt=no-new-privileges
   --read-only
@@ -59,6 +73,30 @@ common_args=(
   --env TIDY_EXPECTED_SHELL_FILE_COUNT
   --env TIDY_EXPECTED_DOCKER_FILE_COUNT
 )
+if [[ -n "${TIDY_DOCKER_PATH:-}" ]]; then
+  docker="${TIDY_DOCKER_PATH}"
+elif type -P docker >/dev/null; then
+  docker='docker'
+elif type -P podman >/dev/null; then
+  docker='podman'
+else
+  bail 'this script requires docker or podman'
+fi
+rootless=''
+if [[ "$("${docker}" --version)" == *'podman'* ]]; then
+  if [[ "$("${docker}" info)" == *'rootless: true'* ]]; then
+    rootless=1
+  fi
+elif [[ "$("${docker}" info -f '{{println .SecurityOptions}}')" == *'rootless'* ]]; then
+  rootless=1
+fi
+if [[ -n "${rootless}" ]]; then
+  printf 'docker path: %s\n' "${docker} (rootless)"
+else
+  printf 'docker path: %s\n' "${docker}"
+  common_args+=(--user "${user}")
+fi
+
 # Map ignored files (e.g., .env) to dummy files.
 while IFS= read -r path; do
   if [[ -d "${path}" ]]; then
@@ -73,7 +111,7 @@ while IFS= read -r path; do
 done < <(git status --porcelain --ignored | grep -E '^!!' | cut -d' ' -f2)
 
 docker_run() {
-  docker "${common_args[@]}" "$@"
+  "${docker}" "${common_args[@]}" "$@"
   code2="$?"
   if [[ ${code} -eq 0 ]] && [[ ${code2} -ne 0 ]]; then
     code="${code2}"
@@ -83,6 +121,7 @@ docker_run() {
 set +e
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir}" --workdir "${workdir}" \
+  --mount "type=bind,source=${workdir}/.git,target=${workdir}/.git,readonly" \
   --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
   --mount "type=bind,source=${tmp}/pwsh-cache,target=/.cache/powershell" \
   --mount "type=bind,source=${tmp}/pwsh-local,target=/.local/share/powershell" \