From 2f07e2757cbe2ef5d2a9147a7b0962845cd4d326 Mon Sep 17 00:00:00 2001
From: Wesley van Tilburg
Date: Fri, 27 Feb 2026 22:21:40 +0100
Subject: [PATCH] ci: test changes

---
 .gitea/workflows/build.yaml | 169 +++++++++++++++++++++++++++++++-----
 1 file changed, 149 insertions(+), 20 deletions(-)

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 584a3fd..bb85198 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -15,19 +15,97 @@ jobs: fail-fast: false matrix: image: [asahi-cosmic] - version: [43] #Build current stable,next stable/rawhide (if not branched) + version: [43] + container: image: "quay.io/fedora-ostree-desktops/buildroot:${{ matrix.version }}" options: "--security-opt=label=disable --privileged --user 0:0 --device=/dev/fuse --volume /:/run/host:rw" + + steps: + + - name: Install rpm-ostree + tools + run: | + dnf upgrade -y --enablerepo=updates-testing --refresh rpm-ostree + dnf install -y nodejs skopeo jq + mkdir -p ~/.docker + + - name: Fix containers/storage.conf + run: | + sed -i 's/driver = "overlay"/driver = "vfs"/' /usr/share/containers/storage.conf + + - name: Checkout + uses: actions/checkout@v4 + + - name: Log in to registry + uses: redhat-actions/podman-login@v1 + with: + registry: git.plabble.org + username: ${{ secrets.REGISTRY_USERNAME }} + password: ${{ secrets.REGISTRY_TOKEN }} + auth_file_path: /tmp/auth.json + + - name: Build rootfs (rpm-ostree compose image) + run: | + sudo ./builder.sh "${{ matrix.image }}" "${{ matrix.version }}" + + - name: Push OCI archive to registry + run: | + set -xeuo pipefail + + IMAGE="${{ matrix.image }}" + VERSION="${{ matrix.version }}" + REGISTRY="git.plabble.org/misthios" + + ARCHIVE="images/${IMAGE}/manifest.ociarchive" + + # Build ID (YYYYMMDD.0) + if [[ -f ".buildid" ]]; then + buildid="$(< .buildid)" + else + buildid="$(date '+%Y%m%d.0')" + echo "${buildid}" > .buildid + fi + + # Extract version from os-release mutation + version="$(rpm-ostree compose tree --print-only --repo=repo manifests/${IMAGE}.yaml | jq -r '."mutate-os-release"')" + + # Full tag: version.buildid + full_tag="${version}.${buildid}" +name: Build containers + +on: + workflow_dispatch: + pull_request: + branches: ["main"] + push: + branches: ["main"] + +jobs: + build_push: + name: Build and push image + runs-on: coole-runner + strategy: + fail-fast: false + matrix: + image: [asahi-cosmic] + version: [43] + + container: + image: 
"quay.io/fedora-ostree-desktops/buildroot:${{ matrix.version }}" + options: "--security-opt=label=disable --privileged --user 0:0 --device=/dev/fuse --volume /:/run/host:rw" + steps: - name: Install latest rpm-ostree package from testing repos run: | dnf upgrade -y --enablerepo=updates-testing --refresh rpm-ostree - dnf install -y nodejs + dnf install -y nodejs buildah tar jq mkdir -p ~/.docker - + - name: Fixup containers/storage.conf + run: | + sed -i 's/driver = "overlay"/driver = "vfs"/' /usr/share/containers/storage.conf + - name: Checkout uses: actions/checkout@v4 
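Review bot: The added lines from `+name: Build containers` through the second `container:`/`options:` pair reintroduce the top-level keys `name`, `on` and `jobs` at column 0 right after the first job's `run: |` script, so the new file carries two complete workflow headers; a parser that rejects duplicate mapping keys will refuse the file, and one that does not will silently keep only the second `jobs:` mapping and drop the `podman-login` + `skopeo` job entirely. That first job's push script also ends at `full_tag="${version}.${buildid}"`, while the `skopeo copy` commands that consume `ARCHIVE`, `REGISTRY`, `full_tag` and `version` sit stranded in the Push step at the end of the `@@ -43` hunk, where none of them is assigned. This reads as a concatenated rather than merged file: keep a single header and a single `jobs:` block, and move the skopeo commands back under the step that computes those variables. Separately, `jq -r '."mutate-os-release"'` prints `null` when the key is absent and the image would be tagged `null.<buildid>`; `jq -er '."mutate-os-release"'` makes the step fail under `set -e` instead. The `jobs:` mapping this hunk edits begins before line 15, outside the hunk.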
@@ -43,23 +121,74 @@ jobs: run: | sudo ./builder.sh asahi-cosmic 43 - - name: Build container - id: build - uses: job79/buildah-build@65b3793a1370c1ccd74a5c0d090d70eb9637a4ef - with: - image: misthios/${{ matrix.image }} - tags: ${{ matrix.version }} - containerfiles: ./Containerfile - build-args: IMAGE=${{ matrix.image }} + - name: Build container (SUID‑preserving OCI extraction) + run: | + set -xeuo pipefail + + IMAGE_NAME="misthios/${{ matrix.image }}" + IMAGE_TAG="${{ matrix.version }}" + OCI_DIR="images/${{ matrix.image }}/manifest.ociarchive" + + # Create container from scratch + ctr=$(buildah from scratch) + mnt=$(buildah mount "$ctr") + + # Extract layers in correct order + manifest="$OCI_DIR/manifest.json" + layers=$(jq -r '.[0].Layers[]' "$manifest") + + for layer in $layers; do + LAYER_PATH="$OCI_DIR/blobs/sha256/${layer#sha256:}" + echo "Extracting layer: $LAYER_PATH" + tar --numeric-owner -xpf "$LAYER_PATH" -C "$mnt" + done + + # Add metadata + buildah config \ + --label containers.bootc=1 \ + --label org.opencontainers.image.title="${{ matrix.image }}" \ + --label org.opencontainers.image.version="${{ matrix.version }}" \ + --label org.opencontainers.image.revision="${{ github.sha }}" \ + --label io.bootc.image.version="${{ matrix.version }}" \ + --label io.bootc.image.revision="${{ github.sha }}" \ + --env container=oci \ + --stop-signal SIGRTMIN+3 \ + --cmd "/sbin/init" \ + "$ctr" + + # Commit final image + buildah commit "$ctr" "${IMAGE_NAME}:${IMAGE_TAG}" + + buildah unmount "$ctr" + buildah rm "$ctr" - name: Push - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build.outputs.image }} - tags: ${{ steps.build.outputs.tags }} - registry: git.plabble.org - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_TOKEN }} - extra-args: | - --compression-format=zstd + run: | + buildah push \ + misthios/${{ matrix.image }}:${{ matrix.version }} \ + docker://git.plabble.org/misthios/${{ matrix.image }}:${{ 
matrix.version }} \ + --creds "${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}" \ + --compression-format=zstd \ --compression-level=12 + + echo "Pushing ${ARCHIVE} → ${REGISTRY}/${IMAGE}:${full_tag}" + + # Push OCI archive directly (preserves SUID, ownership, labels) + skopeo copy \ + --authfile /tmp/auth.json \ + --retry-times 3 \ + --dest-compress-format zstd \ + oci-archive:${ARCHIVE} \ + docker://${REGISTRY}/${IMAGE}:${full_tag} + + # Also push version-only tag + skopeo copy \ + --authfile /tmp/auth.json \ + --retry-times 3 \ + --dest-compress-format zstd \ + docker://${REGISTRY}/${IMAGE}:${full_tag} \ + docker://${REGISTRY}/${IMAGE}:${version} + + echo "Pushed:" + echo " - ${REGISTRY}/${IMAGE}:${full_tag}" + echo " - ${REGISTRY}/${IMAGE}:${version}"
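Review bot: The Push step's new `skopeo copy` lines run in a shell without `set -euo pipefail`, so `ARCHIVE`, `REGISTRY`, `IMAGE`, `full_tag` and `version` — assigned only inside the other job's script in the `@@ -15` hunk, never in this step — expand to empty strings and skopeo is invoked with `oci-archive:` and `docker:///:` references; putting `set -euo pipefail` as the first line of this `run: |` turns that into an immediate unbound-variable failure instead of a confusing registry error. The `buildah push --creds "${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}"` line also places the token in a process argument, readable by anything that can list processes in the container, whereas the `redhat-actions/podman-login` step added in the `@@ -15` hunk already writes `/tmp/auth.json`; reusing that login via `--authfile /tmp/auth.json` keeps the token out of argv. In the build step, `manifest.json` with `.[0].Layers[]` is the docker-archive layout while `blobs/sha256/` is the OCI layout, and the `oci-archive:${ARCHIVE}` reference in the push commands suggests `manifest.ociarchive` is a tar file rather than a directory — if so, the `jq` call fails on a missing file, so please confirm which format `builder.sh` emits. Plain `tar -xpf` of each layer additionally ignores OCI whiteout entries (`.wh.*`), which matters as soon as the archive has more than one layer. The step that runs `builder.sh` begins before this hunk.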