ci: rework build

.gitea/workflows/build.yaml

@@ -10,74 +10,56 @@ on:
 jobs:
   build_push:
     name: Build and push image
-    runs-on: job-v2
-
+    runs-on: wesley-arm
     strategy:
       fail-fast: false
       matrix:
         image: [asahi-cosmic]
         version: [43] #Build current stable,next stable/rawhide (if not branched)
-
     container:
-      image: "quay.io/fedora-ostree-desktops/buildroot:43"
-      options: "--security-opt apparmor=unconfined --privileged --user 0:0 --device=/dev/kvm --device=/dev/fuse --volume /:/run/host:rw --arch arm64"
-
+      image: "quay.io/fedora-ostree-desktops/buildroot:${{ matrix.version }}"
+      options: "--security-opt=label=disable --privileged --user 0:0 --device=/dev/fuse --volume /:/run/host:rw"
     steps:
-      - name: Install dependencies
-        run: |
-          dnf install -y nodejs
-          dnf upgrade -y --enablerepo=updates-testing --refresh rpm-ostree
 
+      - name: Install latest rpm-ostree package from testing repos
+        run: |
+          dnf upgrade -y --enablerepo=updates-testing --refresh rpm-ostree
+          dnf install -y nodejs
+          mkdir -p ~/.docker
+
+        
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Build Bootable Container image
-        run: |
-          ./builder.sh "${{ matrix.image }}" "${{ matrix.version }}"
-
-      - name: Prepare Docker config directory
-        run: mkdir -p /root/.docker
-
-      - name: Login to Container Registry
+      - name: Log in
         uses: redhat-actions/podman-login@v1
-        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
         with:
           registry: git.plabble.org
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
           auth_file_path: /tmp/auth.json
 
-      - name: Push container image to container registry
-        id: push
+      - name: Build rootfs
         run: |
-          # Determine buildid (same logic as upstream)
-          if [[ -f ".buildid" ]]; then
-              buildid="$(< .buildid)"
-          else
-              buildid="$(date '+%Y%m%d.0')"
-              echo "${buildid}" > .buildid
-          fi
+          sudo ./builder.sh asahi-cosmic 43
 
-          version="${{ matrix.version }}"
-          image="${{ matrix.image }}"
+      - name: Build container
+        id: build
+        uses: job79/buildah-build@65b3793a1370c1ccd74a5c0d090d70eb9637a4ef
+        with:
+          image: misthios/${{ matrix.image }}
+          tags: ${{ matrix.version }}
+          containerfiles: ./Containerfile
+          build-args: IMAGE=${{ matrix.image }}
 
-          # Path to the OCI archive produced by builder.sh
-          archive="images/${image}/manifest.ociarchive"
-
-          echo "Pushing ${archive} as ${image}:${version}.${buildid}"
-
-          # Push version.buildid
-          skopeo copy \
-            --authfile /tmp/auth.json \
-            --retry-times 3 \
-            --dest-compress-format zstd \
-            oci-archive:${archive} \
-            docker://git.plabble.org/misthios/${image}:${version}.${buildid}
-
-          # Push version
-          skopeo copy \
-            --authfile /tmp/auth.json \
-            --retry-times 3 \
-            --dest-compress-format zstd \
-            docker://git.plabble.org/misthios/${image}:${version}.${buildid} \
-            docker://git.plabble.org/misthios/${image}:${version}
+      - name: Push
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build.outputs.image }}
+          tags: ${{ steps.build.outputs.tags }}
+          registry: git.plabble.org
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+          extra-args: |
+            --compression-format=zstd
+            --compression-level=12

Containerfile

@@ -0,0 +1,10 @@
+ARG IMAGE
+
+FROM scratch
+COPY images/$IMAGE/manifest.ociarchive /
+
+LABEL containers.bootc 1
+ENV container=oci
+
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]

builder.sh

@@ -43,34 +43,34 @@ echo "${buildid}" > .buildid
 
 echo "Composing ${VERSION}.${buildid} ..."
 
-# repos import
-cp images/shared/*.repo "${IMAGE_DIR}"
-cp "${IMAGE_DIR}"/{$IMAGE}/repos/*.repo "${IMAGE_DIR}"
+# --- REPOS IMPORT ---
+cp images/shared/*.repo "${IMAGE_DIR}/"
+cp "${IMAGE_DIR}"/repos/*.repo "${IMAGE_DIR}/"
 
-# Ensure manifest has correct ref and releasever 
-sed -i '/^ref:/d' "$MANIFEST" 
-sed -i '/^releasever:/d' "$MANIFEST" 
-sed -i "1i releasever: ${VERSION}" "$MANIFEST" 
+# --- MANIFEST FIXUPS ---
+# Remove existing ref: and releasever:
+sed -i '/^ref:/d' "$MANIFEST"
+sed -i '/^releasever:/d' "$MANIFEST"
+
+# Insert new values at top
+sed -i "1i releasever: ${VERSION}" "$MANIFEST"
 sed -i "1i ref: ${REF}" "$MANIFEST"
 
-#Run a optional per image script to do image specific things
-POSTPROCESS="${IMAGE_DIR}/${IMAGE}"/postprocess.sh"
-if [[ -x "${POSTPROCESS}" ]]; then
-    echo "Running postprocess script: ${POSTPROCESS}"
-    "${POSTPROCESS}"
+# --- OPTIONAL POSTPROCESS ---
+POSTPROCESS="$IMAGE_DIR/test.sh"
+if [[ -x "$POSTPROCESS" ]]; then
+    echo "Running postprocess script: $POSTPROCESS"
+    "$POSTPROCESS"
 else
     echo "No postprocess.sh found in ${IMAGE_DIR}, skipping."
 fi
 
-
 # --- COMPOSE IMAGE ---
 ARGS=(
     "--cachedir=cache"
-    "--initialize"
-    "--max-layers=96"
 )
 
-rpm-ostree compose image \
+rpm-ostree compose rootfs \
     "${ARGS[@]}" \
     "$MANIFEST" \
     "$OUTPUT"

images/asahi-cosmic/packages.yaml

@@ -1,4 +1,13 @@
-#Cosmic related packages
+
+# System packages (boot)
+packages-aarch64:
+  - grub2-efi
+  - efibootmgr
+  - shim
+
+#System packages (common)
+
+# Core packages (common.yaml upstream)
 packages:
   - cosmic-edit
   - cosmic-files
@@ -16,17 +25,6 @@ packages:
   - plymouth-system-theme
   - system-config-printer
   - xdg-desktop-portal-gtk
-
-# System packages (boot)
-packages-aarch64:
-  - grub2-efi
-  - efibootmgr
-  - shim
-
-#System packages (common)
-
-# Core packages (common.yaml upstream)
-packages:
  # Ensure that we have a kernel. Kernel packages are not in any comps group
   # - kernel
   # - kernel-modules

images/asahi-cosmic/repos/group_asahi-fedora-remix-branding.repo

@@ -1,4 +1,4 @@
-copr:copr.fedorainfracloud.org:group_asahi:fedora-remix-branding]
+[copr:copr.fedorainfracloud.org:group_asahi:fedora-remix-branding]
 name=Copr repo for fedora-remix-branding owned by @asahi
 baseurl=https://download.copr.fedorainfracloud.org/results/@asahi/fedora-remix-branding/fedora-$releasever-$basearch/
 type=rpm-md

images/shared/base.yaml

@@ -90,10 +90,6 @@ postprocess:
     # Extra modules that we want by default that are known to exist in the kernel
     add_dracutmodules+=" virtiofs "
     EOF
-    cat > /usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf << 'EOF'
-    # We want this for systemd-cryptsetup tpm2 locking
-    add_dracutmodules+=" tpm2-tss "
-    EOF
     cat > /usr/lib/dracut/dracut.conf.d/59-altfiles.conf << 'EOF'
     # https://issues.redhat.com/browse/RHEL-49590
     # On image mode systems we use nss-altfiles for passwd and group,
@@ -173,26 +169,6 @@ postprocess:
     Z /etc/colord/    - colord colord
     EOF
 
-  #Enable Compose FS
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-
-    cat >> /usr/lib/ostree/prepare-root.conf << 'EOF'
-    [composefs]
-    enabled = yes
-    EOF
-     
-  #Sysroot read-only
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-
-    install -dm 0755 -o 0 -g 0 /usr/lib/ostree
-    cat >> /usr/lib/ostree/prepare-root.conf << 'EOF'
-    [sysroot]
-    readonly = true
-    EOF 
 packages:
 
  # systemd. Also name systemd-pam because it was dropped to a recommends