diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 1138c8f..cbdebbb 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -128,18 +128,32 @@ jobs:
 # CLI container so buildah inside it can see the pre-pulled
 # secureblue base layer (avoids GHCR auth round-trip during
 # templating).
- # Mount podman's auth.json so the bluebuild container can
- # authenticate to GHCR via the same login we did above.
- AUTH_JSON="${XDG_RUNTIME_DIR:-/run/containers/0}/containers/auth.json"
- [ -f "$AUTH_JSON" ] || AUTH_JSON=/root/.config/containers/auth.json
- ls -la "$AUTH_JSON" 2>&1 || true
+ # podman login writes to $XDG_RUNTIME_DIR/containers/auth.json
+ # by default, which is volatile. Find it + copy to a stable
+ # path that we then bind into the bluebuild container.
+ AUTH_SRC=""
+ for cand in \
+ "${XDG_RUNTIME_DIR:-/run/user/0}/containers/auth.json" \
+ "/run/containers/0/auth.json" \
+ "/root/.config/containers/auth.json" \
+ "/root/.docker/config.json"; do
+ if [ -f "$cand" ]; then AUTH_SRC="$cand"; break; fi
+ done
+ if [ -z "$AUTH_SRC" ]; then
+ echo "[ERR] no podman/docker auth.json found post-login"
+ find / -name auth.json -o -name 'config.json' 2>/dev/null | head -10
+ exit 1
+ fi
+ mkdir -p /root/.config/containers
+ cp "$AUTH_SRC" /root/.config/containers/auth.json
+ ls -la /root/.config/containers/auth.json
 podman run --rm \
 --privileged \
 --entrypoint /usr/bin/bluebuild \
 -v "$PWD:/work" \
 -v /var/lib/containers/storage:/var/lib/containers/storage \
- -v "${AUTH_JSON}:/root/.config/containers/auth.json:ro" \
+ -v /root/.config/containers/auth.json:/root/.config/containers/auth.json:ro \
 -w /work \
 -e BB_BUILD_DRIVER=buildah \
 ghcr.io/blue-build/cli:latest \
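Review bot: The added `cp "$AUTH_SRC" /root/.config/containers/auth.json` moves the registry token from a volatile location into a persistent file, with no explicit mode and nothing that removes it when the step ends, so on a reused runner (the /root paths suggest a self-hosted one, though the hunk does not show it) the credential outlives the job. The same line also fails when the loop selected the third candidate, because GNU cp refuses to copy a file onto itself and returns non-zero, which would abort the step if it runs under the runner's default `bash -e`. Copying into a `mktemp` file with mode 0600, deleting it from an EXIT trap and binding that file into the container addresses both, provided no later step depends on the copy under /root/.config. The `podman run` command continues past the end of the hunk.

```yaml
          # … unchanged: candidate loop and not-found error …
          AUTH_TMP="$(mktemp)"
          trap 'rm -f -- "$AUTH_TMP"' EXIT
          install -m 0600 -- "$AUTH_SRC" "$AUTH_TMP"
          # … unchanged: podman run and its flags up to the storage mount …
            -v "$AUTH_TMP:/root/.config/containers/auth.json:ro" \
```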