ci(bluebuild): use ghcr.io/blue-build/cli container instead of action

The blue-build/github-action requires docker buildx which podman doesn't ship. Symlinking podman as docker isn't enough — the action calls 'docker buildx inspect' / 'docker buildx rm' which podman doesn't implement. Pull the official BlueBuild CLI container and run it with --build-driver buildah; works against podman storage with no docker dependency.
2026-05-06 17:01:22 +01:00 · 2026-05-06 17:01:22 +01:00 · 1e70cc5461
commit 1e70cc5461
parent 9ee2cec20e
1 changed files with 20 additions and 17 deletions
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@ -95,26 +95,29 @@ jobs:
          chmod +x /usr/local/bin/cosign
          cosign version

-      - name: Build OCI image with BlueBuild action
+      - name: Build OCI image with BlueBuild CLI container
        id: bluebuild
-        # Composite action — runs podman + buildah inside; works on
-        # Forgejo runner same as GH-hosted. Pinned to commit SHA per
-        # the v0.5 CI hardening pass.
-        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
-        with:
-          recipe: bluebuild/recipe.yml
-          # registry_token is consumed by the action to publish; for
-          # the Forgejo path we re-tag + push manually below, so this
-          # token only matters for the GH-mirror path.
-          registry_token: ${{ secrets.GITHUB_TOKEN }}
-          pr_event_number: ${{ github.event.number }}
-          maximize_build_space: false
-
-      - name: Re-tag local OCI for Forgejo + GHCR
+        # blue-build/github-action requires docker buildx which podman
+        # doesn't ship. Run the official BlueBuild CLI container with
+        # buildah driver instead — works against rootless or rootful
+        # podman, no docker dependency.
        run: |
          set -euxo pipefail
-          # The action emits the local image as `<recipe-name>:<tag>`.
-          # Confirm it landed, then add registry-prefixed tags.
+          # Pull cli image; pinned to v0.9.x at action time.
+          podman pull ghcr.io/blue-build/cli:latest
+          # Mount the repo + podman socket; build with buildah driver.
+          podman run --rm \
+            --privileged \
+            -v "$PWD:/work" \
+            -w /work \
+            -e BB_BUILD_DRIVER=buildah \
+            ghcr.io/blue-build/cli:latest \
+            build \
+              --build-driver buildah \
+              --inspect-driver skopeo \
+              bluebuild/recipe.yml
+          # bluebuild CLI tags as <recipe-name>:<tag> in local podman
+          # storage. List + verify, then re-tag for the registries.
          podman images
          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true