ci(bluebuild): pre-pull secureblue base + share podman storage
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 30s
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 30s
GHCR rejected skopeo's anonymous manifest call from inside the bluebuild CLI container. Pre-pull the secureblue base on the host podman (which handles the anonymous token dance), then bind-mount /var/lib/containers/storage into the bluebuild container so its buildah sees the cached base layer. Drop deprecated --inspect-driver flag while we are touching the invocation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
claude-veilor-bot
parent
abe2d2b556
commit
23156f98bf
1 changed files with 15 additions and 1 deletions
16
.github/workflows/build-bluebuild.yml
vendored
16
.github/workflows/build-bluebuild.yml
vendored
|
|
@ -95,6 +95,16 @@ jobs:
|
||||||
chmod +x /usr/local/bin/cosign
|
chmod +x /usr/local/bin/cosign
|
||||||
cosign version
|
cosign version
|
||||||
|
|
||||||
|
- name: Pre-pull secureblue base image
|
||||||
|
run: |
|
||||||
|
set -euxo pipefail
|
||||||
|
# GHCR's manifest API rejects anonymous calls from skopeo
|
||||||
|
# ("Not authorized") for some public images — but `podman
|
||||||
|
# pull` handles the anonymous token dance correctly. Pre-pull
|
||||||
|
# the base into local podman storage so bluebuild's
|
||||||
|
# templating step finds it without a registry round-trip.
|
||||||
|
podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
|
||||||
|
|
||||||
- name: Build OCI image with BlueBuild CLI container
|
- name: Build OCI image with BlueBuild CLI container
|
||||||
id: bluebuild
|
id: bluebuild
|
||||||
# blue-build/github-action requires docker buildx which podman
|
# blue-build/github-action requires docker buildx which podman
|
||||||
|
|
@ -106,16 +116,20 @@ jobs:
|
||||||
# Pull cli image; pinned to v0.9.x at action time.
|
# Pull cli image; pinned to v0.9.x at action time.
|
||||||
podman pull ghcr.io/blue-build/cli:latest
|
podman pull ghcr.io/blue-build/cli:latest
|
||||||
# Mount the repo + podman socket; build with buildah driver.
|
# Mount the repo + podman socket; build with buildah driver.
|
||||||
|
# Bind host /var/lib/containers/storage into the bluebuild
|
||||||
|
# CLI container so buildah inside it can see the pre-pulled
|
||||||
|
# secureblue base layer (avoids GHCR auth round-trip during
|
||||||
|
# templating).
|
||||||
podman run --rm \
|
podman run --rm \
|
||||||
--privileged \
|
--privileged \
|
||||||
--entrypoint /usr/bin/bluebuild \
|
--entrypoint /usr/bin/bluebuild \
|
||||||
-v "$PWD:/work" \
|
-v "$PWD:/work" \
|
||||||
|
-v /var/lib/containers/storage:/var/lib/containers/storage \
|
||||||
-w /work \
|
-w /work \
|
||||||
-e BB_BUILD_DRIVER=buildah \
|
-e BB_BUILD_DRIVER=buildah \
|
||||||
ghcr.io/blue-build/cli:latest \
|
ghcr.io/blue-build/cli:latest \
|
||||||
build \
|
build \
|
||||||
--build-driver buildah \
|
--build-driver buildah \
|
||||||
--inspect-driver skopeo \
|
|
||||||
bluebuild/recipe.yml
|
bluebuild/recipe.yml
|
||||||
# bluebuild CLI tags as <recipe-name>:<tag> in local podman
|
# bluebuild CLI tags as <recipe-name>:<tag> in local podman
|
||||||
# storage. List + verify, then re-tag for the registries.
|
# storage. List + verify, then re-tag for the registries.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue