ci(bluebuild): use blue-build/github-action composite (no CLI binary release)

BlueBuild CLI does not ship pre-built binaries on GitHub Releases
(latest tag v0.9.35 has no assets — install path is cargo or their
container image). Drop the curl-tarball install step and use the
official composite action @ pinned SHA — it runs podman + buildah
inside, works on Forgejo runner identically to GH-hosted because
it's bash, not node-bound.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.github/workflows/build-bluebuild.yml

@@ -80,35 +80,29 @@ jobs:
           chmod +x /usr/local/bin/cosign
           cosign version
 
-      - name: Install BlueBuild CLI
+      - name: Build OCI image with BlueBuild action
-        run: |
+        id: bluebuild
-          set -euxo pipefail
+        # Composite action — runs podman + buildah inside; works on
-          BB_VERSION="0.9.10"
+        # Forgejo runner same as GH-hosted. Pinned to commit SHA per
-          BB_URL="https://github.com/blue-build/cli/releases/download/v${BB_VERSION}/bluebuild-x86_64-unknown-linux-gnu.tar.gz"
+        # the v0.5 CI hardening pass.
-          curl -fsSL "$BB_URL" -o /tmp/bb.tgz
+        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
-          tar -xzf /tmp/bb.tgz -C /usr/local/bin/
+        with:
-          chmod +x /usr/local/bin/bluebuild
+          recipe: bluebuild/recipe.yml
-          bluebuild --version
+          # registry_token is consumed by the action to publish; for
+          # the Forgejo path we re-tag + push manually below, so this
+          # token only matters for the GH-mirror path.
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_event_number: ${{ github.event.number }}
+          maximize_build_space: false
 
-      - name: Build OCI image with BlueBuild
+      - name: Re-tag local OCI for Forgejo + GHCR
         run: |
           set -euxo pipefail
-          cd bluebuild
+          # The action emits the local image as `<recipe-name>:<tag>`.
-          # bluebuild build:
+          # Confirm it landed, then add registry-prefixed tags.
-          #  --recipe-path => path to recipe.yml
-          #  --tag         => local tag, then we re-tag for registries
-          #  podman driver to avoid Docker socket coupling
-          bluebuild build \
-            --debug \
-            --build-driver podman \
-            --inspect-driver skopeo \
-            --signing-driver cosign \
-            recipe.yml
-          # bluebuild tags as `<image-name>:latest` locally. Confirm it
-          # lands and re-tag for both registries.
           podman images
-          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}"
+          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
-          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest"
+          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true
 
       - name: Push to Forgejo registry (primary)
         if: success() && github.event_name != 'pull_request' && github.server_url != 'https://github.com'