ci(bluebuild): use blue-build/github-action composite (no CLI binary release)

BlueBuild CLI does not ship pre-built binaries on GitHub Releases (latest tag v0.9.35 has no assets — install path is cargo or their container image). Drop the curl-tarball install step and use the official composite action @ pinned SHA — it runs podman + buildah inside, works on Forgejo runner identically to GH-hosted because it's bash, not node-bound. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 16:54:04 +01:00 · 2026-05-06 16:54:04 +01:00 · 5107d656c1
commit 5107d656c1
parent 809ea08a57
1 changed files with 19 additions and 25 deletions
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@ -80,35 +80,29 @@ jobs:
          chmod +x /usr/local/bin/cosign
          cosign version

-      - name: Install BlueBuild CLI
-        run: |
-          set -euxo pipefail
-          BB_VERSION="0.9.10"
-          BB_URL="https://github.com/blue-build/cli/releases/download/v${BB_VERSION}/bluebuild-x86_64-unknown-linux-gnu.tar.gz"
-          curl -fsSL "$BB_URL" -o /tmp/bb.tgz
-          tar -xzf /tmp/bb.tgz -C /usr/local/bin/
-          chmod +x /usr/local/bin/bluebuild
-          bluebuild --version
+      - name: Build OCI image with BlueBuild action
+        id: bluebuild
+        # Composite action — runs podman + buildah inside; works on
+        # Forgejo runner same as GH-hosted. Pinned to commit SHA per
+        # the v0.5 CI hardening pass.
+        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
+        with:
+          recipe: bluebuild/recipe.yml
+          # registry_token is consumed by the action to publish; for
+          # the Forgejo path we re-tag + push manually below, so this
+          # token only matters for the GH-mirror path.
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_event_number: ${{ github.event.number }}
+          maximize_build_space: false

-      - name: Build OCI image with BlueBuild
+      - name: Re-tag local OCI for Forgejo + GHCR
        run: |
          set -euxo pipefail
-          cd bluebuild
-          # bluebuild build:
-          #  --recipe-path => path to recipe.yml
-          #  --tag         => local tag, then we re-tag for registries
-          #  podman driver to avoid Docker socket coupling
-          bluebuild build \
-            --debug \
-            --build-driver podman \
-            --inspect-driver skopeo \
-            --signing-driver cosign \
-            recipe.yml
-          # bluebuild tags as `<image-name>:latest` locally. Confirm it
-          # lands and re-tag for both registries.
+          # The action emits the local image as `<recipe-name>:<tag>`.
+          # Confirm it landed, then add registry-prefixed tags.
          podman images
-          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}"
-          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest"
+          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
+          podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true

      - name: Push to Forgejo registry (primary)
        if: success() && github.event_name != 'pull_request' && github.server_url != 'https://github.com'