From a06f54dd795aa56a4fd613cedb7f0ee9c3bbb6af Mon Sep 17 00:00:00 2001
From: obsidian-ai
Date: Wed, 6 May 2026 21:08:59 +0100
Subject: [PATCH] ci(bluebuild): --security-opt label=disable + seccomp=unconfined for files module

BlueBuild's files module fails with 'chmod: Operation not permitted' on its own bind-mounted /tmp/modules/files/files.sh when run under podman. Disable SELinux relabeling + seccomp filter on the bluebuild CLI container so its nested buildah can chmod inside layer mounts.
---
 .github/workflows/build-bluebuild.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index ca8fef6..815092b 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -178,6 +178,8 @@ jobs:
 podman run --rm \
 --privileged \
+ --security-opt label=disable \
+ --security-opt seccomp=unconfined \
 --entrypoint /usr/bin/bluebuild \
 -v "$PWD:/work" \
 -v /var/lib/containers/storage:/var/lib/containers/storage \
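Review bot: The two added `--security-opt` lines sit directly under `--privileged`, which according to the podman-run documentation already turns off SELinux separation and the seccomp filter, so they probably leave the container's confinement unchanged and may not be what resolves the `chmod: Operation not permitted` failure. If they are kept for explicitness, a shell comment above the `podman run` line would record that, for example `# --privileged already implies label=disable and seccomp=unconfined; listed explicitly for the files module's nested buildah`. The step also bind-mounts the runner's `/var/lib/containers/storage` into a fully privileged container, so every module script the build executes runs with host-level reach on the runner. It would be worth testing whether the build passes with `--privileged` replaced by these two options plus only the capabilities and devices buildah needs. The `podman run` command begins before and continues past this hunk, so the image and remaining arguments are not visible here.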