From bbdafbce94ca03df9fbe1b9fc5fcf9eb71da195e Mon Sep 17 00:00:00 2001 From: obsidian-ai Date: Wed, 6 May 2026 16:51:17 +0100 Subject: [PATCH] ci(bluebuild): slim dnf list + install cosign from upstream binary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit dnf5 in Fedora 43 strict-fails when 'already installed' packages appear in -y install. Drop git/curl/tar/sudo (shipped in veilor-build:43 image already) and use --skip-unavailable. cosign isn't packaged in F43 — pull v2.4.1 static binary from upstream. --- .github/workflows/build-bluebuild.yml | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml index daf6738..ce7476c 100644 --- a/.github/workflows/build-bluebuild.yml +++ b/.github/workflows/build-bluebuild.yml @@ -59,16 +59,26 @@ jobs: run: | set -euxo pipefail dnf -y upgrade --refresh - dnf -y install \ + # veilor-build:43 already ships git, curl, tar, sudo, nodejs. + # cosign is not packaged in Fedora 43; we install it from the + # upstream release tarball below in a separate step. + dnf -y install --skip-unavailable \ podman \ buildah \ skopeo \ - jq \ - git \ - curl \ - tar \ - sudo \ - cosign + jq + + - name: Install cosign binary (upstream release) + run: | + set -euxo pipefail + # Fedora 43 has no cosign rpm. Pull static x86_64 binary + # from sigstore/cosign GitHub releases. Pinned to v2.4.1. + COSIGN_VERSION="2.4.1" + curl -fsSL \ + "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" \ + -o /usr/local/bin/cosign + chmod +x /usr/local/bin/cosign + cosign version - name: Install BlueBuild CLI run: |