veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

ci(bluebuild): pre-pull secureblue base + share podman storage

Browse source 
GHCR rejected skopeo's anonymous manifest call from inside the
bluebuild CLI container. Pre-pull the secureblue base on the host
podman (which handles the anonymous token dance), then bind-mount
/var/lib/containers/storage into the bluebuild container so its
buildah sees the cached base layer. Drop deprecated --inspect-driver
flag while we are touching the invocation.
This commit is contained in:
obsidian-ai 2026-05-06 17:09:10 +01:00
parent 48ccabe914
commit ded80c6e15
1 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
.github/workflows/build-bluebuild.yml vendored
View file

@ -95,6 +95,16 @@ jobs:
chmod +x /usr/local/bin/cosign chmod +x /usr/local/bin/cosign
cosign version cosign version
- name: Pre-pull secureblue base image
run: |
set -euxo pipefail
# GHCR's manifest API rejects anonymous calls from skopeo
# ("Not authorized") for some public images — but `podman
# pull` handles the anonymous token dance correctly. Pre-pull
# the base into local podman storage so bluebuild's
# templating step finds it without a registry round-trip.
podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
- name: Build OCI image with BlueBuild CLI container - name: Build OCI image with BlueBuild CLI container
id: bluebuild id: bluebuild
# blue-build/github-action requires docker buildx which podman # blue-build/github-action requires docker buildx which podman
@ -106,16 +116,20 @@ jobs:
# Pull cli image; pinned to v0.9.x at action time. # Pull cli image; pinned to v0.9.x at action time.
podman pull ghcr.io/blue-build/cli:latest podman pull ghcr.io/blue-build/cli:latest
# Mount the repo + podman socket; build with buildah driver. # Mount the repo + podman socket; build with buildah driver.
# Bind host /var/lib/containers/storage into the bluebuild
# CLI container so buildah inside it can see the pre-pulled
# secureblue base layer (avoids GHCR auth round-trip during
# templating).
podman run --rm \ podman run --rm \
--privileged \ --privileged \
--entrypoint /usr/bin/bluebuild \ --entrypoint /usr/bin/bluebuild \
-v "$PWD:/work" \ -v "$PWD:/work" \
-v /var/lib/containers/storage:/var/lib/containers/storage \
-w /work \ -w /work \
-e BB_BUILD_DRIVER=buildah \ -e BB_BUILD_DRIVER=buildah \
ghcr.io/blue-build/cli:latest \ ghcr.io/blue-build/cli:latest \
build \ build \
--build-driver buildah \ --build-driver buildah \
--inspect-driver skopeo \
bluebuild/recipe.yml bluebuild/recipe.yml
# bluebuild CLI tags as <recipe-name>:<tag> in local podman # bluebuild CLI tags as <recipe-name>:<tag> in local podman
# storage. List + verify, then re-tag for the registries. # storage. List + verify, then re-tag for the registries.