diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index 23af3af..a8c41e4 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -96,13 +96,21 @@ jobs:
 cosign version
 - name: Pre-pull secureblue base image
+ env:
+ GHCR_PULL_TOKEN: ${{ secrets.GHCR_PULL_TOKEN }}
 run: |
 set -euxo pipefail
- # GHCR's manifest API rejects anonymous calls from skopeo
- # ("Not authorized") for some public images — but `podman
- # pull` handles the anonymous token dance correctly. Pre-pull
- # the base into local podman storage so bluebuild's
- # templating step finds it without a registry round-trip.
+ # GHCR rate-limits anonymous CI pulls (403 on bearer-token).
+ # Login with a read-only PAT (forgejo secret GHCR_PULL_TOKEN)
+ # so bluebuild's buildah inside the CLI container also sees a
+ # valid auth.json via shared storage bind-mount below.
+ if [ -n "${GHCR_PULL_TOKEN:-}" ]; then
+ echo "$GHCR_PULL_TOKEN" | podman login \
+ --username s8n-ru \
+ --password-stdin ghcr.io
+ else
+ echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull"
+ fi
 podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
 - name: Build OCI image with BlueBuild CLI container
@@ -120,11 +128,18 @@ jobs:
 # CLI container so buildah inside it can see the pre-pulled
 # secureblue base layer (avoids GHCR auth round-trip during
 # templating).
+ # Mount podman's auth.json so the bluebuild container can
+ # authenticate to GHCR via the same login we did above.
+ AUTH_JSON="${XDG_RUNTIME_DIR:-/run/containers/0}/containers/auth.json"
+ [ -f "$AUTH_JSON" ] || AUTH_JSON=/root/.config/containers/auth.json
+ ls -la "$AUTH_JSON" 2>&1 || true
+
 podman run --rm \
 --privileged \
 --entrypoint /usr/bin/bluebuild \
 -v "$PWD:/work" \
 -v /var/lib/containers/storage:/var/lib/containers/storage \
+ -v "${AUTH_JSON}:/root/.config/containers/auth.json:ro" \
 -w /work \
 -e BB_BUILD_DRIVER=buildah \
 ghcr.io/blue-build/cli:latest \
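Review bot: The new `echo "$GHCR_PULL_TOKEN" | podman login` pipeline runs under the `set -euxo pipefail` at the top of the same step, so bash's xtrace writes the expanded command — the PAT value itself — to the job log before podman ever reads it. Runner secret masking may redact an exact match, but that is a best-effort output filter and not something a credential should depend on. Turn tracing off for just that pipeline, e.g. `( set +x; printf '%s' "$GHCR_PULL_TOKEN" | podman login --username s8n-ru --password-stdin ghcr.io )`, which also avoids the trailing newline `echo` appends. The hard-coded `--username s8n-ru` ties the secret to one account; reading it from a variable next to the token would let the credential be rotated or re-homed without a workflow edit. The comment calls the PAT "read-only" — stating the exact scope it should carry (packages read only) there lets a reviewer check the stored secret against it.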
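Review bot: The added `-v "${AUTH_JSON}:/root/.config/containers/auth.json:ro"` is passed unconditionally, but when the login in the previous step was skipped (empty secret) neither candidate path need exist, and the fallback chosen on the `[ -f "$AUTH_JSON" ] ||` line is never itself checked. With a missing bind source podman generally creates the host path as a directory, which would then sit where a later `podman login` on that runner wants to write its auth.json. Gate the flag on the file actually existing by collecting it in an array and splicing `"${AUTH_MOUNT[@]}"` into the `podman run` arguments. Separately, this hands the PAT to a third-party image run `--privileged` and selected by the floating `ghcr.io/blue-build/cli:latest` tag; pinning that reference by digest bounds which code can read the mounted credential. The `podman run` command continues past the end of the hunk.

```shell
AUTH_MOUNT=()
if [ -f "$AUTH_JSON" ]; then
  AUTH_MOUNT=(-v "${AUTH_JSON}:/root/.config/containers/auth.json:ro")
fi
# … unchanged: podman run --rm --privileged --entrypoint … storage bind-mount …
  "${AUTH_MOUNT[@]}" \
  -w /work \
```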