ci(bluebuild): login to GHCR with PAT, share auth.json into bluebuild
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 30s
GHCR rate-limited anonymous pulls (403 on bearer token). Login with the GHCR_PULL_TOKEN secret (s8n-ru read-only PAT), then bind-mount podman's auth.json into the bluebuild CLI container so its inner buildah sees the same login. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent 23156f98bf
commit f48e68c3c0
1 changed file with 20 additions and 5 deletions
.github/workflows/build-bluebuild.yml (25 lines changed, vendored)
@ -96,13 +96,21 @@ jobs:
cosign version
- name: Pre-pull secureblue base image
env:
GHCR_PULL_TOKEN: ${{ secrets.GHCR_PULL_TOKEN }}
run: |
set -euxo pipefail
# GHCR's manifest API rejects anonymous calls from skopeo
# ("Not authorized") for some public images — but `podman
# pull` handles the anonymous token dance correctly. Pre-pull
# the base into local podman storage so bluebuild's
# templating step finds it without a registry round-trip.
# GHCR rate-limits anonymous CI pulls (403 on bearer-token).
# Login with a read-only PAT (forgejo secret GHCR_PULL_TOKEN)
# so bluebuild's buildah inside the CLI container also sees a
# valid auth.json via shared storage bind-mount below.
if [ -n "${GHCR_PULL_TOKEN:-}" ]; then
echo "$GHCR_PULL_TOKEN" | podman login \
--username s8n-ru \
--password-stdin ghcr.io
else
echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull"
fi
podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
- name: Build OCI image with BlueBuild CLI container
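Review bot: with `set -euxo pipefail` enabled at the top of this step, xtrace prints every command after expansion, so the `echo "$GHCR_PULL_TOKEN" | podman login ...` line writes the PAT value into the job log unless the runner happens to mask it; run the login with tracing off, e.g. `{ set +x; echo "$GHCR_PULL_TOKEN" | podman login --username s8n-ru --password-stdin ghcr.io; set -x; }`. The comment block above the login now gives two different reasons for the pre-pull (the skopeo "Not authorized" explanation and the new rate-limit one); keep only the one that still applies. The `else` branch merely warns and then falls through to the same anonymous pull that this commit is working around, so a missing or empty secret surfaces later as the 403 rather than as a clear configuration error; consider failing fast there, or at least stating in the warning that the pull is likely to be rate-limited.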
@ -120,11 +128,18 @@ jobs:
# CLI container so buildah inside it can see the pre-pulled
# secureblue base layer (avoids GHCR auth round-trip during
# templating).
# Mount podman's auth.json so the bluebuild container can
# authenticate to GHCR via the same login we did above.
AUTH_JSON="${XDG_RUNTIME_DIR:-/run/containers/0}/containers/auth.json"
[ -f "$AUTH_JSON" ] || AUTH_JSON=/root/.config/containers/auth.json
ls -la "$AUTH_JSON" 2>&1 || true
podman run --rm \
--privileged \
--entrypoint /usr/bin/bluebuild \
-v "$PWD:/work" \
-v /var/lib/containers/storage:/var/lib/containers/storage \
-v "${AUTH_JSON}:/root/.config/containers/auth.json:ro" \
-w /work \
-e BB_BUILD_DRIVER=buildah \
ghcr.io/blue-build/cli:latest \
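Review bot: the `-v "${AUTH_JSON}:/root/.config/containers/auth.json:ro"` mount is unconditional, but `AUTH_JSON` can point at a file that does not exist (the login is skipped when the secret is empty, and neither candidate path is guaranteed to be where `podman login` wrote); podman's `-v` creates a missing host source path as a directory, so buildah inside the CLI container would then find a directory where it expects auth.json and fail to read any credentials, which is a harder failure than an anonymous pull. Either add the `-v` argument only when `[ -f "$AUTH_JSON" ]` holds, or make the location deterministic by passing `--authfile "$AUTH_JSON"` to both `podman login` and `podman pull` in the previous step and mounting that same path here. On the candidate paths themselves: containers-auth.json(5) documents the default as `${XDG_RUNTIME_DIR}/containers/auth.json`, falling back to `/run/containers/$UID/auth.json` when `XDG_RUNTIME_DIR` is unset, so `${XDG_RUNTIME_DIR:-/run/containers/0}/containers/auth.json` expands to `/run/containers/0/containers/auth.json` in that case, which podman never writes, and `/root/.config/containers/auth.json` is only a legacy read location, so the second candidate is unlikely to exist either.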