veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

ci(bluebuild): login to GHCR with PAT, share auth.json into bluebuild

Browse source 
GHCR rate-limited anonymous pulls (403 on bearer token). Login with
the GHCR_PULL_TOKEN secret (s8n-ru read-only PAT), then bind-mount
podman's auth.json into the bluebuild CLI container so its inner
buildah sees the same login.
This commit is contained in:
obsidian-ai 2026-05-06 17:12:16 +01:00
parent ded80c6e15
commit f50f427ff8
1 changed files with 20 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
.github/workflows/build-bluebuild.yml vendored
View file

@ -96,13 +96,21 @@ jobs:
cosign version cosign version
- name: Pre-pull secureblue base image - name: Pre-pull secureblue base image
env:
GHCR_PULL_TOKEN: ${{ secrets.GHCR_PULL_TOKEN }}
run: | run: |
set -euxo pipefail set -euxo pipefail
# GHCR's manifest API rejects anonymous calls from skopeo # GHCR rate-limits anonymous CI pulls (403 on bearer-token).
# ("Not authorized") for some public images — but `podman # Login with a read-only PAT (forgejo secret GHCR_PULL_TOKEN)
# pull` handles the anonymous token dance correctly. Pre-pull # so bluebuild's buildah inside the CLI container also sees a
# the base into local podman storage so bluebuild's # valid auth.json via shared storage bind-mount below.
# templating step finds it without a registry round-trip. if [ -n "${GHCR_PULL_TOKEN:-}" ]; then
echo "$GHCR_PULL_TOKEN" | podman login \
--username s8n-ru \
--password-stdin ghcr.io
else
echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull"
fi
podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
- name: Build OCI image with BlueBuild CLI container - name: Build OCI image with BlueBuild CLI container
@ -120,11 +128,18 @@ jobs:
# CLI container so buildah inside it can see the pre-pulled # CLI container so buildah inside it can see the pre-pulled
# secureblue base layer (avoids GHCR auth round-trip during # secureblue base layer (avoids GHCR auth round-trip during
# templating). # templating).
# Mount podman's auth.json so the bluebuild container can
# authenticate to GHCR via the same login we did above.
AUTH_JSON="${XDG_RUNTIME_DIR:-/run/containers/0}/containers/auth.json"
[ -f "$AUTH_JSON" ] || AUTH_JSON=/root/.config/containers/auth.json
ls -la "$AUTH_JSON" 2>&1 || true
podman run --rm \ podman run --rm \
--privileged \ --privileged \
--entrypoint /usr/bin/bluebuild \ --entrypoint /usr/bin/bluebuild \
-v "$PWD:/work" \ -v "$PWD:/work" \
-v /var/lib/containers/storage:/var/lib/containers/storage \ -v /var/lib/containers/storage:/var/lib/containers/storage \
-v "${AUTH_JSON}:/root/.config/containers/auth.json:ro" \
-w /work \ -w /work \
-e BB_BUILD_DRIVER=buildah \ -e BB_BUILD_DRIVER=buildah \
ghcr.io/blue-build/cli:latest \ ghcr.io/blue-build/cli:latest \