diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index ab6ae26..3068b0d 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -95,26 +95,29 @@ jobs:
 chmod +x /usr/local/bin/cosign
 cosign version
- - name: Build OCI image with BlueBuild action
+ - name: Build OCI image with BlueBuild CLI container
 id: bluebuild
- # Composite action — runs podman + buildah inside; works on
- # Forgejo runner same as GH-hosted. Pinned to commit SHA per
- # the v0.5 CI hardening pass.
- uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
- with:
- recipe: bluebuild/recipe.yml
- # registry_token is consumed by the action to publish; for
- # the Forgejo path we re-tag + push manually below, so this
- # token only matters for the GH-mirror path.
- registry_token: ${{ secrets.GITHUB_TOKEN }}
- pr_event_number: ${{ github.event.number }}
- maximize_build_space: false
-
- - name: Re-tag local OCI for Forgejo + GHCR
+ # blue-build/github-action requires docker buildx which podman
+ # doesn't ship. Run the official BlueBuild CLI container with
+ # buildah driver instead — works against rootless or rootful
+ # podman, no docker dependency.
 run: |
 set -euxo pipefail
- # The action emits the local image as `:`.
- # Confirm it landed, then add registry-prefixed tags.
+ # Pull cli image; pinned to v0.9.x at action time.
+ podman pull ghcr.io/blue-build/cli:latest
+ # Mount the repo + podman socket; build with buildah driver.
+ podman run --rm \
+ --privileged \
+ -v "$PWD:/work" \
+ -w /work \
+ -e BB_BUILD_DRIVER=buildah \
+ ghcr.io/blue-build/cli:latest \
+ build \
+ --build-driver buildah \
+ --inspect-driver skopeo \
+ bluebuild/recipe.yml
+ # bluebuild CLI tags as : in local podman
+ # storage. List + verify, then re-tag for the registries.
 podman images
 podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
 podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true
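Review bot: The new build step pulls `ghcr.io/blue-build/cli:latest` by mutable tag and runs it with `--privileged`, so whoever can publish that tag gets root-equivalent access to the runner — a regression from the commit-SHA pin the removed `uses:` line carried, and the comment `# Pull cli image; pinned to v0.9.x at action time.` does not describe the code beneath it. Pin the image by digest and reference it once, e.g. `BB_CLI='ghcr.io/blue-build/cli@sha256:<digest>'` then `podman pull "$BB_CLI"` and `"$BB_CLI" \` in place of the tag in the `podman run` line (cosign is already installed at the top of the hunk, so a `cosign verify` of that ref is cheap to add if upstream publishes signatures), and reword or drop the `v0.9.x` comment. The `# Mount the repo + podman socket` comment also overstates what follows: only `$PWD` is bind-mounted, no socket, so a reader should not assume the container can talk to the host's podman. Separately, because the build runs inside a `--rm` container with no container storage shared to the host, nothing in this hunk shows the resulting image landing where the host's `podman tag localhost/veilor-os:latest` can see it, and the `|| true` on those tag lines would silently mask an empty build; either share storage explicitly or guard with `podman image exists localhost/veilor-os:latest` before tagging so the step fails loudly.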