From f86e0f5fc60e64faba7a30be3f181cbd8f65e511 Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 17:01:22 +0100
Subject: [PATCH] ci(bluebuild): use ghcr.io/blue-build/cli container instead
 of action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The blue-build/github-action requires docker buildx which podman
doesn't ship. Symlinking podman as docker isn't enough — the action
calls 'docker buildx inspect' / 'docker buildx rm' which podman
doesn't implement. Pull the official BlueBuild CLI container and run
it with --build-driver buildah; works against podman storage with no
docker dependency.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/build-bluebuild.yml | 37 +++++++++++++++------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml
index ab6ae26..3068b0d 100644
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@@ -95,26 +95,29 @@ jobs:
           chmod +x /usr/local/bin/cosign
           cosign version
 
-      - name: Build OCI image with BlueBuild action
+      - name: Build OCI image with BlueBuild CLI container
         id: bluebuild
-        # Composite action — runs podman + buildah inside; works on
-        # Forgejo runner same as GH-hosted. Pinned to commit SHA per
-        # the v0.5 CI hardening pass.
-        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
-        with:
-          recipe: bluebuild/recipe.yml
-          # registry_token is consumed by the action to publish; for
-          # the Forgejo path we re-tag + push manually below, so this
-          # token only matters for the GH-mirror path.
-          registry_token: ${{ secrets.GITHUB_TOKEN }}
-          pr_event_number: ${{ github.event.number }}
-          maximize_build_space: false
-
-      - name: Re-tag local OCI for Forgejo + GHCR
+        # blue-build/github-action requires docker buildx which podman
+        # doesn't ship. Run the official BlueBuild CLI container with
+        # buildah driver instead — works against rootless or rootful
+        # podman, no docker dependency.
         run: |
           set -euxo pipefail
-          # The action emits the local image as `<recipe-name>:<tag>`.
-          # Confirm it landed, then add registry-prefixed tags.
+          # Pull cli image; pinned to v0.9.x at action time.
+          podman pull ghcr.io/blue-build/cli:latest
+          # Mount the repo + podman socket; build with buildah driver.
+          podman run --rm \
+            --privileged \
+            -v "$PWD:/work" \
+            -w /work \
+            -e BB_BUILD_DRIVER=buildah \
+            ghcr.io/blue-build/cli:latest \
+            build \
+              --build-driver buildah \
+              --inspect-driver skopeo \
+              bluebuild/recipe.yml
+          # bluebuild CLI tags as <recipe-name>:<tag> in local podman
+          # storage. List + verify, then re-tag for the registries.
           podman images
           podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
           podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true