Merge pull request 'Attempt: Use Vanilla Silverblue as Base' (#1) from vanilla-silverblue-base into main

Reviewed-on: https://davejansen.dev/davejansen/fedora-bootc/pulls/1

Update cron schedule so builds only run every three days

Attempt: Add custom containers-policy.json

Actually copy cosign.pub into the build context

Move containers policy file to the right place

Oops :D

Ensure the correct tags are set with new builds

Add my own registries.d policy file, too

Temporarily stop removing system-installed Firefox

I'm trying to debug why my
system-installed-1Password-and-Firefox-flatpak "hack" doesn't work on my
bootc image.

Borrow certain `/etc/passwd` and `/etc/group` clean-up steps from `hhd-dev/rechunk`

One step back

Further reduce. Re-remove system-installed Firefox

Attempt: Separate cleanup step

Add some debug echos, trigger cleanup while mounts are present

Temporarily only look at /etc/group

Attempt to re-add (optionally) writing `passwd` changes

I always forget.

Sunk cost fallacy

"Let's try this again"

I give up. For now.
2025-11-13 18:54:44 +09:00
7 changed files with 219 additions and 71 deletions


@@ -5,7 +5,7 @@ on:
branches:
- main
schedule:
- cron: "05 10 * * *" # 10:05am UTC everyday
- cron: "05 4 */3 * *" # 4:05am every three days.
push:
branches:
- main
@@ -50,16 +50,6 @@ jobs:
echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV}
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV}
# Pre-create Podman's auth file directory and file, this is somehow needed here.
#mkdir -p /tmp/podman-run-0/containers
#echo "{}" > /tmp/podman-run-0/containers/auth.json
# Pre-create docker config file
#mkdir -p ~/.docker
#echo "{}" > ~/.docker/config.json
#touch /tmp/podman-run-0/containers/auth.json
# These stage versions are pinned by https://github.com/renovatebot/renovate
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -83,11 +73,10 @@ jobs:
with:
# This generates all the tags for your image, you can add custom tags here too!
tags: |
# set latest tag for main branch
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
type=sha,enable=${{ github.event_name == 'pull_request' }}
type=raw,value=latest
type=raw,value=${{ env.FEDORA_BASE }}
type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}}
type=sha,enable=${{ github.event_name == 'pull_request' }}
type=ref,event=pr
labels: |
io.artifacthub.package.readme-url=${{ env.README_URL }}
@@ -123,6 +112,7 @@ jobs:
image: ${{ env.IMAGE_NAME }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
#labels: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}"
extra-args: --isolation=chroot
oci: false
@@ -132,25 +122,21 @@ jobs:
# You can enable it by uncommenting the following lines:
# - name: Run Rechunker
# id: rechunk
# uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1
# uses: hhd-dev/rechunk@v1.2.4
# with:
# rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1'
# ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
# prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}"
# rechunk: "ghcr.io/hhd-dev/rechunk:v1.2.4"
# ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}"
# prev-ref:
# "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE
# }}"
# skip_compression: true
# version: ${{ env.CENTOS_VERSION }}
# version: ${{ env.FEDORA_BASE }}
# labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator
# This is necessary so that the podman socket can find the rechunked image on its storage
# - name: Load in podman and tag
# run: |
# IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
# sudo rm -rf ${{ steps.rechunk.outputs.output }}
# for tag in ${{ steps.metadata.outputs.tags }}; do
# podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
# done
- name: Login to Container Registry
if:
github.event_name != 'pull_request' && github.ref ==
format('refs/heads/{0}', github.event.repository.default_branch)
run: |
podman login \
--verbose \