ci: Build as user and copy images to root's podman storage

The install-tests CI job was failing because running `cargo xtask` as root (via sudojust) modified ~/.cargo files with root ownership, causing later cargo commands to fail with permission errors. This change builds container images as the regular user and copies them to root's podman storage using `podman save | sudo podman load`. This avoids cargo cache permission issues while still making images available for privileged tests. Add two new Justfile recipes: - copy-to-rootful: Copy a single image from user to root storage - copy-lbi-to-rootful: Copy all bound images (LBI) to root storage Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2026-02-05 06:45:13 +01:00 · 2026-01-23 15:50:54 -05:00
parent e499b7700e
commit cdb79e852e
2 changed files with 52 additions and 8 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,16 +65,16 @@ jobs:
      - name: Integration tests
        run: |
          set -xeu
-          # Build images to test; TODO investigate doing single container builds
-          # via GHA and pushing to a temporary registry to share among workflows?
-          # Preserve rustup/cargo environment for sudo (rustup needs RUSTUP_HOME to find toolchains)
-          sudojust() { sudo env PATH="$PATH" CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}" RUSTUP_HOME="${RUSTUP_HOME:-$HOME/.rustup}" just "$@"; }
-          sudojust build
-          sudojust build-install-test-image
+          # Build images as regular user, then copy to root's podman storage
+          # This avoids cargo cache permission issues when running cargo as root
+          just build
+          just build-install-test-image
+          just copy-to-rootful localhost/bootc
+          just copy-to-rootful localhost/bootc-install
+          # Copy bound images (LBI) to root's storage for tests that need them
+          just copy-lbi-to-rootful
          sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity

-          # Grant permission
-          sudo chown -R "$(id -u):$(id -g)" /home/runner/work/bootc/bootc
          # TODO move into a container, and then have this tool run other containers
          cargo build --release -p tests-integration

--- a/44
+++ b/44
@@ -282,3 +282,47 @@ _keygen:

 _build-upgrade-image:
    cat tmt/tests/Dockerfile.upgrade | podman build -t {{upgrade_img}} --from={{base_img}} -
+
+# Copy an image from user podman storage to root's podman storage
+# This allows building as regular user then running privileged tests
+[group('testing')]
+copy-to-rootful $image:
+    #!/bin/bash
+    set -euxo pipefail
+
+    # If already running as root, nothing to do
+    if [[ "${UID}" -eq "0" ]]; then
+        echo "Already root, no need to copy image"
+        exit 0
+    fi
+
+    # Check if the image exists in user storage
+    if ! podman image exists "${image}"; then
+        echo "Image ${image} not found in user podman storage" >&2
+        exit 1
+    fi
+
+    # Get the image ID from user storage
+    USER_IMG_ID=$(podman images --filter reference="${image}" --format '{{{{.ID}}')
+
+    # Check if the same image ID exists in root storage
+    ROOT_IMG_ID=$(sudo podman images --filter reference="${image}" --format '{{{{.ID}}' 2>/dev/null || true)
+
+    if [[ "${USER_IMG_ID}" == "${ROOT_IMG_ID}" ]] && [[ -n "${ROOT_IMG_ID}" ]]; then
+        echo "Image ${image} already exists in root storage with same ID"
+        exit 0
+    fi
+
+    # Copy the image from user to root storage
+    # Use podman save/load via pipe (works on systems without machinectl)
+    podman save "${image}" | sudo podman load
+    echo "Copied ${image} to root podman storage"
+
+# Copy all LBI (bound) images to root's podman storage
+[group('testing')]
+copy-lbi-to-rootful:
+    #!/bin/bash
+    set -euxo pipefail
+    for img in {{lbi_images}}; do
+        just copy-to-rootful "$img"
+    done