When `--src-imgref` is passed, the deployed systemd does not match the
running environment. In this case, let's run bootupd from inside
the deployment. This makes sure we are using the binaries
shipped in the image (and relevant config files such as grub fragments).
We use bwrap to set up the chroot for easier handling of the API
filesystems.
We could do that in all cases but I kept it behind the `--src-imgref`
option since when using the target container as the buildroot it will
have no impact, and we expect this scenario to be the most common.
In CoreOS we have a specific test that checks if the bootloader was
installed with the `grub2-install` of the image.
Fixes https://github.com/bootc-dev/bootc/issues/1559
Also see https://github.com/bootc-dev/bootc/issues/1455
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
Move `cargo build --release -p tests-integration` to run before
`sudo podman build` to avoid cargo registry permission issues.
The tests-integration binary doesn't depend on the fsverity image,
so this reordering has no functional impact on the test flow.
Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
The install-tests CI job was failing because running `cargo xtask`
as root (via sudojust) modified ~/.cargo files with root ownership,
causing later cargo commands to fail with permission errors.
This change builds container images as the regular user and copies
them to root's podman storage using `podman save | sudo podman load`.
This avoids cargo cache permission issues while still making images
available for privileged tests.
Add two new Justfile recipes:
- copy-to-rootful: Copy a single image from user to root storage
- copy-lbi-to-rootful: Copy all bound images (LBI) to root storage
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
I want to be able to write build rules in Rust that may be
invoked from outside of a container build, but in the default
GHA runners Rust is installed via `rustup` which lives just in
the `runner` user's homedir.
When using `sudo` it resets `$PATH` so we lose access to it.
Fix this by passing `$PATH` in.
Assisted-by: OpenCode (claude-sonnet-4-20250514)
Signed-off-by: Colin Walters <walters@verbum.org>
We changed how composefs digests are computed to ensure that
mounted filesystem via --mount=type=image and install-time view
(OCI tar layer processing from containers-storage) match.
There were various problems like differing metadata for `/`
among other things.
Signed-off-by: Colin Walters <walters@verbum.org>
Due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
This reverts the prior change to make the test non-gating
because the problem is we'd consistently fail to do a bootc install
*for each test* which dramatically slowed down that job.
We could fix that but it's easier to just disable the job.
Signed-off-by: Colin Walters <walters@verbum.org>
Add a `gating` matrix property to test-integration jobs.
Jobs with `gating: false` use `continue-on-error: true`, allowing
them to fail without blocking PR merges.
Mark fedora-44 as non-gating due to a grub2 regression in the base
image (https://bugzilla.redhat.com/show_bug.cgi?id=2429501).
Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters <walters@verbum.org>
When cargo-binstall fetches pre-built binaries from GitHub, it can hit
API rate limits (403 Forbidden) when unauthenticated. This causes it to
fall back to building from source, which fails for mdbook-linkcheck
because the devenv container lacks openssl-devel and the perl modules
needed to build OpenSSL from source.
Pass the GitHub Actions token through to the container build as a secret,
allowing cargo-binstall to make authenticated requests with higher rate
limits.
Assisted-by: OpenCode (claude-sonnet-4-20250514)
Signed-off-by: Colin Walters <walters@verbum.org>
The CoreOS install test was previously run conditionally within the
test-integration matrix job. Running it separately avoids disk space
issues that can occur when both tests run in the same job, as the
CoreOS test requires building additional container images.
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Remove the separate build-from-packages and _build-from-package helper
recipes. The build logic is now inlined directly in the build recipe.
Add BOOTC_SKIP_PACKAGE=1 environment variable support to skip the
package build step when packages are provided externally (e.g. from
CI artifacts). This is used in ci.yml for the test-integration job.
Assisted-by: OpenCode (Sonnet 4)
Signed-off-by: Colin Walters <walters@verbum.org>
The previous commit consolidated test content (nushell, cloud-init, etc.)
into the base image. This completes that work by removing the separate
`build-integration-test-image` target and updating all references.
Now `just build` produces the complete test-ready image directly,
simplifying the build pipeline and eliminating the intermediate
`localhost/bootc-integration` image.
Also adds SKIP_CONFIGS support for the coreos testing workflow, which
skips LBIs, test kargs, and install configs that would conflict with FCOS.
Signed-off-by: Colin Walters <walters@verbum.org>
Pass SOURCE_DATE_EPOCH from git commit timestamp through to rpmbuild,
enabling bit-for-bit reproducible RPM builds. This is useful for
verification and caching.
Then fix the idempotency of the default `just build` to ensure
we're not incorrectly invalidating caches.
Add `just check-buildsys` command that builds packages twice and
verifies checksums match, confirming reproducibility. The CI package
job now uses this to catch regressions.
Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
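The "build twice and compare checksums" check described above, as an added example that is not bootc's own Justfile or CI code. It assumes a build command that accepts an output directory as its last argument and honours `SOURCE_DATE_EPOCH` (for RPMs, rpmbuild uses it for file mtimes and the build time header); `epoch_from_git` assumes a git checkout, and the two `*_build` functions are constructed stand-ins for a real build so the check can be exercised without rpmbuild:

```shell
#!/bin/sh
# Added example (not bootc's own Justfile/CI code): build twice under the
# same SOURCE_DATE_EPOCH and fail if any output checksum differs.
set -eu

# SOURCE_DATE_EPOCH from the HEAD commit timestamp (assumes a git checkout).
epoch_from_git() {
    git log -1 --format=%ct
}

# checksum_tree DIR: "sha256  ./relative/path" for every file, sorted by path
checksum_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# check_reproducible EPOCH BUILD_CMD [ARGS...]
#   Runs "BUILD_CMD ARGS... OUTDIR" twice with SOURCE_DATE_EPOCH=EPOCH, each
#   time into a fresh OUTDIR, and compares the two checksum manifests.
#   Returns 0 when identical, 1 otherwise (the diff is printed).
check_reproducible() {
    epoch=$1; shift
    export SOURCE_DATE_EPOCH="$epoch"
    work=$(mktemp -d)
    for n in 1 2; do
        mkdir -p "$work/out$n"
        "$@" "$work/out$n"
        checksum_tree "$work/out$n" > "$work/sums$n"
    done
    if diff -u "$work/sums1" "$work/sums2"; then
        rm -rf "$work"
        return 0
    fi
    echo "build is not reproducible (see diff above)" >&2
    rm -rf "$work"
    return 1
}

# Constructed stand-ins for a real build (e.g. `just build`); a real hook
# would invoke rpmbuild/podman here instead of writing a text file.
# Reproducible: output depends only on the inputs and SOURCE_DATE_EPOCH.
deterministic_build() {
    printf 'built at %s\n' "$SOURCE_DATE_EPOCH" > "$1/pkg.txt"
}
# Not reproducible: embeds a per-run nonce, like an unpinned build timestamp.
nondeterministic_build() {
    printf 'built at %s nonce %s\n' "$(date +%s)" \
        "$(od -An -N8 -tx1 /dev/urandom)" > "$1/pkg.txt"
}

# Usage against a real build:  check_reproducible "$(epoch_from_git)" just build
```

Checksumming only file contents is enough here because an RPM embeds its own file mtimes and build time, so any leak of wall-clock time into the package shows up as a different package checksum. Running the two builds in sequence in the same checkout also catches caches that are invalidated by build-time side effects.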
Main goal is to reduce signing logic duplication between the systemd-boot
and UKI generation.
However, this quickly snowballed into wanting to actually verify
by providing custom secure boot keys to bcvk that things worked.
This depends on https://github.com/bootc-dev/bcvk/pull/170
Now as part of that, I ran into what I think are bugs in pesign;
this cuts things back over to using sbsign. I'll file a tracker for that
separately.
Finally as part of this, just remove the TMT example that builds
a sealed image but doesn't actually verify it works - it's already
drifted from what we do outside here. Ultimately what we need
is to shift some of this into the Fedora examples and we just
fetch it here anyways.
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
This splits the RPM package building into a separate CI job that runs
before the integration tests. The built packages are then downloaded
and used by the integration test jobs, avoiding redundant builds.
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Consolidate test-integration and test-integration-cfs into a single job
using a unified matrix (test_os × variant) matching the structure of
build-and-publish.yml. This eliminates code duplication and simplifies
maintenance.
Updated required-checks sentinel to depend only on the unified job.
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Previously, the CI workflow granted packages:write permission at the
workflow level, making GITHUB_TOKEN with write access available to all
jobs including those running on pull requests. While the actual push
steps were gated with conditionals, malicious PR code could use the
token to push arbitrary images to ghcr.io.
Split image publishing into a dedicated build-and-publish.yml workflow
that only runs on push to main, with no PR execution. This follows
GitHub security best practices by isolating write credentials from
untrusted PR code.
The new workflow builds and publishes all image variants using a simple
matrix with explicit exclude for centos-9 UKI (broken per #1812).
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
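A small lint for the misconfiguration described above, as an added example that is not part of bootc's CI: it flags any workflow file that both runs on `pull_request` (or `pull_request_target`) and grants a write permission at the workflow level, which is exactly the combination that hands a write-capable `GITHUB_TOKEN` to untrusted PR code. It only inspects top-level `on:` and `permissions:` keys, so job-level `permissions:` blocks under `jobs:` are deliberately out of scope, and the awk pattern match is an assumption about plainly formatted YAML rather than a full parser:

```shell
#!/bin/sh
# Added example (not bootc's CI code): flag GitHub Actions workflows that
# grant write permissions at the workflow level while also running on
# pull_request, exposing a write-capable GITHUB_TOKEN to untrusted PR code.
set -u

# audit_workflow FILE
#   Prints "FILE: pr=<0|1> write=<0|1>" and returns 1 when both are set.
#   Only top-level (column 0) `on:` and `permissions:` keys are inspected.
audit_workflow() {
    file=$1
    set -- $(awk '
        /^[^ \t#]/ { top = $1 }                                  # current top-level key
        !/^[ \t]*#/ && top == "on:" && /pull_request/ { pr = 1 } # PR-triggered (incl. pull_request_target)
        !/^[ \t]*#/ && top == "permissions:" && /write/ { wr = 1 } # write-all or <scope>: write
        END { print pr + 0, wr + 0 }
    ' "$file")
    printf '%s: pr=%s write=%s\n' "$file" "$1" "$2"
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then
        printf '  RISK: write-capable GITHUB_TOKEN reachable from pull_request jobs\n' >&2
        return 1
    fi
    return 0
}

# audit_dir REPO: audit every workflow under REPO/.github/workflows;
# returns 1 if any workflow is risky.
audit_dir() {
    rc=0
    for f in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
        [ -e "$f" ] || continue
        audit_workflow "$f" || rc=1
    done
    return $rc
}

# Usage:  audit_dir /path/to/checkout
```

The safe shape the commit lands on passes this check: the PR-facing workflow keeps `permissions: contents: read` at the top level, and `packages: write` lives only in a workflow whose `on:` block is `push` to `main`. Conditionals on individual steps do not help because the token is minted for the whole job, not for the guarded step.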
It'll be really handy to have reference images which are tracking git main
of bootc for all the streams.
(TODO: switch these to be multi-arch at least for amd64, or
maybe we should use Konflux to do this)
Signed-off-by: Colin Walters <walters@verbum.org>
This copies the approach taken in bcvk, so when we change
our CI jobs I don't need to go and manually edit the GH configuration.
(A followup step here is to have automation to cut over all repositories
to do things this way)
Signed-off-by: Colin Walters <walters@verbum.org>
Part 1: Use bcvk
For local tests, right now testcloud+tmt doesn't support UEFI, see
https://github.com/teemtee/tmt/issues/4203
This is a blocker for us doing more testing with UKIs.
In this patch we switch to provisioning VMs with bcvk, which
fixes this - but beyond that a really compelling thing about
this is that bcvk is *also* designed to be ergonomic and efficient
beyond just being a test runner, with things like virtiofs
mounting of host container storage, etc.
In other words, bcvk is the preferred way to run local virt
with bootc, and this makes our TMT tests use it.
Now a major downside of this though is we're effectively
implementing a new "provisioner" for tmt (bypassing the
existing `virtual`). In the more medium term I think we
want to add `bcvk` as a provisioner option to tmt.
Anyways for now, this works by discovering test plans via `tmt plan ls`,
spawning a separate VM per test, and then using tmt's connect
provisioner to run tests targeting these externally provisioned
systems.
Part 2: Rework the Justfile and Dockerfile
This adds `base` and `variant` arguments which are propagated through
the system, and we have a new `variant` for sealed composefs.
The readonly tests now pass with composefs.
Drop the continuous repo tests...as while we could keep
that it's actually a whole *other* entry in this matrix.
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
In the future, we may want to "shard" tests across multiple runners,
but as is right now it's basically just adding overhead to copy
the disk image as an artifact across the job.
While we're here, clean things up further to match the general
principle that GHA flows should mostly just be running `just`.
The logic from build.sh to map from strings -> containers though
moves into the GHA for now.
Signed-off-by: Colin Walters <walters@verbum.org>
Motivation is faster provisioning and easier to debug
when something goes wrong.
Also cleanup the codeql cache.
Signed-off-by: Colin Walters <walters@verbum.org>
- Change the install logic to detect UKIs and automatically
enable composefs
- Change the install logic to detect absence of bootupd
and default to installing systemd-boot
- Move sealing bits to the toplevel
- Add Justfile entrypoints
- Add basic end-to-end CI coverage (install + run) using
our integration tests
- Change lints to ignore `/boot/EFI`
Signed-off-by: Colin Walters <walters@verbum.org>
- Use bash strict mode more consistently
- Drop the error redirections which can mask problems as
recommended by AI
Signed-off-by: Colin Walters <walters@verbum.org>
Make builds unprivileged by default and start using bcvk in
our own CI, the same way we expect people to do so locally
now.
Signed-off-by: Colin Walters <walters@verbum.org>