jbtrystram 0a757685ee install/bootupd: chroot to deployment
When `--src-imgref` is passed, the deployed systemd does not match the
running environment. In this case, let's run bootupd from inside
the deployment. This makes sure we are using the binaries
shipped in the image (and relevant config files such as grub fragments).

We use bwrap to set up the chroot for easier handling of the API
filesystems.

We could do that in all cases but i kept it behind the `--src-imgref`
option since when using the target container as the buildroot it will
have no impact, and we expect this scenario to be the most common.

In CoreOS we have a specific test that checks if the bootloader was
installed with the `grub2-install` of the image.

Fixes https://github.com/bootc-dev/bootc/issues/1559
Also see https://github.com/bootc-dev/bootc/issues/1455

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: jbtrystram <jbtrystram@redhat.com>
2026-02-03 11:07:15 -05:00


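# CI Workflow for bootc
#
# Core principles:
# - Everything done here should be easy to replicate locally. Most tasks
#   should invoke `just <something>`. Read the Justfile for more explanation
#   of this.
# - Most additions to this should be extending existing tasks; e.g.
#   there's places for unit and integration tests already.
#
# Supply-chain notes (review):
# - Every `uses:` below points at a mutable ref (`@v6`, `@v2`, `@main`), so the
#   action code that runs can change underneath this file. Pinning each one to
#   a full commit SHA (tag kept in a trailing comment) makes it immutable; not
#   changed here because the matching SHAs are not recorded in this file.
# - `pip install --user "tmt[provision-virtual]"` is unpinned, so the test
#   harness version may drift between runs.
name: CI

# Explicit GITHUB_TOKEN scopes: listing any permission sets every unlisted
# scope to none. Widen on the individual job that needs more, not here.
permissions:
  actions: read

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch: {}

env:
  CARGO_TERM_COLOR: always
  # Something seems to be setting this in the default GHA runners, which breaks bcvk
  # as the default runner user doesn't have access
  LIBVIRT_DEFAULT_URI: "qemu:///session"
  DEV_IMAGE: ghcr.io/bootc-dev/dev-bootc

# One in-flight run per PR (or per ref for pushes); a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  # Run basic validation checks (linting, formatting, etc)
  validate:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Validate (default)
        run: just validate

  # Check for security vulnerabilities and license compliance
  cargo-deny:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          log-level: warn
          # `-A duplicate` downgrades multiple-version findings to allowed; the
          # bans/sources/licenses checks still fail the job.
          # NOTE(review): `advisories` is not in this list, so RUSTSEC
          # vulnerability advisories are not evaluated by this job despite its
          # description above — confirm that is intended (or checked elsewhere).
          command: check -A duplicate bans sources licenses

  # Test bootc installation scenarios and fsverity support
  # TODO convert to be an integration test
  install-tests:
    name: "Test install"
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Enable fsverity for /
        # Turn on the verity feature for the filesystem backing / so the
        # fsverity measurements below can be taken on the runner itself.
        run: sudo tune2fs -O verity "$(findmnt -vno SOURCE /)"
      - name: Install utils
        run: sudo apt -y install fsverity just
      - name: Integration tests
        run: |
          set -xeu
          # Build images as regular user, then copy to root's podman storage
          # This avoids cargo cache permission issues when running cargo as root
          just build
          just build-install-test-image
          just copy-to-rootful localhost/bootc
          just copy-to-rootful localhost/bootc-install
          # Copy bound images (LBI) to root's storage for tests that need them
          just copy-lbi-to-rootful
          # Build test binaries before any sudo commands to avoid cargo permission issues
          cargo build --release -p tests-integration
          sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
          df -h /
          sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
          # Drop the build tree to free disk space for the install tests below
          # (the df before/after shows the gain); it is rebuilt later as needed.
          sudo rm target -rf
          df -h /
          # The ostree-container tests
          sudo podman run --privileged --pid=host -v /:/run/host -v "$(pwd)":/src:ro -v /var/tmp:/var/tmp \
            --tmpfs /var/lib/containers \
            -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/crates/ostree-ext/ci/priv-integration.sh
          # Nondestructive but privileged tests
          sudo bootc-integration-tests host-privileged localhost/bootc-install
          # Install tests
          sudo bootc-integration-tests install-alongside localhost/bootc-install
          # inspect system state after the install tests.
          sudo lsblk
          sudo mount
          # system-reinstall-bootc tests
          cargo build --release -p system-reinstall-bootc
          # not sure why this is missing in the ubuntu image but just creating this directory allows the tests to pass
          sudo mkdir -p /run/sshd
          sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
          # These tests may mutate the system live so we can't run in parallel
          sudo bootc-integration-tests system-reinstall localhost/bootc --test-threads=1
          # And the fsverity case
          sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \
            --acknowledge-destructive --skip-fetch-check
          # Crude cross check: every committed object file must carry a verity
          # measurement, otherwise `fsverity measure` fails and (via set -e) so does the job.
          # `read -r` and the quoted "$f" keep backslashes/whitespace in paths intact.
          sudo find /ostree/repo/objects -name '*.file' -type f | while read -r f; do
            sudo fsverity measure "$f" >/dev/null
          done

  # Test that we can build documentation
  docs:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Build mdbook
        run: just build-mdbook

  # Build packages for each test OS
  package:
    strategy:
      fail-fast: false
      matrix:
        test_os: [fedora-43, fedora-44, centos-9, centos-10]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
      - name: Build packages (and verify build system)
        run: just check-buildsys
      - name: Upload package artifacts
        uses: actions/upload-artifact@v6
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/*.rpm
          retention-days: 1

  # Build bootc from source into a container image FROM each specified base `test_os`
  # running unit and integration tests (using TMT, leveraging the support for nested virtualization
  # in the GHA runners)
  test-integration:
    needs: package
    strategy:
      fail-fast: false
      matrix:
        # No fedora-44 due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
        test_os: [fedora-43, centos-9, centos-10]
        variant: [ostree, composefs-sealeduki-sdboot]
        exclude:
          # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
          - test_os: centos-9
            variant: composefs-sealeduki-sdboot
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      - name: Install tmt
        # Unpinned; see the supply-chain note at the top of this file.
        run: pip install --user "tmt[provision-virtual]"
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=${{ matrix.variant }}" >> "$GITHUB_ENV"
          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
            echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> "$GITHUB_ENV"
          fi
      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/
      - name: Build container
        run: |
          BOOTC_SKIP_PACKAGE=1 just build
          # Extra cross-check (duplicating the integration test) that we're using the right base
          used_vid=$(podman run --rm localhost/bootc bash -c '. /usr/lib/os-release && echo ${ID}-${VERSION_ID}')
          test "${{ matrix.test_os }}" = "${used_vid}"
      - name: Unit and container integration tests
        run: just test-container
      - name: Validate composefs digest (sealed UKI only)
        if: matrix.variant == 'composefs-sealeduki-sdboot'
        run: just validate-composefs-digest
      - name: Run TMT integration tests
        run: |
          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            just test-composefs
          else
            just test-tmt integration
          fi
          just clean-local-images
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          # `github.event.number` is empty on push/workflow_dispatch runs (the
          # name then contains `PR--`); the matrix suffix still keeps it unique
          # within a run. `env.ARCH` is not set in this file — presumably
          # exported by the setup action; confirm, otherwise the name ends in `-`.
          name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ matrix.variant }}-${{ env.ARCH }}
          path: /var/tmp/tmt

  # Test bootc install on Fedora CoreOS (separate job to avoid disk space issues
  # when run in the same job as test-integration).
  # Uses fedora-43 as it's the current stable Fedora release matching CoreOS.
  test-coreos:
    needs: package
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      - name: Install tmt
        # Unpinned; see the supply-chain note at the top of this file.
        run: pip install --user "tmt[provision-virtual]"
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base fedora-43)
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=ostree" >> "$GITHUB_ENV"
      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-fedora-43
          path: target/packages/
      - name: Build container and test on CoreOS
        run: |
          BOOTC_SKIP_PACKAGE=1 just build
          just build-testimage-coreos target/packages
          just test-tmt-on-coreos plan-bootc-install-on-coreos
          just clean-local-images
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          # Same caveats as the test-integration artifact name (empty
          # `github.event.number` outside PRs, `env.ARCH` set elsewhere).
          name: tmt-log-PR-${{ github.event.number }}-fedora-43-coreos-${{ env.ARCH }}
          path: /var/tmp/tmt

  # Sentinel job for required checks - configure this job name in repository settings
  # NOTE(review): `docs` and `install-tests` are not in `needs`, so their
  # failure does not block merge through this sentinel — confirm intentional.
  required-checks:
    if: always()
    needs: [cargo-deny, validate, package, test-integration, test-coreos]
    runs-on: ubuntu-latest
    steps:
      # `if: always()` above makes this job run even when a dependency was
      # skipped or cancelled; the step then fails unless every result is success.
      - run: exit 1
        if: >-
          needs.cargo-deny.result != 'success' ||
          needs.validate.result != 'success' ||
          needs.package.result != 'success' ||
          needs.test-integration.result != 'success' ||
          needs.test-coreos.result != 'success'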