Previously, the CI workflow granted packages:write permission at the workflow level, making GITHUB_TOKEN with write access available to all jobs including those running on pull requests. While the actual push steps were gated with conditionals, malicious PR code could use the token to push arbitrary images to ghcr.io.

Split image publishing into a dedicated build-and-publish.yml workflow that only runs on push to main, with no PR execution. This follows GitHub security best practices by isolating write credentials from untrusted PR code.

The new workflow builds and publishes all image variants using a simple matrix with explicit exclude for centos-9 UKI (broken per #1812).

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
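The workflow-scope problem the commit message describes, shown as an added illustration of the weak layout beside the split layout it moves to. These are not bootc's actual workflow files: job names, the ghcr.io/example/image name, the `make test` step and the matrix variant and flavor values are placeholders chosen for this example, and the exclude entry only mirrors the centos-9 UKI exclusion the message mentions. The three YAML documents stand for three separate files.

```yaml
# Added illustration, not bootc's own CI. Placeholder names throughout.
#
# --- BEFORE (weak): ci.yml -------------------------------------------------
# A `permissions` block at the workflow level applies to every job, so the
# test job, which runs pull-request code, receives a GITHUB_TOKEN with
# packages:write even though only the publish job is meant to push.
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write            # reaches the PR-triggered test job below
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test       # placeholder; PR-controlled code runs here
  publish:
    # The conditional gates this job's steps, not the token handed to `test`.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker push ghcr.io/example/image:latest   # placeholder image
---
# --- AFTER (hardened): ci.yml ----------------------------------------------
# The PR workflow keeps a read-only token and has no publish job at all.
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test       # placeholder
---
# --- AFTER (hardened): build-and-publish.yml -------------------------------
# Triggered only by push to main; there is no pull_request trigger, so PR
# code never executes in a job that holds this token. Write scope is
# granted at the job level rather than the workflow level.
name: Build and publish
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write        # only this job, only on main
    strategy:
      matrix:
        variant: [fedora, centos-9]      # placeholder variant names
        flavor: [standard, uki]          # placeholder flavor names
        exclude:
          - variant: centos-9            # mirrors the commit's centos-9 UKI
            flavor: uki                  # exclusion; values are placeholders
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          IMAGE=ghcr.io/example/image:${{ matrix.variant }}-${{ matrix.flavor }}
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

One caveat when reading the before layout: by default GitHub already issues a read-only GITHUB_TOKEN to pull_request runs from public forks regardless of the permissions block, so the exposure there is pull requests opened from branches in the same repository (and any pull_request_target job, which runs with the base repository's token). The split removes the write scope from PR-triggered workflows entirely instead of relying on that default.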
bootc
Transactional, in-place operating system updates using OCI/Docker container images.
Motivation
The original Docker container model of using "layers" to model applications has been extremely successful. This project aims to apply the same technique for bootable host systems - using standard OCI/Docker containers as a transport and delivery format for base operating system updates.
The container image includes a Linux kernel (in e.g. /usr/lib/modules),
which is used to boot. At runtime on a target system, the base userspace is
not itself running in a "container" by default. For example, assuming
systemd is in use, systemd acts as pid1 as usual - there's no "outer" process.
More about this in the docs; see below.
Status
The CLI and API are considered stable. We will ensure that every existing system can be upgraded in place seamlessly across any future changes.
Documentation
See the project documentation.
Versioning
Although bootc is not released to crates.io as a library, version numbers are expected to follow semantic versioning standards. This practice began with the release of version 1.2.0; versions prior may not adhere strictly to semver standards.
Adopters (base and end-user images)
The bootc CLI is just a client system; it is not tied to any particular operating system or Linux distribution. You very likely want to actually start by looking at ADOPTERS.md.
Community discussion
- Github discussion forum for async discussion
- #bootc-dev on CNCF Slack for live chat
- Recurring live meeting hosted on CNCF Zoom each Friday at 15:30 UTC.
This project is also tightly related to the Fedora/CentOS bootc project, and many developers monitor the discussion forums there; in particular there is a Matrix channel and a weekly video call meeting: https://docs.fedoraproject.org/en-US/bootc/community/.
Developing bootc
Are you interested in working on bootc? Great! See our CONTRIBUTING.md guide. There is also a list of MAINTAINERS.md.
Governance
See GOVERNANCE.md for project governance details.
Code of Conduct
The bootc project is a Cloud Native Computing Foundation (CNCF) Sandbox project and adheres to the CNCF Community Code of Conduct.
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage.
