Colin Walters cdb79e852e ci: Build as user and copy images to root's podman storage
The install-tests CI job was failing because running `cargo xtask`
as root (via sudojust) modified ~/.cargo files with root ownership,
causing later cargo commands to fail with permission errors.

This change builds container images as the regular user and copies
them to root's podman storage using `podman save | sudo podman load`.
This avoids cargo cache permission issues while still making images
available for privileged tests.

Add two new Justfile recipes:
- copy-to-rootful: Copy a single image from user to root storage
- copy-lbi-to-rootful: Copy all bound images (LBI) to root storage

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
2026-01-26 17:29:56 -05:00


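# CI Workflow for bootc
#
# Core principles:
# - Everything done here should be easy to replicate locally. Most tasks
#   should invoke `just <something>`. Read the Justfile for more explanation
#   of this.
# - Most additions to this should be extending existing tasks; e.g.
#   there's places for unit and integration tests already.
#
# NOTE(review): every action used below is referenced by a mutable tag or
# branch (`@v6`, `@v2`, `@main`), so a new release of the action, or a push to
# `main` of bootc-dev/actions, changes what this workflow executes. Pinning to
# a full commit SHA (keeping the tag in a trailing comment) would make the
# action supply chain reproducible.
name: CI
# Explicit GITHUB_TOKEN permissions: only `actions: read` is granted; scopes
# not listed here default to none.
permissions:
  actions: read
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch: {}
env:
  CARGO_TERM_COLOR: always
  # Something seems to be setting this in the default GHA runners, which breaks bcvk
  # as the default runner user doesn't have access
  LIBVIRT_DEFAULT_URI: "qemu:///session"
  DEV_IMAGE: ghcr.io/bootc-dev/dev-bootc
# One in-flight run per pull request (or per ref for pushes); a newer run
# cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  # Run basic validation checks (linting, formatting, etc)
  validate:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Validate (default)
        run: just validate
  # Check for security vulnerabilities and license compliance
  cargo-deny:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          log-level: warn
          # `-A duplicate` allows the duplicate-crate lint; the bans, sources
          # and licenses checks are what gate this job.
          command: check -A duplicate bans sources licenses
  # Test bootc installation scenarios and fsverity support
  # TODO convert to be an integration test
  # These steps deliberately mutate the (ephemeral) runner: fsverity is enabled
  # on the root filesystem and `bootc install to-existing-root` is run against it.
  install-tests:
    name: "Test install"
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Enable fsverity for /
        run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
      - name: Install utils
        run: sudo apt -y install fsverity just
      - name: Integration tests
        run: |
          # pipefail: the default `run:` shell does not set it, so without it a
          # failing `find` in the `find | while` pipeline below would be masked
          # by the loop's exit status.
          set -xeuo pipefail
          # Build images as regular user, then copy to root's podman storage
          # This avoids cargo cache permission issues when running cargo as root
          just build
          just build-install-test-image
          just copy-to-rootful localhost/bootc
          just copy-to-rootful localhost/bootc-install
          # Copy bound images (LBI) to root's storage for tests that need them
          just copy-lbi-to-rootful
          sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
          # TODO move into a container, and then have this tool run other containers
          cargo build --release -p tests-integration
          df -h /
          sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
          sudo rm target -rf
          df -h /
          # The ostree-container tests
          sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
            --tmpfs /var/lib/containers \
            -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/crates/ostree-ext/ci/priv-integration.sh
          # Nondestructive but privileged tests
          sudo bootc-integration-tests host-privileged localhost/bootc-install
          # Install tests
          sudo bootc-integration-tests install-alongside localhost/bootc-install
          # system-reinstall-bootc tests
          cargo build --release -p system-reinstall-bootc
          # not sure why this is missing in the ubuntu image but just creating this directory allows the tests to pass
          sudo mkdir -p /run/sshd
          sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
          # These tests may mutate the system live so we can't run in parallel
          sudo bootc-integration-tests system-reinstall localhost/bootc --test-threads=1
          # And the fsverity case
          sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \
            --acknowledge-destructive --skip-fetch-check
          # Crude cross check: every committed object must carry a verity digest.
          # `read -r` and the quoted "$f" keep paths intact even if one ever
          # contained whitespace or backslashes.
          sudo find /ostree/repo/objects -name '*.file' -type f | while read -r f; do
            sudo fsverity measure "$f" >/dev/null
          done
  # Test that we can build documentation
  docs:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Build mdbook
        run: just build-mdbook
  # Build packages for each test OS
  package:
    strategy:
      fail-fast: false
      matrix:
        test_os: [fedora-43, fedora-44, centos-9, centos-10]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
      - name: Build packages (and verify build system)
        run: just check-buildsys
      - name: Upload package artifacts
        uses: actions/upload-artifact@v6
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/*.rpm
          # Only consumed by the downstream jobs of this same run.
          retention-days: 1
  # Build bootc from source into a container image FROM each specified base `test_os`
  # running unit and integration tests (using TMT, leveraging the support for nested virtualization
  # in the GHA runners)
  test-integration:
    needs: package
    strategy:
      fail-fast: false
      matrix:
        # No fedora-44 due to https://bugzilla.redhat.com/show_bug.cgi?id=2429501
        test_os: [fedora-43, centos-9, centos-10]
        variant: [ostree, composefs-sealeduki-sdboot]
        exclude:
          # centos-9 UKI is experimental/broken (https://github.com/bootc-dev/bootc/issues/1812)
          - test_os: centos-9
            variant: composefs-sealeduki-sdboot
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      - name: Install tmt
        # NOTE(review): unpinned install from PyPI; a version pin (or a
        # hash-checked requirements file) would make this step reproducible.
        run: pip install --user "tmt[provision-virtual]"
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base ${{ matrix.test_os }})
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=${{ matrix.variant }}" >> "$GITHUB_ENV"
          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            BUILDROOTBASE=$(just pullspec-for-os buildroot-base ${{ matrix.test_os }})
            echo "BOOTC_buildroot_base=${BUILDROOTBASE}" >> "$GITHUB_ENV"
          fi
      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-${{ matrix.test_os }}
          path: target/packages/
      - name: Build container
        run: |
          BOOTC_SKIP_PACKAGE=1 just build
          # Extra cross-check (duplicating the integration test) that we're using the right base
          used_vid=$(podman run --rm localhost/bootc bash -c '. /usr/lib/os-release && echo ${ID}-${VERSION_ID}')
          test "${{ matrix.test_os }}" = "${used_vid}"
      - name: Unit and container integration tests
        run: just test-container
      - name: Validate composefs digest (sealed UKI only)
        if: matrix.variant == 'composefs-sealeduki-sdboot'
        run: just validate-composefs-digest
      - name: Run TMT integration tests
        run: |
          if [ "${{ matrix.variant }}" = "composefs-sealeduki-sdboot" ]; then
            just test-composefs
          else
            just test-tmt integration
          fi
          just clean-local-images
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          # NOTE(review): env.ARCH is not set in this file — presumably exported
          # by bootc-ubuntu-setup; confirm, otherwise the name ends in "-".
          # On push runs github.event.number is empty.
          name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ matrix.variant }}-${{ env.ARCH }}
          path: /var/tmp/tmt
  # Test bootc install on Fedora CoreOS (separate job to avoid disk space issues
  # when run in the same job as test-integration).
  # Uses fedora-43 as it's the current stable Fedora release matching CoreOS.
  test-coreos:
    needs: package
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Bootc Ubuntu Setup
        uses: bootc-dev/actions/bootc-ubuntu-setup@main
        with:
          libvirt: true
      - name: Install tmt
        # NOTE(review): unpinned install from PyPI, same as in test-integration.
        run: pip install --user "tmt[provision-virtual]"
      - name: Setup env
        run: |
          BASE=$(just pullspec-for-os base fedora-43)
          echo "BOOTC_base=${BASE}" >> "$GITHUB_ENV"
          echo "BOOTC_variant=ostree" >> "$GITHUB_ENV"
      - name: Download package artifacts
        uses: actions/download-artifact@v7
        with:
          name: packages-fedora-43
          path: target/packages/
      - name: Build container and test on CoreOS
        run: |
          BOOTC_SKIP_PACKAGE=1 just build
          just build-testimage-coreos target/packages
          just test-tmt-on-coreos plan-bootc-install-on-coreos
          just clean-local-images
      - name: Archive TMT logs
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: tmt-log-PR-${{ github.event.number }}-fedora-43-coreos-${{ env.ARCH }}
          path: /var/tmp/tmt
  # Sentinel job for required checks - configure this job name in repository settings
  required-checks:
    if: always()
    needs: [cargo-deny, validate, package, test-integration, test-coreos]
    # Pinned to the same runner image as every other job instead of the
    # floating `ubuntu-latest` label.
    runs-on: ubuntu-24.04
    steps:
      # Fail unless every gated job succeeded; `always()` above makes this run
      # even when a dependency was cancelled or skipped, so those fail too.
      - run: exit 1
        if: >-
          needs.cargo-deny.result != 'success' ||
          needs.validate.result != 'success' ||
          needs.package.result != 'success' ||
          needs.test-integration.result != 'success' ||
          needs.test-coreos.result != 'success'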