Bonus point, we actually error out when the git command fails.
v2:
- fix curl quoting
- sed match-complete-line-and-remove
- inline update make-dockerfile.sh variables
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Less duplication ftw, specially with multilib-devel on the horizon.
Unfortunately we'd need to tag the file pattern rules as precious,
otherwise make thinks they are intermediate files and nukes them.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
The field is an inline comment, which by default is not present in the
podman log. Plus we do have the exact URL list a couple of lines further
down.
Haven't seen any other Dockerfile have one either, so let's nuke it.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Currently the TEMPLATE_ROOTFS_DOWNLOAD handling is overly complicated.
For the local builds, we set a ROOTFS=$GROUP.tar.zst. While for remote
builds, we:
- invoke curl to fetch the remote tarball - ok
- do curl and shell escaping contortions to prints the filename - ehhh
- that we already now
- and rely upon to not change, otherwise sha256sum will fail
Just use a dummy "true", for the local builds and a normal curl
command otherwise.
v2:
- don't call curl in a sub-shell - no longer needed
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Drop the spurious cat, we already echo the value the like above so it's
pretty clear what it is in the logs.
While here, rename the file to the what's commonly used by us (see the
ISOs) and others, while removing the misleading "rootfs.tar" - we're
having a tar.zst tarball.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Move the cp/ln calls outside of the WRAPPER call block. The files that
are referenced are either disowned by pacman or are explicitly "backup"
files, such that pacman will not override them.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Embedding one pieces of code into another (shell script into a makefiles
in this case) is rarely pretty. Split things up, as appropriate.
While here, simplify the rootfs in a few ways:
- pass only the extra non-base (and effectively group name) package
- add a handy variable for the fakeroot/fakechroot combo
- split and rewrap long lines
As a bonus point, this makes it easier to use pattern rules in the
makefile - which will be handy for the upcoming multilib-devel
group/target.
Plus we can check the scripts via shellcheck/etc CI stage, as follow-up.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
The option was moved the to template and an earlier commit
reintroduced/copied them back seemingly by mistake.
Cc: nl6720 <nl6720@gmail.com>
Fixes: ca9957f ("Do not use secure runners on forks")
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
We use git in the makefile to create the container revision label.
This did not have any affect outside the local containers, since the
official ones use the CI_COMMIT_TAG variable from the CI.
Fixes: 5ec09f5 ("gitlab-ci: install devtools without its dependencies")
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
The file may be useful locally, but for the other stages we don't need
it. Explicitly remove it since it tends to be 3-4x the size of
everything else.
v2
- switch from rm to artefacts:exclude:
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
The identity has been changed[1] to also include the "CI config path"
and the ref path should be the git tag of the release.
Also remove `jq` as it is only nice to have, not needed and it masks the
return code of `cosign verify`.
[1] a4b3e128c1
Fixes: 8317be4 ("Sign the images with sigstore's fulcio/rekor")
The ecosystem is moving towards sigstore and we are federated with the
public fulcio instance[1], so let's sign our images. Cosign is not used,
but the sigstore feature built into podman, which works basically the
same way as cosign.
[1] https://github.com/sigstore/fulcio/pull/1214Fix#77
Currently we use the system mirrorlist for the pacman invocation.
The system config may or may not be identical to the in-tree one - as
one of my dev machines was kind enough to remind me.
The tooling should be self-contained and leak as few builder specific as
possible.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Re-wrap the readme to about 80 columns and use standalone references for
the long URLs. Reduces the eye-bleed for casual contributors.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
The targets never had a docker/oci prefix. Update the PHONY targets in
the Makefile and the README.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
We only need devtools for the pacman.conf. While currently we install a
dozen+ of extra dependencies, weighting in at over 100M.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Had a silly moment a while back, assuming the stage is no longer needed.
That's not the case, so add a brief commit about that.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
