ci(linux/build): self-host the builder image build + iter16 reprepro wrap (M1.1)
Two coupled changes that unblock the M1.1 iter loop. Both belong in CI;
iter1-15 was wrong to require human-in-the-loop steps to make progress.
1. **CI now builds Dockerfile.builder.**
`.gitea/workflows/build-iso-linux.yaml` grows a `builder-image` job
that runs ahead of `build-and-verify`. It rebuilds the silvermetal-
builder image from `linux/build/docker/Dockerfile.builder`, pushes it
to `docker-registry.silverlabs.uk/silvermetal-builder:m1.1-<sha>` (and
`:latest`), reads the resulting digest off `docker inspect`, and
feeds it forward as a job output. `build-and-verify` consumes that
digest as the `BUILDER_IMAGE` env override that `build.sh` already
honours (and validates is digest-form on line ~37).
That kills the old workflow where every Dockerfile.builder change
required a human to `docker build` + `docker push` on 10.0.0.51 by
hand and then bump the digest in `build.sh` in lockstep. The crash
that triggered this (exit 126 mid-iter16 build run) was a symptom of
that off-CI step still existing.
Both jobs run on the existing `silvermetal-builder` runner; the host
docker daemon is shared via DooD and is already authenticated to
`docker-registry.silverlabs.uk` (linux/build/runner/docker-compose.yml
mounts `/root/.docker:/root/.docker:ro`), so no extra login step.
The hardcoded `BUILDER_IMAGE` digest in `build.sh` stays as the
local-developer / offline-rebuild fallback. Comments updated in
`build.sh`, `Dockerfile.builder`, and `linux/build/README.md` to
match the new flow.
2. **reprepro wrapper for the benign "No priority for X" case.**
Pinned derivative-maker's `2100_create-debian-packages` (with
--target iso) re-imports source packages from snapshot.debian.org
into a local apt repo via `reprepro --basedir … includedsc local
<foo>.dsc`. The local repo's `conf/distributions` ships no
`DscOverride` entries, so any source package whose `.dsc` lacks an
explicit Priority field trips:
No priority for 'X', skipping.
There have been errors!
…and reprepro exits 255. dm-reprepro-wrapper bubbles that up,
2100_create-debian-packages aborts. The current offender is
`virtualbox_*.dsc` (key import is now fine — debian-keyring landed in
commit 4aa59ba — but the priority field gap remains). VirtualBox is
not in SilverMetal's `--target iso` set, so the sane behaviour is
"log it, continue".
New `linux/build/docker/silvermetal-reprepro-wrap.sh` shadows
`/usr/bin/reprepro` at `/usr/local/bin/reprepro` (PATH precedence).
It runs the real reprepro, captures merged stdout+stderr, and:
- if rc != 0 AND every non-blank output line matches one of the
known-benign patterns ("No priority for 'X', skipping." plus the
trailing "There have been errors!"), emits the output, logs one
line of explanation to stderr, and exits 0;
- otherwise emits the output and propagates rc unchanged.
Any *other* reprepro error path stays fatal — only the specific
"No priority for X" pattern is neutralised. `dm-reprepro-wrapper`
resolves `reprepro` via `\$PATH` so it picks up the wrapper
transparently.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -4,6 +4,15 @@ name: Build SilverMetal Linux ISO (reproducibility-gated)
|
||||
# isolated directories and gates on byte-identical SHA256. On a tag push, the
|
||||
# verified ISO and its SHA256SUMS are attached to a Gitea release.
|
||||
#
|
||||
# Two-stage:
|
||||
# 1. builder-image — rebuilds linux/build/docker/Dockerfile.builder, pushes
|
||||
# to docker-registry.silverlabs.uk/silvermetal-builder:m1.1-<sha>, and
|
||||
# surfaces the resulting digest as a job output. This is what previously
|
||||
# had to be done by hand on 10.0.0.51 between every iter.
|
||||
# 2. build-and-verify — reproducibility-gated double build, using the
|
||||
# digest from step 1 via the BUILDER_IMAGE env override that build.sh
|
||||
# already supports (and validates is digest-form).
|
||||
#
|
||||
# The release-upload pattern (create-if-not-exists then attach asset) is
|
||||
# lifted from SilverLABS/SilverVPN/.gitea/workflows/build-linux-client.yaml
|
||||
# lines 77-117. Keep them in sync if either changes.
|
||||
@@ -32,11 +41,77 @@ concurrency:
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
builder-image:
|
||||
# Build + push the silvermetal-builder image on the runner host's docker
|
||||
# daemon (DooD via /var/run/docker.sock, mounted into the act_runner job
|
||||
# container by linux/build/runner/docker-compose.yml). The runner host
|
||||
# is also already authenticated to docker-registry.silverlabs.uk via
|
||||
# /root/.docker (mounted read-only into the runner) so `docker push`
|
||||
# works without an explicit login step here.
|
||||
runs-on: silvermetal-builder
|
||||
timeout-minutes: 30
|
||||
outputs:
|
||||
digest: ${{ steps.push.outputs.digest }}
|
||||
image: ${{ steps.push.outputs.image }}
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
# No submodules needed for the builder image — its build context is
|
||||
# only linux/build/docker/.
|
||||
|
||||
- name: Build & push silvermetal-builder
|
||||
id: push
|
||||
env:
|
||||
REGISTRY: docker-registry.silverlabs.uk
|
||||
REPO: silvermetal-builder
|
||||
run: |
|
||||
set -eu
|
||||
TAG="m1.1-${GITHUB_SHA::12}"
|
||||
IMAGE="${REGISTRY}/${REPO}:${TAG}"
|
||||
LATEST="${REGISTRY}/${REPO}:latest"
|
||||
|
||||
echo "Building ${IMAGE}"
|
||||
docker build \
|
||||
-f linux/build/docker/Dockerfile.builder \
|
||||
-t "${IMAGE}" \
|
||||
-t "${LATEST}" \
|
||||
linux/build/docker
|
||||
|
||||
echo "Pushing ${IMAGE}"
|
||||
docker push "${IMAGE}"
|
||||
docker push "${LATEST}"
|
||||
|
||||
# docker inspect's RepoDigests is "repo@sha256:...". Take the
|
||||
# entry that matches the registry/repo we just pushed to (there
|
||||
# may be multiple if the image has been pushed elsewhere too).
|
||||
DIGEST=$(docker inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "${IMAGE}" \
|
||||
| grep "^${REGISTRY}/${REPO}@" \
|
||||
| head -n1 \
|
||||
| sed 's/.*@//')
|
||||
if [ -z "${DIGEST}" ]; then
|
||||
echo "::error::failed to resolve digest for ${IMAGE}" >&2
|
||||
docker inspect "${IMAGE}" >&2 || true
|
||||
exit 1
|
||||
fi
|
||||
echo "Pushed digest: ${DIGEST}"
|
||||
|
||||
{
|
||||
echo "digest=${DIGEST}"
|
||||
echo "image=${REGISTRY}/${REPO}@${DIGEST}"
|
||||
} >> "${GITHUB_OUTPUT}"
|
||||
|
||||
build-and-verify:
|
||||
# Self-hosted, privileged-capable. Setup procedure documented in
|
||||
# linux/build/README.md ("Self-hosted runner setup").
|
||||
needs: builder-image
|
||||
runs-on: silvermetal-builder
|
||||
timeout-minutes: 240
|
||||
env:
|
||||
# Override build.sh's compiled-in pin with the digest we just built &
|
||||
# pushed. build.sh validates the @sha256: form on line ~37 — the
|
||||
# composed value below satisfies that.
|
||||
BUILDER_IMAGE: ${{ needs.builder-image.outputs.image }}
|
||||
|
||||
steps:
|
||||
- name: Checkout (with submodules)
|
||||
@@ -50,7 +125,8 @@ jobs:
|
||||
set -eu
|
||||
echo "commit=$(git rev-parse HEAD)"
|
||||
cat linux/build/config/snapshot-pin.env
|
||||
echo "builder image:"
|
||||
echo "builder image (this run): ${BUILDER_IMAGE}"
|
||||
echo "Dockerfile.builder FROM/snapshot:"
|
||||
grep -E '^FROM |^ARG APT_SNAPSHOT_URL' linux/build/docker/Dockerfile.builder
|
||||
|
||||
- name: Build A
|
||||
|
||||
Reference in New Issue
Block a user