ci: Build as user and copy images to root's podman storage #1956
cgwalters merged 1 commit into bootc-dev:main from
The install-tests CI job was failing because running `cargo xtask` as root (via sudojust) modified ~/.cargo files with root ownership, causing later cargo commands to fail with permission errors.

This change builds container images as the regular user and copies them to root's podman storage using `podman save | sudo podman load`. This avoids cargo cache permission issues while still making images available for privileged tests.

Add two new Justfile recipes:
- copy-to-rootful: Copy a single image from user to root storage
- copy-lbi-to-rootful: Copy all bound images (LBI) to root storage

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
Code Review
This pull request introduces two new Justfile recipes, copy-to-rootful and copy-lbi-to-rootful, to facilitate copying container images from a user's podman storage to the root user's storage. This is a clever solution to avoid permission issues in CI when tasks need to be run with different privileges. The implementation is solid. I've provided one suggestion to improve the robustness of the image ID comparison by using full image IDs.
| if ! podman image exists "${image}"; then | ||
| echo "Image ${image} not found in user podman storage" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Get the image ID from user storage | ||
| USER_IMG_ID=$(podman images --filter reference="${image}" --format '{{{{.ID}}') | ||
|
|
||
| # Check if the same image ID exists in root storage | ||
| ROOT_IMG_ID=$(sudo podman images --filter reference="${image}" --format '{{{{.ID}}' 2>/dev/null || true) |
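Review bot: Both ID lookups use `podman images --filter reference="${image}"`, which is a pattern filter rather than an exact lookup, so USER_IMG_ID and ROOT_IMG_ID can end up holding several lines when `${image}` matches more than one image, for example a name given without a tag. Resolve the one image that was already confirmed with `podman image exists`, or keep only the first line, before comparing the two values. On the ROOT_IMG_ID line, `2>/dev/null || true` also makes a failing `sudo podman` indistinguishable from "image not present in root storage"; if that fallback is intended, a short comment saying so would help the next reader.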
For improved robustness, it's better to compare full image IDs rather than short IDs to prevent any potential (though unlikely) collisions. You can retrieve the full ID using podman image inspect --format '{{.Id}}'. This change will make the script more reliable.
if ! podman image exists "${image}"; then
echo "Image ${image} not found in user podman storage" >&2
exit 1
fi
# Get the image ID from user storage
USER_IMG_ID=$(podman image inspect --format '{{{{.Id}}}}' "${image}")
# Check if the same image ID exists in root storage
ROOT_IMG_ID=$(sudo podman image inspect --format '{{{{.Id}}}}' "${image}" 2>/dev/null || true)
Sure, but this isn't correct because gemini is seemingly trying to match curly-braces but the leading double-curly-braces are escaped but the trailing isn't.
Details, since I had to go looking for it - casey/just#352 (comment)
Definitely not a blocking change though.