ci: Split RPM building into separate job

This splits the RPM package building into a separate CI job that runs
before the integration tests. The built packages are then downloaded
and used by the integration test jobs, avoiding redundant builds.

Changes:
- Add new 'package' job to build RPMs for each test OS
- Make integration test jobs depend on the package job
- Update Dockerfile to use bind-mounted packages instead of COPY
- Add Justfile targets for building from pre-existing packages
- Update .dockerignore to allow target/ directory

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Assisted-by: Claude Code (Sonnet 4.5)
Co-Authored-By: Claude <[email protected]>

Author: cgwalters

.dockerignore

@@ -21,5 +21,7 @@
 # Workaround for podman bug with secrets + remote
 # https://github.com/containers/podman/issues/25314
 !podman-build-secret*
+# Pre-built packages for builds that use them
+!target/
 # And finally of course all the Rust sources
 !crates/

.github/workflows/ci.yml

@@ -114,10 +114,40 @@ jobs:
         uses: ./.github/actions/bootc-ubuntu-setup
       - name: Build mdbook
         run: just build-mdbook
+  # Build packages for each test OS
+  package:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [fedora-42, fedora-43, centos-9, centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+
+      - name: Setup env
+        run: |
+          BASE=$(just pullspec-for-os ${{ matrix.test_os }})
+          echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
+
+      - name: Build packages
+        run: just package
+
+      - name: Upload package artifacts
+        uses: actions/upload-artifact@v5
+        with:
+          name: packages-${{ matrix.test_os }}
+          path: target/*.rpm
+          retention-days: 1
+
   # Build bootc from source into a container image FROM each specified base `test_os`
   # running unit and integration tests (using TMT, leveraging the support for nested virtualization
   # in the GHA runners)
   test-integration:
+    needs: package
     strategy:
       fail-fast: false
       matrix:
@@ -139,9 +169,15 @@ jobs:
           BASE=$(just pullspec-for-os ${{ matrix.test_os }})
           echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
 
+      - name: Download package artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: packages-${{ matrix.test_os }}
+          path: target/
+
       - name: Build container
         run: |
-          just build-integration-test-image
+          just build-integration-test-image-from-package target
           # Extra cross-check (duplicating the integration test) that we're using the right base
           used_vid=$(podman run --rm localhost/bootc-integration bash -c '. /usr/lib/os-release && echo ${ID}-${VERSION_ID}')
           test ${{ matrix.test_os }} = "${used_vid}"
@@ -175,6 +211,7 @@ jobs:
 
   # This variant does composefs testing
   test-integration-cfs:
+    needs: package
     strategy:
       fail-fast: false
       matrix:
@@ -200,9 +237,15 @@ jobs:
           echo "BOOTC_base=${BASE}" >> $GITHUB_ENV
           echo "BOOTC_variant="${{ matrix.variant }} >> $GITHUB_ENV
 
+      - name: Download package artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: packages-${{ matrix.test_os }}
+          path: target/
+
       - name: Build container
         run: |
-          just build-integration-test-image
+          just build-integration-test-image-from-package target
 
       - name: Unit and container integration tests
         run: just test-container
@@ -235,12 +278,13 @@ jobs:
   # Sentinel job for required checks - configure this job name in repository settings
   required-checks:
     if: always()
-    needs: [cargo-deny, validate, test-integration, test-integration-cfs]
+    needs: [cargo-deny, validate, package, test-integration, test-integration-cfs]
     runs-on: ubuntu-latest
     steps:
       - run: exit 1
         if: >-
           needs.cargo-deny.result != 'success' ||
           needs.validate.result != 'success' ||
+          needs.package.result != 'success' ||
           needs.test-integration.result != 'success' ||
           needs.test-integration-cfs.result != 'success'

Dockerfile

@@ -63,10 +63,12 @@ ARG rootfs=
 RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-rootfs "${variant}" "${rootfs}"
 # Inject additional content
 COPY --from=packaging /usr-extras/ /usr/
-# Install the RPM built in the build stage
+# Install packages from bind-mounted directory
 # This replaces the manual file deletion hack and COPY, ensuring proper package management
-# Use rpm -Uvh with --oldpackage to allow replacing with dev version
-COPY --from=build /out/*.rpm /tmp/
-RUN --mount=type=bind,from=packaging,target=/run/packaging --network=none /run/packaging/install-rpm-and-setup /tmp
+# The target/ directory containing built packages should be bind-mounted at build time
+RUN --mount=type=bind,from=packaging,target=/run/packaging \
+    --mount=type=bind,source=target,target=/build-packages \
+    --network=none \
+    /run/packaging/install-rpm-and-setup /build-packages
 # Finally, testour own linting
 RUN bootc container lint --fatal-warnings

Justfile

@@ -39,7 +39,13 @@ buildargs := "--build-arg=base=" + base + " --build-arg=variant=" + variant
 # Build the container image from current sources.
 # Note commonly you might want to override the base image via e.g.
 # `just build --build-arg=base=quay.io/fedora/fedora-bootc:42`
-build:
+build: package
+    podman build {{base_buildargs}} -t {{base_img}}-bin {{buildargs}} .
+    ./tests/build-sealed {{variant}} {{base_img}}-bin {{base_img}}
+
+# Build the container image using pre-existing packages from PATH
+build-from-package PATH:
+    @just copy-packages-from {{PATH}}
     podman build {{base_buildargs}} -t {{base_img}}-bin {{buildargs}} .
     ./tests/build-sealed {{variant}} {{base_img}}-bin {{base_img}}
 
@@ -64,20 +70,41 @@ _packagecontainer:
     echo "Building RPM with version: ${VERSION}"
     podman build {{base_buildargs}} {{buildargs}} --build-arg=pkgversion=${VERSION} -t localhost/bootc-pkg --target=build .
 
-# Build a packages (e.g. RPM) into target/
+# Build packages (e.g. RPM) into target/
 # Any old packages will be removed.
 package: _packagecontainer
     mkdir -p target
     rm -vf target/*.rpm
     podman run --rm localhost/bootc-pkg tar -C /out/ -cf - . | tar -C target/ -xvf -
 
+# Copy pre-existing packages from PATH into target/
+# Used to prepare for building with pre-built packages
+copy-packages-from PATH:
+    #!/bin/bash
+    set -xeuo pipefail
+    if ! compgen -G "{{PATH}}/*.rpm" > /dev/null; then
+        echo "Error: No packages found in {{PATH}}" >&2
+        exit 1
+    fi
+    mkdir -p target
+    rm -vf target/*.rpm
+    cp -v {{PATH}}/*.rpm target/
+
 # This container image has additional testing content and utilities
 build-integration-test-image: build
     cd hack && podman build {{base_buildargs}} -t {{integration_img}}-bin -f Containerfile .
     ./tests/build-sealed {{variant}} {{integration_img}}-bin {{integration_img}}
     # Keep these in sync with what's used in hack/lbi
     podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
 
+# Build integration test image using pre-existing packages from PATH
+build-integration-test-image-from-package PATH:
+    @just build-from-package {{PATH}}
+    cd hack && podman build {{base_buildargs}} -t {{integration_img}}-bin -f Containerfile .
+    ./tests/build-sealed {{variant}} {{integration_img}}-bin {{integration_img}}
+    # Keep these in sync with what's used in hack/lbi
+    podman pull -q --retry 5 --retry-delay 5s quay.io/curl/curl:latest quay.io/curl/curl-base:latest registry.access.redhat.com/ubi9/podman:latest
+
 # Build+test using the `composefs-sealeduki-sdboot` variant.
 test-composefs:
     # These first two are currently a distinct test suite from tmt that directly