ci: Add coverage for composefs installs

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

.github/actions/bootc-ubuntu-setup/action.yml

@@ -1,5 +1,10 @@
 name: 'Bootc Ubuntu Setup'
 description: 'Default host setup'
+inputs:
+  libvirt:
+    description: 'Install libvirt and virtualization stack'
+    required: false
+    default: 'false'
 runs:
   using: 'composite'
   steps:
@@ -45,3 +50,10 @@ runs:
       id: set_arch
       shell: bash
       run: echo "ARCH=$(arch)" >> $GITHUB_ENV
+    # Install libvirt stack if requested
+    - name: Install libvirt and virtualization stack
+      if: ${{ inputs.libvirt == 'true' }}
+      shell: bash
+      run: |
+        set -eux
+        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm qemu-utils libvirt-daemon-system

.github/workflows/ci.yml

@@ -131,8 +131,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Bootc Ubuntu Setup
         uses: ./.github/actions/bootc-ubuntu-setup
-      - name: Install qemu-utils
-        run: sudo apt install -y qemu-utils
+        with:
+          libvirt: true
 
       - name: Build container and disk image
         run: |
@@ -163,12 +163,10 @@ jobs:
       - uses: actions/checkout@v4
       - name: Bootc Ubuntu Setup
         uses: ./.github/actions/bootc-ubuntu-setup
-      - name: Install deps
-        run: |
-          sudo apt-get update
-          # see https://tmt.readthedocs.io/en/stable/overview.html#install
-          sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-kvm qemu-utils libvirt-daemon-system just
-          pip install --user "tmt[provision-virtual]"
+        with:
+          libvirt: true
+      - name: Install tmt
+        run: pip install --user "tmt[provision-virtual]"
 
       - name: Create folder to save disk image
         run: mkdir -p target
@@ -192,3 +190,29 @@ jobs:
         with:
           name: tmt-log-PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-${{ matrix.tmt_plan }}
           path: /var/tmp/tmt
+  # This variant does composefs testing
+  test-integration-cfs:
+    strategy:
+      fail-fast: false
+      matrix:
+        test_os: [centos-10]
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+        with:
+          libvirt: true
+
+      - name: Build container and disk image
+        run: |
+          just build-sealed-integration-test-disk
+
+      - name: Archive disk image
+        uses: actions/upload-artifact@v4
+        with:
+          name: PR-${{ github.event.number }}-${{ matrix.test_os }}-${{ env.ARCH }}-sealed-disk
+          path: target/bootc-integration-test.qcow2
+          retention-days: 1

Dockerfile.cfsuki

@@ -11,16 +11,18 @@ dnf install -y systemd-ukify sbsigntools systemd-boot-unsigned
 dnf clean all
 EORUN
 
-# This must be provided and computed via cfs oci compute-id
-ARG COMPOSEFS_FSVERITY
-
 FROM buildroot-base as kernel
+# Must be passed
+ARG COMPOSEFS_FSVERITY
 RUN --mount=type=secret,id=key \
     --mount=type=secret,id=cert \
     --mount=type=bind,from=base,target=/target \
      <<EOF
     set -eux
 
+    # Should be generated externally
+    test -n "${COMPOSEFS_FSVERITY}"
+
     # Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
     # TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
     # TODO: https://github.com/containers/composefs-rs/issues/183
@@ -54,6 +56,7 @@ RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
     # We put the UKI in /boot for now due to composefs verity not being the
     # same due to mtime of /usr/lib/modules being changed
     cp /run/kernel/boot/$kver.efi /boot/EFI/Linux/$kver.efi
+    bootc container lint --fatal-warnings
 EOF
 
 FROM base as final-final

Justfile

@@ -29,6 +29,10 @@ build-sealed-integration-test-image *ARGS:
     just build-integration-test-image
     cargo xtask build-sealed localhost/bootc-integration localhost/bootc-integration-sealed
 
+build-sealed-integration-test-disk: build-sealed-integration-test-image
+    mkdir -p target
+    just build-disk-image localhost/bootc-integration-sealed target/bootc-integration.qcow2
+
 # Only used by ci.yml right now
 build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis