Draft
See [Commits](/ublue-os/pull/1100/commits) and [Changes](/ublue-os/pull/1100/files) for more details.

-----

Created by [**pull[bot]**](https://github.com/wei/pull) (v2.0.0-alpha.4)

---------

Signed-off-by: Tulip Blossom <tulilirockz@outlook.com>
Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
Co-authored-by: Jorge O. Castro <jorge.castro@gmail.com>
Co-authored-by: James Reilly <jreilly1821@gmail.com>
Co-authored-by: Ahmed Adan <ahmed.adan@gmail.com>
Co-authored-by: Tulip Blossom <tulilirockz@outlook.com>
Co-authored-by: Rich Renomeron <rrenomeron+github@gmail.com>
Migrates the changelog Python script out of the repository and instead uses `hanthor/changelog-action`. This cleans up the workflow and adds support for handling `zstd`-compressed SBOMs natively in the GitHub Action.
…t to 9925d30 (ublue-os#1124)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `c9a27ee` → `9925d30` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to 5decea8 (ublue-os#1126)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `e5bb8de` → `5decea8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…dc1a (ublue-os#1127)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/ublue-os/brew | digest | `d589a2a` → `3efdc1a` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…s#1128)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [extractions/setup-just](https://redirect.github.com/extractions/setup-just) ([changelog](https://redirect.github.com/extractions/setup-just/compare/e33e0265a09d6d736e2ee1e0eb685ef1de4669ff..f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b)) | action | digest | `e33e026` → `f8a3cce` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to 9925d30 (ublue-os#1129)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `b5f4a33` → `9925d30` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v7` → `v8` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

### [`v8`](https://redirect.github.com/actions/download-artifact/compare/v7...v8)

[Compare Source](https://redirect.github.com/actions/download-artifact/compare/v7...v8)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to b8fe93b (ublue-os#1133)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `5decea8` → `b8fe93b` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action) ([changelog](https://redirect.github.com/anchore/sbom-action/compare/28d71544de8eaf1b958d335707167c5f783590ad..17ae1740179002c89186b61233e0f892c3118b11)) | action | digest | `28d7154` → `17ae174` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to 7dca424 (ublue-os#1131)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `001a05c` → `7dca424` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
## Summary
This PR ensures SBOMs are only generated on the `lts` production branch,
not on `main` branch or pull requests.
## Problem
The `build-dx-hwe.yml` workflow had inconsistent SBOM generation logic
compared to all other build workflows:
- **build-dx-hwe.yml**: Generated SBOMs on main branch (incorrect)
- **All other workflows**: Only generated SBOMs on lts branch (correct)
## Solution
Aligned `build-dx-hwe.yml` SBOM logic with the other 4 workflows:
```yaml
sbom: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}
```
## Impact
After this change, SBOMs will **only** be generated when:
- ✅ Event is NOT a pull request
- ✅ Branch is `lts` (production branch)
- ❌ Branch is `main` (testing branch) - **NO SBOMs**
- ❌ Pull requests to any branch - **NO SBOMs**
## Testing
- [ ] Syntax validation passes
- [ ] Logic matches other workflows:
  - build-regular.yml ✅
  - build-regular-hwe.yml ✅
  - build-dx.yml ✅
  - build-gdx.yml ✅
  - build-dx-hwe.yml ⚠️ (fixed by this PR)
## Summary
This reverts commit 16aa2b3 (PR ublue-os#1140) to restore the original SBOM generation behavior.
## Reason for Revert
The previous PR was merged without proper review. Opening this revert so the change can be properly reviewed by Copilot and maintainers before proceeding.
## What This Revert Does
Restores the original SBOM generation logic in all workflow files:
- `build-dx-hwe.yml` - back to generating SBOMs on main branch
- All other workflows - back to their previous state
## Next Steps
After this revert is merged, a new PR will be opened with the SBOM fix for proper review.
## Summary
This PR ensures SBOMs are only generated on the `lts` production branch, not on `main` branch or pull requests.
## Problem
The `build-dx-hwe.yml` workflow currently generates SBOMs on all non-PR builds, including the `main` branch. This is inconsistent with the other build workflows which only generate SBOMs on the `lts` production branch.
### Current State

| Workflow | SBOM Generation Logic | Generates on main? |
|----------|----------------------|-------------------|
| build-regular.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-regular-hwe.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-dx.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-gdx.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| **build-dx-hwe.yml** | `github.event_name != 'pull_request'` | ⚠️ **Yes** (inconsistent) |

## Solution
Align `build-dx-hwe.yml` with the other workflows:
```yaml
sbom: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}
```
## Impact
After this change, SBOMs will **only** be generated when:
- ✅ Event is NOT a pull request
- ✅ Branch is `lts` (production branch per `reusable-build-image.yml` line 76)

SBOMs will **NOT** be generated when:
- ❌ Branch is `main` (testing branch per `reusable-build-image.yml` line 77)
- ❌ Event is a pull request
## Testing
- [x] Syntax validation: Change aligns with existing pattern in 4 other workflows
- [x] Logic verified: All 5 workflows will have identical SBOM generation logic
- [x] Conventional commit format used
## Checklist
- [x] Change is minimal and surgical
- [x] Conventional commit message used
- [x] AI attribution included in commit footer
## Summary
This prevents automatic builds/publishes on lts branch from pull app promotions while maintaining the ability to manually trigger releases.
## Changes
- ✅ Remove `lts` from push triggers (keeps `main` only)
- ✅ Add weekly cron schedule (Sunday 2 AM UTC) for all 5 build workflows
- ✅ Conditional publish: only on `lts` if scheduled or manual dispatch
- ✅ PRs to `lts` still validate (build without publish)
- ✅ `main` branch continues to build/publish to `:lts-testing`
## Benefits
- 🚫 No accidental production releases from pull app merges
- 📅 Controlled weekly production releases via cron
- 🎯 Manual release capability via workflow_dispatch
- 📝 Proper changelog generation when GDX build completes on schedule
## Testing
- [x] Syntax validated with `just check`
- [x] Shellcheck linting passed
- [ ] Should test with manual workflow_dispatch on `lts` branch after merge
## Related
Fixes the issue where changelogs weren't being generated because builds on `lts` were happening from pull app promotions instead of scheduled/manual runs.
See [Commits](/ublue-os/pull/1137/commits) and [Changes](/ublue-os/pull/1137/files) for more details.

-----

Created by [**pull[bot]**](https://github.com/wei/pull) (v2.0.0-alpha.4)

---------

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
Co-authored-by: Jorge O. Castro <jorge.castro@gmail.com>
…est to d4ef607 (ublue-os#1139)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `7dca424` → `d4ef607` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…1068 (ublue-os#1135)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/ublue-os/brew | digest | `3efdc1a` → `ca91068` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to d4ef607 (ublue-os#1145)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `7dca424` → `d4ef607` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled because a matching PR was automerged previously.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to cbe78e6 (ublue-os#1146)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `b8fe93b` → `cbe78e6` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…ue-os#1147)

## Summary
This PR fixes accidental production tag publishes from pull bot PRs to the `lts` branch by implementing a dispatcher pattern for scheduled releases.
### Changes Made
1. **Created dispatcher workflow** (`scheduled-lts-release.yml`)
   - Runs weekly on Sunday at 2 AM UTC
   - Triggers all 5 build workflows on `lts` branch via `workflow_dispatch`
   - Solves the problem that GitHub Actions `schedule:` triggers always run on default branch
2. **Updated all 5 build workflows**:
   - Removed `lts` from `pull_request:` triggers (no longer trigger on pull bot PRs)
   - Added `lts` to `push:` triggers (validation builds on pull bot merges)
   - Removed `schedule:` sections (moved to dispatcher)
   - Updated `publish:` conditions to only publish on:
     - `workflow_dispatch` events (cron dispatcher + manual triggers)
     - `push` to `main` branch (`:lts-testing` tags)
### Workflow Behavior Matrix

| Event | Branch | Triggers? | Publishes? | Tags |
|-------|--------|-----------|------------|------|
| PR to main | `main` | ✅ | ❌ | none |
| Merge to main | `main` | ✅ | ✅ | `:lts-testing` |
| PR to lts | `lts` | ❌ | ❌ | none |
| Merge to lts | `lts` | ✅ | ❌ | none (validation only) |
| Cron Sun 2am | `main` | ✅ | ❌ | none (dispatcher) |
| Dispatcher | `lts` | ✅ | ✅ | `:lts` (production) |
| Manual dispatch | `lts` | ✅ | ✅ | `:lts` |

### Problem Fixed
**Before:** Pull bot PRs to `lts` triggered all 5 build workflows and published production tags (`:lts`, `:lts.YYYYMMDD`)

**After:** Pull bot PRs to `lts` do NOT trigger workflows. Production tags only publish via:
- Weekly cron schedule (Sunday 2 AM UTC)
- Manual `workflow_dispatch` on `lts` branch

**Evidence of bug:** PR ublue-os#1144 (pull bot) triggered runs:
- #22586907105 (Build Bluefin LTS)
- #22586905020 (Build Bluefin LTS DX)
- #22586905071 (Build Bluefin LTS GDX)

All published production tags from PR event instead of scheduled event.
### Testing Plan
After merge, need to verify:
- [ ] Pull bot PRs to `lts` do NOT trigger workflows
- [ ] Pull bot merges to `lts` DO trigger validation builds but do NOT publish
- [ ] Manual dispatcher trigger works and publishes production tags
- [ ] Merges to `main` still publish `:lts-testing` tags
### Branch Protection Update Required
The `lts` branch protection needs manual updates (web UI or API):
- Change required approvals from 2 → 1
- Disable force pushes (currently enabled)
- Enable conversation resolution
- Enable dismiss stale reviews

Current settings:
```json
{
  "approvals": 2,
  "force_pushes": true,
  "enforce_admins": false
}
```
### Related Issues
Fixes the accidental production tag publishing issue observed on 2026-03-02.
### Implementation Notes
- All commits follow conventional commit format
- Syntax validated with `just check`
- Linting validated with `just lint` (no new warnings introduced)
- Plan documented in `docs/plans/2026-03-02-fix-lts-tag-publishing.md`
…orkflow (ublue-os#1152)

## Summary
This PR implements a comprehensive 3-layer defense to prevent branch pollution caused by AI agents accidentally merging `lts` → `main`.
### Problem
AI agents see branch divergence between `main` and `lts` and attempt to "sync" by merging in the wrong direction (`lts` → `main`), causing old commits to pollute the git history.
### Solution: 3-Layer Defense
**Layer 1: Manual Promotion Workflow**
- Replace automatic Pull app with manual GitHub Actions workflow
- Created `.github/workflows/promote-to-lts.yml` (manual `workflow_dispatch` only)
- Deleted `.github/pull.yml` (automatic pull app config)
- Operators manually trigger promotions when ready

**Layer 2: Renovate Restriction**
- Updated `.github/renovate.json5` to only target `main` branch
- Prevents Renovate from creating PRs against `lts`
- All dependency updates flow through `main` → testing → promotion

**Layer 3: Validation Build Triggers** (Critical Fix)
- Added `lts` to push triggers in all 5 build workflows
- Fixes missing implementation from commit 8ed6d20
- Enables validation builds when promotion PRs merge to `lts`
- Builds trigger but **DO NOT publish** (cron-only publishing preserved)
### Workflow Behavior After This PR

| Event | Branch | Triggers? | Publishes? | Tags |
|-------|--------|-----------|------------|------|
| PR to main | main | ✅ | ❌ | none |
| Merge to main | main | ✅ | ✅ | `:lts-testing` |
| PR to lts | lts | ❌ | ❌ | none |
| **Merge to lts** | **lts** | **✅** | **❌** | **validation only** |
| Cron Sun 2am | main | ✅ (dispatcher) | ❌ | none |
| Dispatcher trigger | lts | ✅ | ✅ | `:lts` (production) |

### Decoupled Promotion & Release
**Promotion** (manual):
1. Operator triggers `promote-to-lts.yml` workflow
2. PR auto-created from `main` → `lts`
3. Operator reviews and merges
4. Validation builds trigger (no publish)

**Release** (separate):
1. Sunday cron OR manual trigger
2. `scheduled-lts-release.yml` dispatches builds on `lts`
3. Production images published to ghcr.io with `:lts` tags
### Changes Made
```
8 files changed, 70 insertions(+), 16 deletions(-)
```
- ✅ Deleted `.github/pull.yml`
- ✅ Created `.github/workflows/promote-to-lts.yml`
- ✅ Updated `.github/renovate.json5` (added `baseBranches: ["main"]`)
- ✅ Modified 5 build workflows (added `lts` to push triggers)
### Testing
- ✅ `just check` passed
- ✅ `just lint` passed (no new warnings)
- 📋 After merge: Test promotion workflow creates PR correctly
- 📋 After merge: Test validation builds trigger on lts merge (no publish)
### Post-Merge Actions
- [ ] Manually uninstall Pull app from repository settings (user will handle)
- [ ] Test promotion workflow via Actions → "Promote Main to LTS"
- [ ] Verify validation builds trigger without publishing
### Related
Fixes the branch pollution issue and completes the missing implementation from commit 8ed6d20.

Plan documented at: `docs/plans/2026-03-02-fix-branch-pollution.md`
…t to 786c4d1 (ublue-os#1149)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `9925d30` → `786c4d1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…/caffeine digest to 98b3b4f (ublue-os#1148)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [system_files/usr/share/gnome-shell/extensions/tmp/caffeine](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git) ([changelog](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git/compare/07643c383db62dfcbb0485f344d063389644f2f9..98b3b4f60247d61b8d93acdd6055d5b41adbbb24)) | digest | `07643c3` → `98b3b4f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…ublue-os#1154)

## Summary
Fixes a critical bug where merges to `main` branch were accidentally pushing container images to the production `:lts` tag instead of the testing `:lts-testing` tag.
## Problem
The manifest generation step (line 372) had incorrect conditional logic:
- **Build step (line 161)**: Simple condition `if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ]` - adds `-testing` for all non-production branches ✅
- **Manifest step (line 372)**: Complex condition that only added `-testing` for PRs/merge groups - omitted pushes to main ❌

This caused:
- Build step creates image tagged `lts-testing` ✅
- Manifest step pushes manifest with tag `lts` ❌
- **Result**: Production tag gets polluted with testing builds!
## Solution
- Line 372: Changed from complex condition to simple `if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ]` to match build step logic
- Line 375: Fixed `CENTOS_VERSION_SUFFIX` to append suffix instead of replacing (preserves `-hwe` when present)
## Evidence
- Bug introduced in commit `0566080` (PR ublue-os#1101) which fixed the build step but forgot the manifest step
- Registry shows `:lts-testing` tags exist but haven't been updated since Feb 22 (builds were cancelled)
- Production `:lts` tags show recent activity through Mar 2
## Verification
- ✅ `just check && just lint` passes
- ✅ Test script confirms push to main will now tag as `lts-testing` not `lts`
## Summary
- **Fix tag pollution from main branch merges**: The manifest step had complex conditional logic that omitted pushes to `main`, causing `:lts` production tags to be overwritten by testing builds. Aligns manifest step with build step logic.
- **Fix `Push Manifest` and `sign` failing on lts push events**: Both steps used `github.event_name != 'pull_request'` which fired even when `publish=false`, causing `image not known` errors. Now gated on `inputs.publish`.
- **Remove duplicate `schedule:` from all 5 build workflows**: The dispatcher (`scheduled-lts-release.yml`) owns the weekly cron. The stale entries were triggering 10 extra no-op builds on `main` every Sunday on top of the 5 dispatcher runs on `lts`.
- **Simplify `promote-to-lts.yml`**: Replace the checkout+merge+intermediate-branch approach (which reintroduced merge commit pollution) with a single `gh pr create --base lts --head main` call. Drops `contents: write` permission.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
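
The tag mismatch described in the two commit messages above can be caught by evaluating both steps' tag logic over the same set of event/ref contexts. This is an added example, not the project's workflow code: the pre-fix manifest condition is reconstructed from the description ("only added `-testing` for PRs/merge groups"), and the function names and sample ref names are constructed.

```shell
#!/bin/sh
# Added example; function names and sample contexts are constructed.
PRODUCTION_BRANCH=lts

# Build step: the condition quoted in the commit message.
build_tag() {  # $1 = REF_NAME
    if [ "$1" != "$PRODUCTION_BRANCH" ]; then echo "lts-testing"; else echo "lts"; fi
}

# Manifest step before the fix, reconstructed from the description:
# "-testing" was added only for pull requests and merge groups.
manifest_tag_before() {  # $1 = event name, $2 = REF_NAME
    case "$1" in
        pull_request|merge_group) echo "lts-testing" ;;
        *) echo "lts" ;;
    esac
}

# Manifest step after the fix: the same test as the build step.
manifest_tag_after() {  # $1 = event name (unused), $2 = REF_NAME
    build_tag "$2"
}

# drift FUNC: print every "event:ref" context in which FUNC resolves to a
# different tag than the build step. Any output is a publish-time mismatch.
drift() {
    for ctx in pull_request:1154/merge merge_group:queue/main/pr-1 push:main \
               push:lts workflow_dispatch:lts; do
        event=${ctx%%:*}
        ref=${ctx#*:}
        if [ "$("$1" "$event" "$ref")" != "$(build_tag "$ref")" ]; then
            echo "$ctx"
        fi
    done
    return 0
}

echo "before fix, mismatching contexts: $(drift manifest_tag_before)"
echo "after fix,  mismatching contexts: $(drift manifest_tag_after)"
```
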
…ue-os#1197)

... and of course I messed it up, one more. :)
## Solution
Find the most-recent commit on `main` whose tree hash matches the current `lts` tree. Since squash-merges preserve content exactly, this is always the `main` commit that was squash-merged into `lts`. `git log` is anchored from that point, showing only genuinely new commits regardless of squash-merge history.

If no match is found within 500 commits (first-ever promotion), falls back to `git diff --name-status`.
## Also fixed
- Removed `|| true` from `gh pr edit` — failures now surface visibly instead of silently leaving the PR body stale
- Added guard: if `git diff` detects a difference but `origin/lts..origin/main` is empty (lts is ahead/diverged), skip rather than open a misleading empty PR

Addresses Copilot review comments from ublue-os#1195.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…est to 54b49be (ublue-os#1198)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `7b1e3d1` → `54b49be` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…-os#1201)

## Problem

PR ublue-os#1199 showed **19 commits and 6 changed files** when only **1 commit** (d151470) was genuinely new. The PR was unmergeable (`mergeable_state: dirty`).

**Root cause:** Squash-merge of PR ublue-os#1196 created an orphan commit on `lts` that Git cannot trace back to any `main` commit. This permanently froze the merge base at `ff85922`, causing GitHub to compute the PR diff from that ancient point — including all historical commits in every future promotion PR.

This problem **compounds over time** — each squash-merge adds another orphan, and the commit/diff bloat grows without bound.

## Solution

Switch promotion PRs from squash-merge to **regular merge** (Create a merge commit). Regular merge creates a commit with two parents, advancing the merge base so future PRs only contain genuinely new commits.

**Verified locally:**

| Strategy | After 1 cycle | After 2 cycles | After N cycles |
|---|---|---|---|
| Squash merge | 1 commit ✅ | 2 commits ❌ | N commits (grows forever) ❌ |
| Regular merge | 1 commit ✅ | 1 commit ✅ | 1 commit ✅ |

## Changes

- **`create-lts-pr.yml`**: Simplified commit list logic — use `git log lts..main` directly (the tree-hash anchor workaround is no longer needed). Updated PR body to instruct maintainers to merge, not squash.
- **`AGENTS.md`**: Documented that promotion PRs must use regular merge, with explicit warning against squash-merge.

## Pre-requisite (already done)

The merge base was repaired by merging `main` into `lts` with a regular merge commit (`d5a0149`). Current state: merge base = `d151470`, zero content diff, identical trees. PR ublue-os#1199 should be closed.

Assisted-by: Claude Opus 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
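The promotion behaviour described in the two commit messages above (the tree-hash anchor from ublue-os#1197 and the squash versus regular merge comparison from ublue-os#1201), modelled as an added example that is not the repository's workflow code. It is an in-memory commit graph in which `tree` stands in for git's tree hash and `pending()` mirrors `git log lts..main`; every class and function name here is an assumption.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Commit:
    cid: int
    parents: tuple   # parent commit ids; two parents means a merge commit
    tree: str        # stand-in for git's tree hash: same content, same value


class Repo:
    """Two branches, main and lts, sharing one root commit (constructed model)."""

    def __init__(self):
        self._ids = count(1)
        self._rev = 0
        self.commits = {}
        self.main = self.lts = self._new((), "tree-0")

    def _new(self, parents, tree):
        commit = Commit(next(self._ids), tuple(parents), tree)
        self.commits[commit.cid] = commit
        return commit.cid

    def commit_on_main(self):
        """A normal change landing on main; content (tree) changes every time."""
        self._rev += 1
        self.main = self._new((self.main,), f"tree-{self._rev}")

    def promote(self, strategy):
        """Bring lts to main's content by 'squash' or by regular 'merge'."""
        tree = self.commits[self.main].tree
        if strategy == "squash":
            parents = (self.lts,)             # no link back to main's history
        elif strategy == "merge":
            parents = (self.lts, self.main)   # second parent advances the merge base
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        self.lts = self._new(parents, tree)

    def ancestors(self, tip):
        seen, stack = set(), [tip]
        while stack:
            cid = stack.pop()
            if cid not in seen:
                seen.add(cid)
                stack.extend(self.commits[cid].parents)
        return seen

    def pending(self):
        """Equivalent of `git log lts..main`: reachable from main, not from lts."""
        return sorted(self.ancestors(self.main) - self.ancestors(self.lts), reverse=True)

    def pending_from_tree_anchor(self, limit=500):
        """Walk main newest-first until a commit's tree equals the lts tree.

        Returns the commits newer than that anchor, or None when no match is
        found within `limit` commits (the case where the commit message falls
        back to a name-status diff).
        """
        lts_tree = self.commits[self.lts].tree
        newer, cid = [], self.main
        for _ in range(limit):
            commit = self.commits[cid]
            if commit.tree == lts_tree:
                return newer
            newer.append(cid)
            if not commit.parents:
                break
            cid = commit.parents[0]
        return None


def simulate(strategy, cycles):
    """One new commit on main per cycle, then promote; record list sizes."""
    repo, plain, anchored = Repo(), [], []
    for _ in range(cycles):
        repo.commit_on_main()
        plain.append(len(repo.pending()))
        found = repo.pending_from_tree_anchor()
        anchored.append(None if found is None else len(found))
        repo.promote(strategy)
    return plain, anchored


if __name__ == "__main__":
    for strategy in ("squash", "merge"):
        plain, anchored = simulate(strategy, 3)
        print(f"{strategy:>6}: lts..main={plain} tree-anchor={anchored}")
```

With squash promotion the `lts..main` count grows by one per cycle while the tree-hash anchor stays at one; with regular merge both stay at one, which is why the anchor workaround could be dropped.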
…/caffeine digest to 2fafa49 (ublue-os#1200)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [system_files/usr/share/gnome-shell/extensions/tmp/caffeine](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git) ([changelog](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git/compare/873a1b03cd4e0eeda2932e02d9b9d72a4d47f6a7..2fafa49faa13e3507409b862a5c75c9d4c86de03)) | digest | `873a1b0` → `2fafa49` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to 550e0d6 (ublue-os#1203)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `2a43204` → `550e0d6` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to 56d49d1 (ublue-os#1204)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `54b49be` → `56d49d1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…indicatorsupport@rgcjonas.gmail.com digest to 5f21a79 (ublue-os#1205)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [system_files/usr/share/gnome-shell/extensions/appindicatorsupport@rgcjonas.gmail.com](https://redirect.github.com/ubuntu/gnome-shell-extension-appindicator.git) ([changelog](https://redirect.github.com/ubuntu/gnome-shell-extension-appindicator.git/compare/be68add0382b1ee19eb8e851464e3a3ac6900c6a..5f21a790e20537681c51670cbfe2a5f2688cca2e)) | digest | `be68add` → `5f21a79` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…t to 73de6aa (ublue-os#1206)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `550e0d6` → `73de6aa` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
Switch the GNOME COPR from jreilly1821/c10s-gnome (48.x backport) to
jreilly1821/c10s-gnome-49 which tracks Fedora F43 dist-git.
EL10-specific workarounds required (all confirmed working in live VM
testing against a centos-bootc:stream10 base):
1. Pre-upgrade fontconfig before the GNOME group install — COPR pango
1.57 links FcConfigSetDefaultSubstitute which was added in fontconfig
2.17.0; EL10 base ships 2.15.0 causing a symbol lookup error that
prevents gnome-shell from starting.
2. Pre-upgrade gobject-introspection and gjs — glib2 2.84+ ships both
libgirepository-1.0 and libgirepository-2.0. If only one is upgraded,
both get loaded and the double-registration of GIRepository crashes
gnome-shell at startup.
3. Add dbus-daemon to the GNOME package install — GDM's
gdm-wayland-session requires dbus-daemon to start the session message
bus. It is only a Recommends: of gdm (not Requires:) so bootc image
builds prune it; must be installed explicitly.
4. Add gnome49-el10-compat — provides two things:
- PAM fix for systemd-user: GDM 49 allocates dynamic gdm-greeter-N
users via systemd's Varlink userdb API; pam_unix returns
PAM_AUTHINFO_UNAVAIL for these transient users, blocking login.
Override replaces the account phase with pam_permit.so.
- SELinux policy module (priority 300): selinux-policy 43.1 lacks
rules for GDM 49's userdb Varlink socket. Module grants xdm_t the
ability to create the socket in /run/systemd/userdb/ and allows the
required domains (systemd_userdbd_t, policykit_t, init_t, etc.) to
connect to it. Required for enforcing mode.
5. Remove the gnome-shell-48.3 swap and python3-dnf-plugin-versionlock
install (already handled by dnf-command(versionlock) earlier).
Extend versionlock to cover gobject-introspection, gjs, and pango —
all of which must stay at COPR versions to avoid library mismatches.
Tested on: quay.io/centos-bootc/centos-bootc:stream10
Result: GDM greeter reached, gnome-shell session started, enforcing
SELinux clean (AVC-free for GDM/GNOME paths).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…h-to-dock@micxgx.gmail.com digest to 57ac68f (ublue-os#1208)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [system_files/usr/share/gnome-shell/extensions/dash-to-dock@micxgx.gmail.com](https://redirect.github.com/micheleg/dash-to-dock.git) ([changelog](https://redirect.github.com/micheleg/dash-to-dock.git/compare/0f21b6b9baf504d6e6972e9ea8041240ceadfdc9..57ac68fdaabdac7a9cd4bd5fa2bf59dc07db5c32)) | digest | `0f21b6b` → `57ac68f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](..ublue-os/issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
feat: switch from GNOME 48 to GNOME 49
- Switch COPR comment from 'GNOME 48 backport' to 'GNOME 50'
- Add fontconfig to pre-upgrade step (pango 1.57 requires fontconfig 2.17.0; EL10 base ships 2.15.0 which lacks FcConfigSetDefaultSubstitute)
- Add fontconfig to versionlock to prevent downgrade back to 2.15.x
- Install selinux-policy/selinux-policy-targeted from COPR before upgrade (GNOME 50 userdb varlink socket requires policy 43.x; EL10 ships 42.x)
- Add dbus-daemon to GNOME package install (GDM wayland session bus; only a Recommends: of gdm so bootc image builds prune it)
- Add gnome50-el10-compat (PAM systemd-user fix + SELinux module at priority 300 for GDM 50 dynamic greeter users under enforcing mode)
- Add versionlock for full GNOME 50 stack in 20-packages.sh
- Add build-gnome50.yml workflow publishing bluefin:lts-testing-50 and bluefin:lts-hwe-testing-50

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

inputs.tag-suffix was defined but never consumed — DEFAULT_TAG was assembled only from the hwe flag and REF_NAME, so passing tag-suffix from a calling workflow had no effect.

Fix both tag-assembly blocks to append INPUT_TAG_SUFFIX (passed via env) after the existing hwe/testing suffix logic:

  build step: lts[-hwe][-testing]-<suffix>
  publish step: same, plus CENTOS_VERSION_SUFFIX for dated tags

This makes build-gnome50.yml's tag-suffix: '50' produce bluefin:lts-testing-50 and bluefin:lts-hwe-testing-50 on the main branch, and lts-50 / lts-hwe-50 on the lts branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Remove lts from push triggers (testing images only, never promoted)
- Set publish condition to main branch push/dispatch only
- Drop rechunk (not needed for testing images)
- Simplify tag-suffix to '50' (reusable workflow adds 'testing' on main) producing bluefin:lts-testing-50 and bluefin:lts-hwe-testing-50

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
feat: add GNOME 50 testing builds (lts-testing-50, lts-hwe-testing-50)
- Switch main image build back to c10s-gnome-49 COPR (GNOME 49 is now the stable default)
- Add Containerfile.gnome50 which FROMs the built lts-testing image and runs an upgrade-in-place script to switch to GNOME 50
- Add build_scripts/upgrade-gnome49-to-50.sh: swaps COPR, replaces gnome49-el10-compat with gnome50-el10-compat, installs selinux-policy 43.x, upgrades the GNOME stack, and sets GNOME 50 versionlocks
- Rewrite build-gnome50.yml: no longer uses reusable-build-image.yml; instead builds Containerfile.gnome50 on top of lts-testing and lts-hwe-testing, publishing lts-testing-50 and lts-hwe-testing-50

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
feat: layer GNOME 50 on top of GNOME 49 base image
…es it)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

/opt is a symlink to /var/opt in the base image; mounting tmpfs over both /opt and /var breaks the mount chain. The tmpfs mounts are an optimization for the full build (keeping /var out of image layers) but are unnecessary for a simple dnf upgrade layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
fix: upgrade script was being wiped by /tmp tmpfs mount
- Containerfile: add ARG GNOME_VERSION (default 49)
- Justfile: add $gnome_version param, pass as --build-arg GNOME_VERSION
- 10-packages-image-base.sh: branch on $GNOME_VERSION — GNOME 49 enables c10s-gnome-49 COPR + upgrades gobject-introspection/gjs; GNOME 50 enables c10s-gnome-50 COPR + installs selinux-policy 43.x
- 20-packages.sh: branch on $GNOME_VERSION for versionlocks
- reusable-build-image.yml: add gnome-version input (default 49), pass through to just build as 7th positional arg
- build-gnome50.yml: use reusable workflow with gnome-version: 50 and tag-suffix: 50 — produces lts-testing-50 and lts-hwe-testing-50

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

c10s-gnome-50 is incomplete (gnome50-el10-compat and others have no builds). c10s-gnome-50-fresh has 578 RPMs including gnome50-el10-compat, mutter, selinux-policy-43, libadwaita, and the full GNOME 50 stack.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

When rechunk=false (e.g. GNOME 50 builds), the Load Image step runs podman without sudo and cannot find the image built by sudo just build. Add an explicit rootful→rootless transfer step for this case.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

rechunk is the mechanism that transfers the image from root (sudo) storage to user-accessible storage before Load Image runs. Setting rechunk: false broke Load Image with 'image not known'. Mirror the main build pattern: rechunk on non-PR events, skip on PRs. Also revert unnecessary sudo podman save|load workaround.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…SION arg)

Remove Containerfile.gnome50 and upgrade-gnome49-to-50.sh (layered approach). Build GNOME 50 via reusable-build-image.yml with gnome-version: '50' input, identical pipeline to GNOME 49 but selecting c10s-gnome-50-fresh COPR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…we build in same run

Artifact name now includes hwe flag and tag-suffix so build and build-hwe jobs don't collide uploading 'bluefin-amd64' in the same workflow run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…-testing-50)

Add build-dx and build-dx-hwe jobs to build-gnome50.yml mirroring the main DX workflow but with gnome-version: '50' and tag-suffix: '50'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Commits pending promotion to `lts`

f6e1e4b feat: add bluefin-dx GNOME 50 build variants (lts-testing-50, lts-hwe-testing-50)
761f3fb fix: disambiguate artifact names to avoid conflict when hwe and non-hwe build in same run
8791cad refactor: replace layered gnome50 with full build pipeline (GNOME_VERSION arg)
ad5efb0 fix: use rechunk on main branch pushes (mirrors main build pattern)
98817fd fix: copy image to rootless storage when rechunk is disabled
c5ca712 fix: use c10s-gnome-50-fresh COPR (fully populated with all packages)
1b6aeed feat: add GNOME_VERSION build arg to select GNOME 49 or 50
8d58621 Merge pull request ublue-os#1213 from hanthor/feat/gnome-50-layered
3a4943c fix: drop tmpfs mounts in Containerfile.gnome50
157138a fix: copy upgrade script to /usr/local/bin, not /tmp (tmpfs mount wipes it)
6d70966 Merge pull request ublue-os#1212 from hanthor/feat/gnome-50-layered
3b665f1 fix(ci): add bluefin-dx GNOME 50 variants to build matrix
8087aea feat: rebase GNOME 49 as default, layer GNOME 50 on top
45ee934 Merge pull request ublue-os#1209 from hanthor/feat/gnome-50
e05a4fb fix(ci): restrict GNOME 50 builds to main branch only
a4e75cf fix(ci): wire up tag-suffix input in reusable-build-image.yml
cb21bb1 feat: add GNOME 50 testing builds (lts-testing-50, lts-hwe-testing-50)
ac893be Merge pull request ublue-os#1207 from hanthor/feat/gnome-49
a2d8b5c Merge branch 'main' into feat/gnome-49
96d99f5 chore(deps): update system_files/usr/share/gnome-shell/extensions/dash-to-dock@micxgx.gmail.com digest to 57ac68f (ublue-os#1208)
3e3235e feat: switch from GNOME 48 to GNOME 49
28a7701 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 73de6aa (ublue-os#1206)
789460b chore(deps): update system_files/usr/share/gnome-shell/extensions/appindicatorsupport@rgcjonas.gmail.com digest to 5f21a79 (ublue-os#1205)
f662cb5 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 56d49d1 (ublue-os#1204)
f93db5a chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 550e0d6 (ublue-os#1203)
3f031ba chore(deps): update system_files/usr/share/gnome-shell/extensions/tmp/caffeine digest to 2fafa49 (ublue-os#1200)
120a359 fix(ci): use regular merge for promotion PRs instead of squash (ublue-os#1201)
d151470 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 54b49be (ublue-os#1198)
a764cfc fix(ci): use tree-hash anchor for accurate promotion commit list (ublue-os#1197)
6462f99 ci(promote): replace push-based promotion with PR gate (ublue-os#1195)
dd4152f chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 7b1e3d1 (ublue-os#1194)
1658526 chore(deps): update system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com digest to 4e93e0e (ublue-os#1193)
aa14da4 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to b10c380 (ublue-os#1191)
1ff0c7e Revert "feat(GNOME) : gnome 49 backport" (ublue-os#1192)
18bb989 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to ff6f31c (ublue-os#1185)
24765e4 feat(GNOME) : gnome 49 backport (ublue-os#1187)
bc65f2a chore(deps): update system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com digest to e4ad180 (ublue-os#1190)
914432d chore(deps): update ghcr.io/ublue-os/brew:latest docker digest to fef8b47 (ublue-os#1189)
1339bc4 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 2a43204 (ublue-os#1188)
4e13431 chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to 9409d0c (ublue-os#1186)
6a0ad87 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to a9a3a0c (ublue-os#1184)
8e1c75f chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to 69e0d5c (ublue-os#1174)
90132e8 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 08420c1 (ublue-os#1181)
b23f809 chore(deps): update actions/download-artifact digest to 3e5f45b (ublue-os#1183)
13f9b46 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to c2dba5f (ublue-os#1182)
7316e19 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 00f9662 (ublue-os#1156)
ff85922 fix(ci): replace PR promotion with squash push in promote-to-lts (ublue-os#1177)
a527168 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 226b06f (ublue-os#1179)
4386c39 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 9c0d148 (ublue-os#1178)
314318e chore(deps): update anchore/sbom-action digest to 57aae52 (ublue-os#1175)
60e4aef chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to d1a9fbd (ublue-os#1173)
5875348 chore(deps): update actions/setup-node digest to 53b8394 (ublue-os#1163)
65a6c9f chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 923014b (ublue-os#1162)
a1f5552 chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to b9a75b6 (ublue-os#1164)
30a4d2d chore(deps): update system_files/usr/share/gnome-shell/extensions/tmp/caffeine digest to 873a1b0 (ublue-os#1166)
348707b chore(deps): update docker/metadata-action action to v6 (ublue-os#1167)
d3d39e9 chore(deps): update system_files/usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io digest to ed2f3a1 (ublue-os#1168)
020b8b2 chore(deps): update ghcr.io/ublue-os/brew:latest docker digest to 2eca44f (ublue-os#1169)
6cd6a55 fix: turn off bazaar.service for now (ublue-os#1172)
489e19d chore(renovate): fix automerge rules and reschedule lts cron (ublue-os#1171)
0b0caf0 chore(deps): update system_files/usr/share/gnome-shell/extensions/dash-to-dock@micxgx.gmail.com digest to 0f21b6b (ublue-os#1165)
270f925 fix: fetch raw instead of blob for zram config (ublue-os#1170)
6ec7dd5 fix(ci): fix LTS promotion workflow failures (ublue-os#1157)
6bb5b77 Delete docs/plans directory
550e8de fix(ci): prevent production LTS tag pollution from main branch merges (ublue-os#1154)
39cc90c chore(deps): update system_files/usr/share/gnome-shell/extensions/tmp/caffeine digest to 98b3b4f (ublue-os#1148)
aa2af52 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 786c4d1 (ublue-os#1149)
0b6baa9 fix(ci): prevent branch pollution by replacing pull app with manual workflow (ublue-os#1152)
8ed6d20 fix(ci): prevent accidental LTS tag publishing from pull bot PRs (ublue-os#1147)
943d949 chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to cbe78e6 (ublue-os#1146)
ed26f96 chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to d4ef607 (ublue-os#1145)
ffa30fe Merge branch 'lts' into main
d91a54e chore(deps): update ghcr.io/ublue-os/brew:latest docker digest to ca91068 (ublue-os#1135)
d34e80a chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to d4ef607 (ublue-os#1139)
64cb487 [pull] lts from main (ublue-os#1137)
a3e9a6a feat: switch lts builds to cron-only schedule (ublue-os#1138)
c4c9427 fix(ci): restrict SBOM generation to lts branch only (ublue-os#1142)
fcfbbec revert: restore SBOM generation on main branch (ublue-os#1141)
16aa2b3 fix(ci): restrict SBOM generation to lts branch only (ublue-os#1140)
b228dab chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 7dca424 (ublue-os#1131)
0ba1ede chore(deps): update anchore/sbom-action digest to 17ae174 (ublue-os#1132)
f7e94f5 chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to b8fe93b (ublue-os#1133)
e239a19 chore(deps): update github artifact actions (major) (ublue-os#1134)
3033874 Revert "Merge branch 'lts' into main"
4f951b4 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 9925d30 (ublue-os#1129)
9eb3e64 chore(deps): update extractions/setup-just digest to f8a3cce (ublue-os#1128)
0beace5 Merge branch 'lts' into main
58f470c chore(deps): update ghcr.io/ublue-os/brew:latest docker digest to 3efdc1a (ublue-os#1127)
38f3151 chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to 5decea8 (ublue-os#1126)
8594120 chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 9925d30 (ublue-os#1124)
f4357b1 feat: migrate changelog generation to external action (ublue-os#1125)
dc3f78e [pull] lts from main (ublue-os#1100)
Merge this PR (Create a merge commit) to promote. Do NOT squash — squash-merge breaks the merge base and causes PR bloat. The PR body updates automatically as `main` advances.