From 0862da62c1770a69367f1fec417df5a17bec6552 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 18 May 2026 11:30:31 +0200 Subject: [PATCH 1/5] Added debian-13 to build-base-images workflow matrix Without this, no debian-13 image gets pushed to ghcr.io, which in turn breaks the weekly Update base image versions workflow when it tries to query tags for cfengine-builder-debian-13. Signed-off-by: Lars Erik Wik --- .github/workflows/build-base-images.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 2b60cb0d8..75d959b5d 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -19,6 +19,7 @@ jobs: - ubuntu-24 - debian-11 - debian-12 + - debian-13 steps: - name: Checkout repository uses: actions/checkout@v6 From f57489ec1edf6a713591ded3f98956dc20580d14 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 18 May 2026 11:35:39 +0200 Subject: [PATCH 2/5] Documented build-base-images matrix step when adding new platforms The previous wording claimed that adding a Debian/Ubuntu platform required only a new entry in platforms.json, which misses the build-base-images workflow matrix and leads to the update-base-images job crashing with a 403 from ghcr.io. Also added debian-13 to the supported platforms table. Signed-off-by: Lars Erik Wik --- build-in-container.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/build-in-container.md b/build-in-container.md index 78687f336..b9820dbd2 100644 --- a/build-in-container.md +++ b/build-in-container.md 
@@ -64,8 +64,15 @@ None of the above arguments are required for `--update`. | `ubuntu-24` | `ubuntu:24.04` | | `debian-11` | `debian:11` | | `debian-12` | `debian:12` | +| `debian-13` | `debian:13` | + +Adding a new Debian/Ubuntu platform requires a new entry in `platforms.json` +and adding the platform name to the matrix in +`.github/workflows/build-base-images.yml` so the weekly job builds and +pushes its image to `ghcr.io`. Without the matrix entry, no image is ever +pushed and the `update-base-images.yml` workflow will fail with a 403 from +`ghcr.io` when it queries tags for the missing repository. -Adding a new Debian/Ubuntu platform requires only a new entry in `platforms.json`. Adding a non-debian based platform (e.g., RHEL/CentOS) requires a new `container/Dockerfile.rhel` plus platform entries. From 401caeb5991075a1297a7edccac2b34efcbf1d18 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 18 May 2026 11:45:08 +0200 Subject: [PATCH 3/5] Documented image_version and base_image_sha when adding a platform Explain that image_version should start as "latest" (the update workflow will replace it after the first push) and that base_image_sha should be filled in by ./build-in-container.py --update-sha rather than copied by hand. Signed-off-by: Lars Erik Wik --- build-in-container.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/build-in-container.md b/build-in-container.md index b9820dbd2..8ff1c19f7 100644 --- a/build-in-container.md +++ b/build-in-container.md 
@@ -73,6 +73,17 @@ pushes its image to `ghcr.io`. Without the matrix entry, no image is ever pushed and the `update-base-images.yml` workflow will fail with a 403 from `ghcr.io` when it queries tags for the missing repository. +The new entry in `platforms.json` needs: + +- `image_version`: set to `"latest"` as a placeholder. The + `update-base-images.yml` workflow (or `./build-in-container.py --update` + run locally) will replace it with the real ghcr.io tag after the first + image is pushed. +- `base_image_sha`: the Docker Hub manifest digest for the `base_image`. + Don't copy this by hand — run `./build-in-container.py --update-sha + --platform ` and it will fetch the current digest from + Docker Hub and write it into `platforms.json`. + Adding a non-debian based platform (e.g., RHEL/CentOS) requires a new `container/Dockerfile.rhel` plus platform entries. From 5e1c595d61bf92af667bd8a7f632aedb9d55e5a8 Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 18 May 2026 11:50:32 +0200 Subject: [PATCH 4/5] Documented --update-sha and the update-base-image-shas.yml workflow Signed-off-by: Lars Erik Wik --- build-in-container.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/build-in-container.md b/build-in-container.md index 8ff1c19f7..9bac621c8 100644 --- a/build-in-container.md +++ b/build-in-container.md @@ -51,6 +51,7 @@ None of the above arguments are required for `--update`. | `--rebuild-image` | | Force rebuild of Docker image (bypasses Docker layer cache) | | `--push-image` | | Build image and push to registry, then exit | | `--update` | | Fetch latest image versions from registry and update platforms.json | +| `--update-sha` | | Fetch latest base image manifest digests from Docker Hub and update platforms.json | | `--shell` | | Drop into a bash shell inside the container for debugging | | `--list-platforms` | | List available platforms and exit | | `--source-dir` | parent of `buildscripts/` | Root directory containing repos | 
@@ -169,6 +170,20 @@ The `update-base-images.yml` workflow automates this step. It runs weekly `platforms.json` changes. This workflow requires `contents: write` and `pull-requests: write` permissions. +The `base_image_sha` digests in `platforms.json` pin each platform to a +specific Docker Hub manifest. To refresh them to the current digests: + +```bash +# Update all platforms +./build-in-container.py --update-sha + +# Update a single platform +./build-in-container.py --update-sha --platform ubuntu-22 +``` + +The `update-base-image-shas.yml` workflow automates this. It runs weekly +(Monday at 01:00 UTC) and opens a pull request with any digest changes. + The workflow authenticates to `ghcr.io` using the automatic `GITHUB_TOKEN` provided by GitHub Actions. For this to work: From 3405f113d8cef92aae2b9c4f56be151964675d3e Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Mon, 18 May 2026 11:52:40 +0200 Subject: [PATCH 5/5] build-in-container.md: formatted markdown file Signed-off-by: Lars Erik Wik --- build-in-container.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/build-in-container.md b/build-in-container.md index 9bac621c8..34da135cf 100644 --- a/build-in-container.md +++ b/build-in-container.md 
@@ -42,19 +42,19 @@ None of the above arguments are required for `--update`. ### Optional arguments -| Option | Default | Description | -| ------------------ | -------------------------------- | ------------------------------------------------------------------- | -| `--output-dir` | `./output` | Where to write output packages | -| `--cache-dir` | `~/.cache/cfengine/buildscripts` | Dependency cache directory | -| `--build-number` | `1` | Build number for package versioning | -| `--version` | auto | Override version string | -| `--rebuild-image` | | Force rebuild of Docker image (bypasses Docker layer cache) | -| `--push-image` | | Build image and push to registry, then exit | -| `--update` | | Fetch latest image versions from registry and update platforms.json | +| Option | Default | Description | +| ------------------ | -------------------------------- | ---------------------------------------------------------------------------------- | +| `--output-dir` | `./output` | Where to write output packages | +| `--cache-dir` | `~/.cache/cfengine/buildscripts` | Dependency cache directory | +| `--build-number` | `1` | Build number for package versioning | +| `--version` | auto | Override version string | +| `--rebuild-image` | | Force rebuild of Docker image (bypasses Docker layer cache) | +| `--push-image` | | Build image and push to registry, then exit | +| `--update` | | Fetch latest image versions from registry and update platforms.json | | `--update-sha` | | Fetch latest base image manifest digests from Docker Hub and update platforms.json | -| `--shell` | | Drop into a bash shell inside the container for debugging | -| `--list-platforms` | | List available platforms and exit | -| `--source-dir` | parent of `buildscripts/` | Root directory containing repos | +| `--shell` | | Drop into a bash shell inside the container for debugging | +| `--list-platforms` | | List available platforms and exit | +| `--source-dir` | parent of `buildscripts/` | Root directory 
containing repos | ## Supported platforms @@ -82,7 +82,7 @@ The new entry in `platforms.json` needs: image is pushed. - `base_image_sha`: the Docker Hub manifest digest for the `base_image`. Don't copy this by hand — run `./build-in-container.py --update-sha - --platform ` and it will fetch the current digest from +--platform ` and it will fetch the current digest from Docker Hub and write it into `platforms.json`. Adding a non-debian based platform (e.g.,
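Review bot: In the `build-base-images.yml` hunk (patch 1), the new `debian-13` matrix entry has to match the `platforms.json` key byte for byte, since the image name `cfengine-builder-debian-13` that the commit message says the update workflow queries is derived from it; worth a one-line comment in the workflow saying the matrix mirrors `platforms.json`, so the next platform is not added to one and not the other. Unrelated to this change but visible in the same context lines: `uses: actions/checkout@v6` is pinned to a mutable tag; for a job that pushes images to `ghcr.io`, pinning the action to a full commit SHA (with the tag in a trailing comment) is the usual supply-chain hardening.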
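Review bot: In the `@@ -64,8 +64,15 @@` hunk of `build-in-container.md` (patch 2), the sentence "will fail with a 403 from `ghcr.io` when it queries tags for the missing repository" will send readers hunting for a token or permissions problem, because a 403 for a repository that does not exist is not what people expect. Suggest saying explicitly that `ghcr.io` answers 403 rather than 404 for a package that has never been pushed, so the fix is the matrix entry plus a run of the `build-base-images` workflow, not new credentials.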
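Review bot: In the `@@ -73,6 +73,17 @@` hunk (patch 3), the `base_image_sha` bullet reads "run `./build-in-container.py --update-sha --platform ` and it will fetch", with nothing after `--platform`; the placeholder is missing, so write it as `--platform <platform>` and say that the value is the key used in the supported platforms table above (e.g. `debian-13`). Also, this hunk documents `--update-sha` one patch before it is added to the options table in patch 4; either reorder the two patches or squash them so the series never documents an option the table does not list.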
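Review bot: In the `@@ -51,6 +51,7 @@` hunk (patch 4) the new `--update-sha` row is fine, but the sentence shown in the hunk header context, "None of the above arguments are required for `--update`.", now needs to cover `--update-sha` as well, since it likewise only rewrites `platforms.json` and runs no build: "None of the above arguments are required for `--update` or `--update-sha`."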
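Review bot: In the `@@ -169,6 +170,20 @@` hunk (patch 4), the new `update-base-image-shas.yml` paragraph is inserted directly before the existing sentence "The workflow authenticates to `ghcr.io` using the automatic `GITHUB_TOKEN`", so "The workflow" now reads as the SHA workflow although the sentence describes `update-base-images.yml`; name the workflow explicitly in that sentence. The preceding paragraph states that `update-base-images.yml` requires `contents: write` and `pull-requests: write`; the new paragraph says the SHA workflow also opens a pull request, so state its required permissions the same way. Since these digest bumps are the only review gate on the pinned base images, a sentence saying that the weekly PR should be reviewed rather than auto-merged would make the purpose of `base_image_sha` clear.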
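Review bot: In the `@@ -42,19 +42,19 @@` hunk (patch 5) every changed row is whitespace only, widening the columns to fit the `--update-sha` row that was already at the wider width; that is fine, but consider squashing it into patch 4 so the table is never misaligned at any point in the history.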
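Review bot: In the `@@ -82,7 +82,7 @@` hunk (patch 5) the continuation line of the `base_image_sha` bullet is dedented to `--platform ` at column 0, while the other wrapped bullet line in the same context (`image is pushed.`) keeps its indentation. Markdown's lazy continuation still renders it as part of the bullet, but it is inconsistent with the rest of the list and will be re-flowed differently by the next formatter run; keep the continuation indented like the neighbouring bullet. The empty `--platform ` placeholder from patch 3 is carried through unchanged here, so fixing it in this hunk as `--platform <platform>` would be the cheapest place.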