From d65726ca29e69437269e6018c5c75367fde41775 Mon Sep 17 00:00:00 2001 From: Mikael Hugo Date: Mon, 18 May 2026 03:12:33 +0200 Subject: [PATCH] ci: provide buildah signature-policy + explicit storage paths buildah needs a policy.json file to authorize image pulls; the runner image doesn't ship one. Write a permissive trust-all policy inline at $HOME/.config/containers/policy.json and pass --signature-policy to both buildah and skopeo. Also pin --root + --runroot so skopeo's containers-storage URL matches buildah's actual store location. Co-Authored-By: Claude Opus 4.7 (1M context) --- .forgejo/workflows/self-deploy.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml index 4153dbdfa..d975608db 100644 --- a/.forgejo/workflows/self-deploy.yml +++ b/.forgejo/workflows/self-deploy.yml @@ -92,8 +92,16 @@ jobs: - name: Build server image (rootless buildah) run: | set -euo pipefail + # buildah needs a containers policy file; the runner image doesn't + # ship one. Write a permissive "trust-all" policy inline. + mkdir -p "$HOME/.config/containers" + printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' \ + > "$HOME/.config/containers/policy.json" nix run nixpkgs#buildah -- bud \ + --signature-policy="$HOME/.config/containers/policy.json" \ --storage-driver=vfs \ + --root="$HOME/.local/share/containers/storage" \ + --runroot="$HOME/.local/share/containers/runroot" \ --isolation=chroot \ -f docker/Dockerfile.sf-server \ --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \ @@ -116,7 +124,7 @@ jobs: nix run nixpkgs#skopeo -- copy \ --insecure-policy \ $creds_arg \ - "containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \ + "containers-storage:[vfs@$HOME/.local/share/containers/storage+$HOME/.local/share/containers/runroot]${{ steps.image.outputs.image }}" \ "docker://${{ steps.image.outputs.image }}"