Update container images

.gitea/workflows/build.yaml

@@ -5,6 +5,8 @@ name: build
 # Controls when the workflow will run
 on:
   push:
+    branches:
+      - "**"
     tags:
       - "**"
 
@@ -14,13 +16,13 @@ jobs:
   build:
     strategy:
       matrix:
-        flavor: [rocky, rocky-minimal, fedora]
+        flavor: [rocky, rocky-minimal]
     runs-on: rocky-minimal
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Build ${{ matrix.flavor }} image
         id: build-image-rocky

.github/workflows/build-and-release.yaml

@@ -7,6 +7,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
   push:
+    branches:
+      - master
 
 env:
   REGISTRY_USER: aborys
@@ -17,14 +19,15 @@ jobs:
   build:
     strategy:
       matrix:
-        flavor: [rocky, rocky-minimal, fedora]
+        flavor: [rocky, rocky-minimal]
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

.github/workflows/build-and-scan.yaml

@@ -0,0 +1,61 @@
+name: build-and-scan
+
+on:
+  workflow_dispatch:
+  push:
+
+env:
+  REGISTRY_USER: aborys
+  IMAGE_REGISTRY: docker.io
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  build:
+    strategy:
+      matrix:
+        flavor: [rocky, rocky-minimal]
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Build ${{ matrix.flavor }} image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: podman-builder
+          tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }}
+          containerfiles: |
+            ./Containerfile.${{ matrix.flavor }}
+          platforms: linux/amd64, linux/arm64
+
+      - name: Save image to file
+        run: podman save podman-builder:latest-${{ matrix.flavor }} -o ./image
+
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          file: ./image
+          format: spdx-json
+          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
+
+      - name: Scan SBOM
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          sbom: "${{ github.event.repository.name }}-${{ matrix.flavor }}-sbom.spdx.json"
+          fail-build: false
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

Containerfile.rocky

@@ -2,17 +2,10 @@
 # * https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile
 # * https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
 
-# FROM registry.fedoraproject.org/fedora:latest
 FROM rockylinux:9
 
-# label "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"
+LABEL "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"
 
-# Don't include container-selinux and remove
-# directories used by dnf that are just taking
-# up space.
-# TODO: rpm --setcaps... needed due to Fedora (base) image builds
-#       being (maybe still?) affected by
-#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
   rpm --setcaps shadow-utils 2>/dev/null && \
   dnf -y install buildah fuse-overlayfs podman nodejs git --exclude container-selinux && \
@@ -27,7 +20,7 @@ RUN useradd build && \
   mkdir -p /home/build/.config/containers && \
   chown -R build:build /home/build
 
-ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable"
+ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman"
 ADD $_REPO_URL/containers.conf /etc/containers/containers.conf
 ADD --chown=build:build $_REPO_URL/podman-containers.conf /home/build/.config/containers/containers.conf
 

Containerfile.rocky-minimal

@@ -5,14 +5,8 @@
 # FROM registry.fedoraproject.org/fedora:latest
 FROM rockylinux:9-minimal
 
-# label "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"
+LABEL "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"
 
-# Don't include container-selinux and remove
-# directories used by dnf that are just taking
-# up space.
-# TODO: rpm --setcaps... needed due to Fedora (base) image builds
-#       being (maybe still?) affected by
-#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN printf "[main]\nexcludepkgs=container-selinux" > /etc/dnf/dnf.conf && \
   microdnf -y update && \
   rpm --setcaps shadow-utils 2>/dev/null && \
@@ -28,7 +22,7 @@ RUN useradd build && \
   mkdir -p /home/build/.config/containers && \
   chown -R build:build /home/build
 
-ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable"
+ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman"
 ADD $_REPO_URL/containers.conf /etc/containers/containers.conf
 ADD --chown=build:build $_REPO_URL/podman-containers.conf /home/build/.config/containers/containers.conf
 

README.md

@@ -5,14 +5,13 @@ I couldn't find any existing image from trusted entities, which has both podman
 
 The image is based on official podman and buildah images:
 
-- https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile
-- https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
+- https://github.com/containers/image_build/tree/main/podman
+- https://github.com/containers/image_build/tree/main/buildah
 
-There are three flavors of the image, depending on the base image:
+There are two flavors of the image, depending on the base image:
 
 - `rocky` - based on `rocky:9` image. I recommend using this as a base image if you want to add more tools to it
 - `rocky-minimal` - based on `rocky:9-minimal`. I recommend using this image for running the jobs requiring only nodejs, podman and buildah. Rocky minimal images contain `microdnf` instead of `dnf`, and you may encounter issues with that.
-- `fedora` - based on `fedora:39`, same as the original podman and buildah images. Size of this image is a lot bigger than Rocky based images. It takes a long time to build it for `arm64` on QEMU, so I may decide to remove it or provide only `amd64` variant.
 
 There are three tag variants:
 
@@ -45,7 +44,6 @@ runner:
   labels:
     - rocky-minimal:docker://aborys/podman-builder:latest-rocky-minimal
     - rocky:docker://aborys/podman-builder:latest-rocky
-    - fedora:docker://aborys/podman-builder:latest-fedora
 
 container:
   options: --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw

example/config.yaml

@@ -1,95 +1,37 @@
-# Example configuration file, it's safe to copy this as the default config file without any modification.
-
-# You don't have to copy this file to your instance,
-# just run `./act_runner generate-config > config.yaml` to generate a config file.
-
 log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
   level: info
 
 runner:
-  # Where to store the registration result.
   file: .runner
-  # Execute how many tasks concurrently at the same time.
   capacity: 2
-  # Extra environment variables to run jobs.
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
   env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
   timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
   insecure: false
-  # The timeout for fetching the job from the Gitea instance.
   fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
   fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `deamon`, will use labels in `.runner` file.
   labels:
-    - ubuntu-latest:docker://node:16-bullseye
-    - ubuntu-22.04:docker://node:16-bullseye
-    - ubuntu-20.04:docker://node:16-bullseye
-    - ubuntu-18.04:docker://node:16-buster
+    - ubuntu-latest:docker://gitea/runner-images:ubuntu-latest
+    - ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04
+    - ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04
     - rocky-minimal:docker://aborys/podman-builder:latest-rocky-minimal
     - rocky:docker://aborys/podman-builder:latest-rocky
-    - fedora:docker://aborys/podman-builder:latest-fedora
 
 cache:
-  # Enable cache server to use actions/cache.
   enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
   dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
   host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
   port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
   external_server: ""
 
 container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
   network: ""
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
   privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
   options: --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
   workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
   valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
   docker_host: ""
-  # Pull docker image(s) even if already present
   force_pull: false
-  # Rebuild docker image(s) even if already present
   force_rebuild: false
 
 host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
   workdir_parent: