Build with buildah+vfs+chroot to bypass runner sandbox

2026-05-10 01:42:53 +04:00 · 2026-05-10 01:42:53 +04:00 · 5df0d94d92
parent dfbe598bc3
commit 5df0d94d92
1 changed files with 19 additions and 5 deletions
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -106,6 +106,11 @@ jobs:
          cosign version
          jq --version

+      # Build with buildah + vfs + chroot isolation. This combo avoids:
+      #   - user namespaces (which need newuidmap and aren't always allowed)
+      #   - overlay mounts (which need mount propagation)
+      #   - clone() with CLONE_NEW* flags (which seccomp may block)
+      # Run with sudo so we already have full caps and don't need to unshare.
      - name: Build image
        id: build
        shell: bash
@ -113,11 +118,16 @@ jobs:
          IMAGE_REF: ${{ steps.tags.outputs.image_ref }}
          DATE_TAG: ${{ steps.tags.outputs.date_tag }}
          SHA_TAG:  ${{ steps.tags.outputs.sha_tag }}
+          BUILDAH_ISOLATION: chroot
+          STORAGE_DRIVER: vfs
        run: |
          set -euxo pipefail
-          podman build \
+          sudo BUILDAH_ISOLATION=chroot STORAGE_DRIVER=vfs buildah \
+            --storage-driver=vfs \
+            bud \
+            --isolation=chroot \
            --platform=${{ matrix.platform }} \
-            --pull=newer \
+            --pull-always \
            --tag "${IMAGE_REF}:${DATE_TAG}" \
            --tag "${IMAGE_REF}:${SHA_TAG}" \
            $(for t in $IMAGE_TAGS; do echo --tag "${IMAGE_REF}:${t}"; done) \
@ -127,7 +137,7 @@ jobs:
        if: github.event_name != 'pull_request'
        shell: bash
        run: |
-          echo "${REGISTRY_TOKEN}" | podman login \
+          echo "${REGISTRY_TOKEN}" | sudo buildah --storage-driver=vfs login \
            --username "${REGISTRY_USER}" \
            --password-stdin \
            "${REGISTRY}"
@ -142,7 +152,7 @@ jobs:
        run: |
          set -euxo pipefail
          for tag in $DATE_TAG $SHA_TAG $IMAGE_TAGS; do
-            podman push "${IMAGE_REF}:${tag}"
+            sudo buildah --storage-driver=vfs push "${IMAGE_REF}:${tag}"
          done

      - name: Sign image with cosign
@ -155,7 +165,11 @@ jobs:
        run: |
          set -euxo pipefail
          for tag in $IMAGE_TAGS; do
-            DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://${IMAGE_REF}:${tag}")
+            # skopeo inspect against private registry needs creds
+            DIGEST=$(skopeo inspect \
+              --creds "${REGISTRY_USER}:${REGISTRY_TOKEN}" \
+              --format '{{.Digest}}' \
+              "docker://${IMAGE_REF}:${tag}")
            cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE_REF}@${DIGEST}"
          done