staged-images: Add chunkah-staged bootc base image builds

Add infrastructure to build rechunked bootc base images using chunkah.
These 'staged' images mirror upstream fedora-bootc and centos-bootc,
strip /sysroot (ostree data), and rechunk with content-based layers
for optimal layer reuse across updates.

Source images are pinned by @sha256 digest for reproducibility, with
a Renovate custom regex manager to automatically bump digests when
upstream tags are updated.

Target images:
  - ghcr.io/bootc-dev/fedora-bootc-staged:43
  - ghcr.io/bootc-dev/fedora-bootc-staged:44
  - ghcr.io/bootc-dev/centos-bootc-staged:stream10

Closes: #151

Assisted-by: OpenCode (Claude Opus 4)

Author: cgwalters

.github/workflows/build-staged-images.yml

@@ -0,0 +1,92 @@
+name: Build chunkah-staged bootc base images
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'staged-images/**'
+      - '.github/workflows/build-staged-images.yml'
+  pull_request:
+    paths:
+      - 'staged-images/**'
+      - '.github/workflows/build-staged-images.yml'
+  schedule:
+    # Rebuild weekly to pick up upstream base image updates
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build-staged:
+    name: Build ${{ matrix.name }}:${{ matrix.tag }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: fedora-bootc-staged
+            tag: "43"
+            # renovate: datasource=docker depName=quay.io/fedora/fedora-bootc
+            source: quay.io/fedora/fedora-bootc:43@sha256:53829d163d685800b3223c216f0714d00051b8e585d2797defcfc4953dc120e5
+          - name: fedora-bootc-staged
+            tag: "44"
+            # renovate: datasource=docker depName=quay.io/fedora/fedora-bootc
+            source: quay.io/fedora/fedora-bootc:44@sha256:ce6d9786604260fc26adf1df50805b3b39e6c9bcb7f3f40411339e83c4a5d36a
+          - name: centos-bootc-staged
+            tag: stream9
+            # renovate: datasource=docker depName=quay.io/centos-bootc/centos-bootc
+            source: quay.io/centos-bootc/centos-bootc:stream9@sha256:70236424fb0ffb6a59e8e3d3cbc0df9f87bd3284ccbc70a93efd24da1e6544fb
+          - name: centos-bootc-staged
+            tag: stream10
+            # renovate: datasource=docker depName=quay.io/centos-bootc/centos-bootc
+            source: quay.io/centos-bootc/centos-bootc:stream10@sha256:d46e5198288642f45ce559f39be4ac6b34d1afe03c1d7836591b8a57655010c2
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v4
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull source image
+        run: podman pull ${{ matrix.source }}
+
+      - name: Write source image config to build context
+        working-directory: staged-images
+        run: podman inspect ${{ matrix.source }} > source-config.json
+
+      - name: Build staged image
+        working-directory: staged-images
+        run: |
+          buildah build --skip-unused-stages=false \
+            --build-arg SOURCE_IMAGE=${{ matrix.source }} \
+            --build-arg MAX_LAYERS=128 \
+            -f Containerfile.staged \
+            -t ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.name }}:${{ matrix.tag }} \
+            .
+
+      - name: Verify image
+        run: |
+          echo "=== Image labels ==="
+          podman inspect ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.name }}:${{ matrix.tag }} | jq '.[0].Config.Labels'
+          echo "=== Layer count ==="
+          podman inspect ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.name }}:${{ matrix.tag }} | jq '.[0].RootFS.Layers | length'
+
+      - name: Push staged image
+        if: github.event_name != 'pull_request'
+        run: |
+          podman push ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.name }}:${{ matrix.tag }}

renovate-shared-config.json

@@ -57,6 +57,17 @@
         "# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\n\\s*(?:export )?\\w*VERSION=(?<currentValue>v?\\S+)"
       ]
     },
+    // Container image digest pinning in YAML workflows
+    // Matches patterns like:
+    //   # renovate: datasource=docker depName=quay.io/fedora/fedora-bootc
+    //   source: quay.io/fedora/fedora-bootc:43@sha256:abc123...
+    {
+      "customType": "regex",
+      "managerFilePatterns": ["**/*.yml", "**/*.yaml"],
+      "matchStrings": [
+        "# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)\\n\\s*\\w+:\\s*\\S+:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
+      ]
+    },
     // Git refs (commit SHA) tracking in Justfiles and YAML workflows
     // Justfile example:
     //   # renovate: datasource=git-refs depName=https://github.com/org/repo branch=main
@@ -134,6 +145,22 @@
       "groupName": "Docker",
       "enabled": true
     },
+    // Group staged bootc base image digest updates separately
+    //
+    // These are the upstream source images for chunkah-staged builds.
+    // Digest updates trigger a rebuild of the staged images, so they
+    // get their own PR. Must come after the Docker group rule so it
+    // takes precedence (Renovate applies all matching rules in order,
+    // later rules win).
+    {
+      "description": ["Staged bootc base image digest updates"],
+      "matchManagers": ["custom.regex"],
+      "matchDepNames": [
+        "quay.io/fedora/fedora-bootc",
+        "quay.io/centos-bootc/centos-bootc"
+      ],
+      "groupName": "staged-images"
+    },
     // bcvk gets its own group so it isn't blocked by the weekly schedule
     // applied to other Docker group members. Without this, the Docker group
     // PR can only be created on Sundays (when all deps are in-schedule),

staged-images/.gitignore

@@ -0,0 +1,2 @@
+source-config.json
+out.ociarchive

staged-images/Containerfile.staged

@@ -0,0 +1,33 @@
+# Containerfile.staged — Rechunk a bootc base image with chunkah
+#
+# Takes an upstream bootc image (fedora-bootc or centos-bootc), strips
+# the /sysroot (ostree data), and rechunks using chunkah for optimal
+# layer reuse across updates. The result is a "staged" base image
+# suitable for use as a FROM base in bootc development.
+#
+# Usage:
+#   podman pull quay.io/fedora/fedora-bootc:44
+#   podman inspect quay.io/fedora/fedora-bootc:44 > source-config.json
+#   buildah build --skip-unused-stages=false \
+#     --build-arg SOURCE_IMAGE=quay.io/fedora/fedora-bootc:44 \
+#     -f Containerfile.staged .
+
+ARG SOURCE_IMAGE
+ARG CHUNKAH=quay.io/jlebon/chunkah:latest
+ARG MAX_LAYERS=128
+
+FROM ${SOURCE_IMAGE} AS source
+
+FROM ${CHUNKAH} AS chunkah
+ARG MAX_LAYERS
+RUN --mount=type=bind,target=/run/src,rw \
+    --mount=from=source,target=/chunkah,ro \
+      chunkah build \
+        --config /run/src/source-config.json \
+        --prune /sysroot/ \
+        --max-layers "${MAX_LAYERS}" \
+        --label ostree.commit- \
+        --label ostree.final-diffid- \
+        > /run/src/out.ociarchive
+
+FROM oci-archive:out.ociarchive