
staged-images: Add chunkah-staged bootc base image builds#152

Open
cgwalters wants to merge 1 commit intobootc-dev:mainfrom
cgwalters:chunkah-images

Conversation

@cgwalters
Contributor

Add infrastructure to build rechunked bootc base images using chunkah. These 'staged' images mirror upstream fedora-bootc and centos-bootc, strip /sysroot (ostree data), and rechunk with content-based layers for optimal layer reuse across updates.

Source images are pinned by @sha256 digest for reproducibility, with a Renovate custom regex manager to automatically bump digests when upstream tags are updated.

Target images:

  • ghcr.io/bootc-dev/fedora-bootc-staged:43
  • ghcr.io/bootc-dev/fedora-bootc-staged:44
  • ghcr.io/bootc-dev/centos-bootc-staged:stream10

Closes: #151

Assisted-by: OpenCode (Claude Opus 4)


@gemini-code-assist bot left a comment


Code Review

This pull request introduces a workflow for rechunking bootc base images using the chunkah tool and updates the Renovate configuration to support container image digest pinning in YAML files. Feedback highlights several architectural concerns in the new Containerfile, including the use of non-portable Podman-specific features like oci-archive, the lack of reproducibility due to using the :latest tag for build tools, and a dependency on external, gitignored configuration files. Additionally, a more robust regex for the Renovate custom manager was suggested to better handle varied YAML syntax and optional parameters.

--label ostree.final-diffid- \
> /run/src/out.ociarchive

FROM oci-archive:out.ociarchive

high

The use of FROM oci-archive:out.ociarchive combined with a writable bind mount in a previous stage (line 23) is a highly non-standard and non-portable pattern.

Issues with this approach:

  1. Portability: FROM oci-archive is a Podman/Buildah specific extension and will fail on standard Docker/BuildKit builders.
  2. Side-effects: The build process modifies the host's source directory during execution. This can lead to permission issues in CI or leave 'dirty' files if the build fails.
  3. Build Logic: This relies on --skip-unused-stages=false because the final stage doesn't have a formal dependency (like COPY --from) on the chunkah stage. Most CI environments default to skipping unused stages.

Consider if chunkah can be invoked as part of a CI pipeline script that then passes the resulting archive to a standard build, or if the rechunked content can be extracted and used via COPY --from.

"customType": "regex",
"managerFilePatterns": ["**/*.yml", "**/*.yaml"],
"matchStrings": [
"# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)\\n\\s*\\w+:\\s*\\S+:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
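Review bot: the `currentDigest` capture `sha256:[a-f0-9]+` in this matchString accepts any run of hex, so a truncated or hand-edited digest in the YAML still counts as a valid pin and is carried forward. Tighten it to `sha256:[a-f0-9]{64}`, the only shape a sha256 digest has, so a malformed pin simply fails to match and gets noticed instead of being silently accepted.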

medium

The regex for container image digest pinning could be more robust. Specifically:

  1. It doesn't allow for an optional versioning= parameter in the Renovate comment, which is useful for pinning tags (e.g., staying on Fedora 43) while still updating digests.
  2. It doesn't handle optional quotes around the image string in YAML.
  3. It assumes the YAML key only contains word characters, but keys like base-image: are common.

Adding these would make the manager more flexible across different YAML structures.

Suggested change
"# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)\\n\\s*\\w+:\\s*\\S+:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
"# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)(?: versioning=(?<versioning>[^\\s]+))?\\n\\s*[\\w-]+:\\s*[\"']?\\S+:(?<currentValue>[^@\\s\"']+)@(?<currentDigest>sha256:[a-f0-9]+)[\"']?"
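As an added example (not code from this PR, from bootc or from Renovate), the original and suggested matchStrings above can be exercised in Node, which is what Renovate itself runs on, against a few constructed YAML lines to see which image pins each one extracts. It goes one step beyond the review comment by also checking that every captured digest has the 64 hex characters a sha256 digest must have, since both patterns accept any length. The image names and digests are placeholders, not digests of any published image.

```javascript
// Added example, not code from the PR: run Renovate's custom regex manager
// patterns over constructed YAML and compare what the original and the
// suggested matchStrings extract. Renovate runs on Node, so RegExp behaves
// here exactly as it does inside Renovate.

// The two manager fragments, copied verbatim from the review thread. String.raw
// keeps the JSON escaping intact; JSON.parse undoes it the same way Renovate does.
const ORIGINAL_FRAGMENT = String.raw`{
  "customType": "regex",
  "managerFilePatterns": ["**/*.yml", "**/*.yaml"],
  "matchStrings": [
    "# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)\\n\\s*\\w+:\\s*\\S+:(?<currentValue>[^@\\s]+)@(?<currentDigest>sha256:[a-f0-9]+)"
  ]
}`;

const SUGGESTED_FRAGMENT = String.raw`{
  "customType": "regex",
  "managerFilePatterns": ["**/*.yml", "**/*.yaml"],
  "matchStrings": [
    "# renovate: datasource=(?<datasource>docker) depName=(?<depName>[^\\s]+)(?: versioning=(?<versioning>[^\\s]+))?\\n\\s*[\\w-]+:\\s*[\"']?\\S+:(?<currentValue>[^@\\s\"']+)@(?<currentDigest>sha256:[a-f0-9]+)[\"']?"
  ]
}`;

// Run every matchString of a fragment over a file body and collect the named
// captures, which is the information Renovate turns into dependency updates.
function extractDeps(fragmentJson, fileBody) {
  const { matchStrings } = JSON.parse(fragmentJson);
  const deps = [];
  for (const pattern of matchStrings) {
    for (const match of fileBody.matchAll(new RegExp(pattern, "g"))) {
      deps.push({ ...match.groups });
    }
  }
  return deps;
}

// Both patterns accept any run of hex after "sha256:". A real digest is exactly
// 64 hex characters, so validate the capture before trusting the pin.
function malformedDigests(deps) {
  return deps
    .filter((d) => !/^sha256:[a-f0-9]{64}$/.test(d.currentDigest))
    .map((d) => d.depName);
}

// Constructed inputs: placeholder registry, image names and digests.
const FULL_DIGEST = "sha256:" + "ab".repeat(32);
const SHORT_DIGEST = "sha256:abcd";
const SAMPLE_YAML = [
  "# renovate: datasource=docker depName=registry.example/fedora-bootc",
  `image: registry.example/fedora-bootc:43@${FULL_DIGEST}`,
  "# renovate: datasource=docker depName=registry.example/centos-bootc versioning=docker",
  `base-image: "registry.example/centos-bootc:stream10@${FULL_DIGEST}"`,
  "# renovate: datasource=docker depName=registry.example/truncated",
  `image: registry.example/truncated:1@${SHORT_DIGEST}`,
  "image: registry.example/unpinned:latest",
].join("\n");

// Summarise what each pattern pins: the original misses the quoted base-image
// entry with a versioning= parameter; the suggested one catches all three
// annotated lines, and the digest check then flags the truncated pin.
function demo() {
  const original = extractDeps(ORIGINAL_FRAGMENT, SAMPLE_YAML);
  const suggested = extractDeps(SUGGESTED_FRAGMENT, SAMPLE_YAML);
  return {
    originalDepNames: original.map((d) => d.depName),
    suggestedDepNames: suggested.map((d) => d.depName),
    suggestedVersioning: suggested.map((d) => d.versioning ?? null),
    malformed: malformedDigests(suggested),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unannotated `unpinned:latest` line is matched by neither pattern, which is the intended gating: only lines preceded by a `# renovate:` comment are managed, so an image that should be pinned but lacks the comment is never updated and needs a separate lint to catch.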

# -f Containerfile.staged .

ARG SOURCE_IMAGE
ARG CHUNKAH=quay.io/jlebon/chunkah:latest

medium

Using the :latest tag for the CHUNKAH build tool reduces build reproducibility. It is recommended to pin this to a specific version or, ideally, a SHA256 digest, especially since this repository emphasizes reproducibility for source images.

RUN --mount=type=bind,target=/run/src,rw \
--mount=from=source,target=/chunkah,ro \
chunkah build \
--config /run/src/source-config.json \

medium

The build process depends on an external source-config.json file (generated via podman inspect) which is gitignored and not produced within the Containerfile. This makes the build non-self-contained and requires manual steps or external orchestration to prepare the build context. Consider if this configuration can be derived dynamically during the build or passed as a build argument/secret.


Development

Successfully merging this pull request may close these issues.

generate chunkah-prep'd images here
