Fedora 44

.github/workflows/build-hypervisor.yml

@@ -20,16 +20,41 @@ on:
           - 'nvidia'
           - 'nvidia-negativo17'
           - 'nvidia-rpmfusion'
+      versions_override:
+        description: 'JSON array of Fedora versions to build, e.g. [44] (empty = use fedora-versions.yml)'
+        required: false
+        default: ''
+        type: string
 
 concurrency:
   group: build-hypervisor-${{ github.ref }}
   cancel-in-progress: false
 
-env:
-  RECHUNKER_IMAGE: quay.io/fedora/fedora-bootc:43
-
 jobs:
+  setup:
+    runs-on: ubuntu-24.04
+    outputs:
+      versions: ${{ steps.r.outputs.versions }}
+      stable: ${{ steps.r.outputs.stable }}
+      rechunker: ${{ steps.r.outputs.rechunker }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: r
+        run: |
+          curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 \
+            -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+          if [ -n "${{ inputs.versions_override }}" ]; then
+            echo "versions=${{ inputs.versions_override }}"
+          else
+            echo "versions=$(yq -o=json -I=0 '.supported' fedora-versions.yml)"
+          fi >> "$GITHUB_OUTPUT"
+          {
+            echo "stable=$(yq '.stable' fedora-versions.yml)"
+            echo "rechunker=$(yq '.rechunker' fedora-versions.yml)"
+          } >> "$GITHUB_OUTPUT"
+
   build-base:
+    needs: setup
     # Skip if upstream minimal build failed; allow all other triggers.
     if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
     runs-on: ubuntu-24.04
@@ -38,6 +63,10 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        fedora_version: ${{ fromJson(needs.setup.outputs.versions) }}
     outputs:
       tag: ${{ steps.params.outputs.tag }}
       owner: ${{ steps.params.outputs.owner }}
@@ -103,23 +132,27 @@ jobs:
 
       - name: Build base hypervisor
         env:
-          TAG: ${{ steps.params.outputs.tag }}
+          VERSION: ${{ matrix.fedora_version }}
+          OWNER: ${{ steps.params.outputs.owner }}
         run: |
           sudo podman build \
             --pull=always \
             --security-opt=label=disable \
             --security-opt=seccomp=unconfined \
             --cap-add=all \
             --ipc=host \
+            --build-arg BASE_IMAGE=ghcr.io/${OWNER}/fedora-bootc-minimal:${VERSION} \
             -f hypervisor.Containerfile \
             -t localhost/hypervisor-bootc:build \
             .
 
       - name: Rechunk base image
+        env:
+          RECHUNKER: ${{ needs.setup.outputs.rechunker }}
         run: |
           sudo podman run --rm --privileged \
             -v /var/lib/containers:/var/lib/containers \
-            "${RECHUNKER_IMAGE}" \
+            quay.io/fedora/fedora-bootc:${RECHUNKER} \
             /usr/libexec/bootc-base-imagectl rechunk \
             localhost/hypervisor-bootc:build \
             localhost/hypervisor-bootc:rechunked
@@ -128,12 +161,22 @@ jobs:
         id: push_base
         env:
           IMAGE_BASE: ${{ steps.params.outputs.image_base }}
+          VERSION: ${{ matrix.fedora_version }}
           TAG: ${{ steps.params.outputs.tag }}
+          STABLE: ${{ needs.setup.outputs.stable }}
         run: |
-          sudo podman tag localhost/hypervisor-bootc:rechunked "${IMAGE_BASE}:${TAG}"
-          sudo podman push --digestfile /tmp/digest.txt "${IMAGE_BASE}:${TAG}"
-          sudo podman tag localhost/hypervisor-bootc:rechunked "${IMAGE_BASE}:latest"
-          sudo podman push "${IMAGE_BASE}:latest"
+          VERSIONED="${VERSION}-${TAG}"
+          FLOATING="${VERSION}"
+
+          sudo podman tag localhost/hypervisor-bootc:rechunked "${IMAGE_BASE}:${VERSIONED}"
+          sudo podman push --digestfile /tmp/digest.txt "${IMAGE_BASE}:${VERSIONED}"
+          sudo podman tag localhost/hypervisor-bootc:rechunked "${IMAGE_BASE}:${FLOATING}"
+          sudo podman push "${IMAGE_BASE}:${FLOATING}"
+          if [ "${VERSION}" = "${STABLE}" ]; then
+            sudo podman tag localhost/hypervisor-bootc:rechunked "${IMAGE_BASE}:latest"
+            sudo podman push "${IMAGE_BASE}:latest"
+          fi
+
           echo "digest=$(cat /tmp/digest.txt)" >> "$GITHUB_OUTPUT"
 
       - name: Sign base
@@ -147,17 +190,22 @@ jobs:
       - name: Summary
         env:
           IMAGE_BASE: ${{ steps.params.outputs.image_base }}
+          VERSION: ${{ matrix.fedora_version }}
           TAG: ${{ steps.params.outputs.tag }}
+          STABLE: ${{ needs.setup.outputs.stable }}
         run: |
           {
-            echo "## Base hypervisor build complete"
+            echo "## Base hypervisor build complete (F${VERSION})"
             echo ""
-            echo "- \`${IMAGE_BASE}:${TAG}\`"
-            echo "- \`${IMAGE_BASE}:latest\`"
+            echo "- \`${IMAGE_BASE}:${VERSION}-${TAG}\`"
+            echo "- \`${IMAGE_BASE}:${VERSION}\`"
+            if [ "${VERSION}" = "${STABLE}" ]; then
+              echo "- \`${IMAGE_BASE}:latest\`"
+            fi
           } >> "$GITHUB_STEP_SUMMARY"
 
   build-variant:
-    needs: build-base
+    needs: [setup, build-base]
     runs-on: ubuntu-24.04
     timeout-minutes: 120
     permissions:
@@ -172,18 +220,19 @@ jobs:
           - name: amd
             image: hypervisor-amd
             containerfile: hypervisor-amd.Containerfile
-            versioned_tag_prefix: ''
-            floating_tag: latest
+            prefix: ''
+            floating: ''
           - name: nvidia-negativo17
             image: hypervisor-nvidia
             containerfile: hypervisor-nvidia-negativo17.Containerfile
-            versioned_tag_prefix: 'negativo17-'
-            floating_tag: negativo17
+            prefix: 'negativo17-'
+            floating: 'negativo17'
           - name: nvidia-rpmfusion
             image: hypervisor-nvidia
             containerfile: hypervisor-nvidia-rpmfusion.Containerfile
-            versioned_tag_prefix: 'rpmfusion-'
-            floating_tag: rpmfusion
+            prefix: 'rpmfusion-'
+            floating: 'rpmfusion'
+        fedora_version: ${{ fromJson(needs.setup.outputs.versions) }}
 
     steps:
       - name: Decide whether to build this variant
@@ -264,13 +313,16 @@ jobs:
         env:
           IMAGE: ${{ matrix.variant.image }}
           CONTAINERFILE: ${{ matrix.variant.containerfile }}
+          VERSION: ${{ matrix.fedora_version }}
+          OWNER: ${{ needs.build-base.outputs.owner }}
         run: |
           sudo podman build \
             --pull=always \
             --security-opt=label=disable \
             --security-opt=seccomp=unconfined \
             --cap-add=all \
             --ipc=host \
+            --build-arg BASE=ghcr.io/${OWNER}/hypervisor-bootc:${VERSION} \
             -f "${CONTAINERFILE}" \
             -t "localhost/${IMAGE}:build" \
             .
@@ -279,10 +331,11 @@ jobs:
         if: steps.gate.outputs.build == 'true'
         env:
           IMAGE: ${{ matrix.variant.image }}
+          RECHUNKER: ${{ needs.setup.outputs.rechunker }}
         run: |
           sudo podman run --rm --privileged \
             -v /var/lib/containers:/var/lib/containers \
-            "${RECHUNKER_IMAGE}" \
+            quay.io/fedora/fedora-bootc:${RECHUNKER} \
             /usr/libexec/bootc-base-imagectl rechunk \
             "localhost/${IMAGE}:build" \
             "localhost/${IMAGE}:rechunked"
@@ -294,20 +347,30 @@ jobs:
           OWNER: ${{ needs.build-base.outputs.owner }}
           BASE_TAG: ${{ needs.build-base.outputs.tag }}
           IMAGE: ${{ matrix.variant.image }}
-          PREFIX: ${{ matrix.variant.versioned_tag_prefix }}
-          FLOATING: ${{ matrix.variant.floating_tag }}
+          PREFIX: ${{ matrix.variant.prefix }}
+          FLOATING: ${{ matrix.variant.floating }}
+          VERSION: ${{ matrix.fedora_version }}
+          STABLE: ${{ needs.setup.outputs.stable }}
         run: |
           IMAGE_BASE="ghcr.io/${OWNER}/${IMAGE}"
-          VERSIONED_TAG="${PREFIX}${BASE_TAG}"
-
-          sudo podman tag "localhost/${IMAGE}:rechunked" "${IMAGE_BASE}:${VERSIONED_TAG}"
-          sudo podman push --digestfile /tmp/digest.txt "${IMAGE_BASE}:${VERSIONED_TAG}"
-          sudo podman tag "localhost/${IMAGE}:rechunked" "${IMAGE_BASE}:${FLOATING}"
-          sudo podman push "${IMAGE_BASE}:${FLOATING}"
+          VERSIONED="${PREFIX}${VERSION}-${BASE_TAG}"
+          FLOATING_TAG="${PREFIX}${VERSION}"
+
+          sudo podman tag "localhost/${IMAGE}:rechunked" "${IMAGE_BASE}:${VERSIONED}"
+          sudo podman push --digestfile /tmp/digest.txt "${IMAGE_BASE}:${VERSIONED}"
+          sudo podman tag "localhost/${IMAGE}:rechunked" "${IMAGE_BASE}:${FLOATING_TAG}"
+          sudo podman push "${IMAGE_BASE}:${FLOATING_TAG}"
+
+          if [ "${VERSION}" = "${STABLE}" ]; then
+            STABLE_FLOATING="${FLOATING:-latest}"
+            sudo podman tag "localhost/${IMAGE}:rechunked" "${IMAGE_BASE}:${STABLE_FLOATING}"
+            sudo podman push "${IMAGE_BASE}:${STABLE_FLOATING}"
+          fi
 
           {
             echo "image_base=${IMAGE_BASE}"
-            echo "versioned_tag=${VERSIONED_TAG}"
+            echo "versioned_tag=${VERSIONED}"
+            echo "floating_tag=${FLOATING_TAG}"
             echo "digest=$(cat /tmp/digest.txt)"
           } >> "$GITHUB_OUTPUT"
 
@@ -326,11 +389,11 @@ jobs:
           NAME: ${{ matrix.variant.name }}
           IMAGE_BASE: ${{ steps.push.outputs.image_base }}
           VERSIONED_TAG: ${{ steps.push.outputs.versioned_tag }}
-          FLOATING: ${{ matrix.variant.floating_tag }}
+          FLOATING_TAG: ${{ steps.push.outputs.floating_tag }}
         run: |
           {
-            echo "## Variant ${NAME} complete"
+            echo "## Variant ${NAME} (F${{ matrix.fedora_version }}) complete"
             echo ""
             echo "- \`${IMAGE_BASE}:${VERSIONED_TAG}\`"
-            echo "- \`${IMAGE_BASE}:${FLOATING}\`"
+            echo "- \`${IMAGE_BASE}:${FLOATING_TAG}\`"
           } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/build-minimal-bootc.yml

@@ -3,15 +3,11 @@ name: Build Fedora Minimal Bootc
 on:
   workflow_dispatch:
     inputs:
-      fedora_version:
-        description: 'Fedora version to build'
-        required: true
-        default: '43'
-        type: choice
-        options:
-          - '43'
-          - '44'
-          - 'rawhide'
+      versions_override:
+        description: 'JSON array of Fedora versions to build, e.g. [44] (empty = use fedora-versions.yml)'
+        required: false
+        default: ''
+        type: string
 
   schedule:
     - cron: '0 2 * * 6'
@@ -23,23 +19,50 @@ on:
       - 'policy-minimal.json.template'
       - 'cosign.pub'
       - '.github/workflows/build-minimal-bootc.yml'
+      - 'fedora-versions.yml'
 
 concurrency:
   group: build-minimal-bootc-${{ github.ref }}
   cancel-in-progress: false
 
 env:
-  STABLE_FEDORA_VERSION: '43'
   IMAGE_NAME: fedora-bootc-minimal
 
 jobs:
+  setup:
+    runs-on: ubuntu-24.04
+    outputs:
+      versions: ${{ steps.r.outputs.versions }}
+      stable: ${{ steps.r.outputs.stable }}
+      rechunker: ${{ steps.r.outputs.rechunker }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: r
+        run: |
+          curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 \
+            -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+          if [ -n "${{ inputs.versions_override }}" ]; then
+            echo "versions=${{ inputs.versions_override }}"
+          else
+            echo "versions=$(yq -o=json -I=0 '.supported' fedora-versions.yml)"
+          fi >> "$GITHUB_OUTPUT"
+          {
+            echo "stable=$(yq '.stable' fedora-versions.yml)"
+            echo "rechunker=$(yq '.rechunker' fedora-versions.yml)"
+          } >> "$GITHUB_OUTPUT"
+
   build:
+    needs: setup
     runs-on: ubuntu-24.04
     timeout-minutes: 90
     permissions:
       contents: read
       packages: write
       id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        fedora_version: ${{ fromJson(needs.setup.outputs.versions) }}
 
     steps:
       - name: Checkout repository
@@ -48,14 +71,11 @@ jobs:
       - name: Resolve build parameters
         id: params
         env:
-          INPUT_VERSION: ${{ inputs.fedora_version }}
           OWNER_RAW: ${{ github.repository_owner }}
         run: |
-          VERSION="${INPUT_VERSION:-${STABLE_FEDORA_VERSION}}"
           OWNER=$(echo "$OWNER_RAW" | tr '[:upper:]' '[:lower:]')
           TAG=$(date +%Y%m%d-%H%M)
           {
-            echo "version=${VERSION}"
             echo "owner=${OWNER}"
             echo "tag=${TAG}"
             echo "image_base=ghcr.io/${OWNER}/${IMAGE_NAME}"
@@ -87,7 +107,7 @@ jobs:
 
       - name: Build minimal bootc image
         env:
-          VERSION: ${{ steps.params.outputs.version }}
+          VERSION: ${{ matrix.fedora_version }}
           TAG: ${{ steps.params.outputs.tag }}
         run: |
           sudo podman build \
@@ -104,11 +124,11 @@ jobs:
 
       - name: Rechunk image
         env:
-          VERSION: ${{ steps.params.outputs.version }}
+          RECHUNKER: ${{ needs.setup.outputs.rechunker }}
         run: |
           sudo podman run --rm --privileged \
             -v /var/lib/containers:/var/lib/containers \
-            quay.io/fedora/fedora-bootc:${VERSION} \
+            quay.io/fedora/fedora-bootc:${RECHUNKER} \
             /usr/libexec/bootc-base-imagectl rechunk \
             localhost/${IMAGE_NAME}:build \
             localhost/${IMAGE_NAME}:rechunked
@@ -125,11 +145,12 @@ jobs:
         id: push
         env:
           IMAGE_BASE: ${{ steps.params.outputs.image_base }}
-          VERSION: ${{ steps.params.outputs.version }}
+          VERSION: ${{ matrix.fedora_version }}
           TAG: ${{ steps.params.outputs.tag }}
+          STABLE: ${{ needs.setup.outputs.stable }}
         run: |
           TAGS=("${VERSION}-${TAG}" "${VERSION}")
-          if [ "${VERSION}" = "${STABLE_FEDORA_VERSION}" ]; then
+          if [ "${VERSION}" = "${STABLE}" ]; then
             TAGS+=("latest")
           fi
 
@@ -164,7 +185,7 @@ jobs:
           TAGS: ${{ steps.push.outputs.tags }}
         run: |
           {
-            echo "## Minimal bootc build complete"
+            echo "## Minimal bootc build complete (F${{ matrix.fedora_version }})"
             echo ""
             echo "Pushed and signed:"
             for t in $TAGS; do