ci: Work around broken grub2-2.12-47 in CentOS Stream 10 compose

jmarrero · jmarrero · commit 16c3759482be · 2026-06-05T12:05:23.000-04:00
The CentOS Stream 10 compose updated grub2 from 2.12-45 to 2.12-47
on 2026-06-03. The new version installs successfully but produces a
bootloader that fails to boot (VM stays frozen at ~5s CPU time while
2.12-45 boots normally).

Add BOOTC_COMPOSE_EXCLUDE support to enable-compose-repos, allowing
specific packages to be excluded from the compose repos so they fall
back to the base image version. Plumb it through the Dockerfile and
Justfile, and set it in CI to exclude grub2* until CentOS ships a fix.

Signed-off-by: Joseph Marrero Corchado &lt;jmarrero@redhat.com&gt;
Assisted-by: OpenCode (Claude Opus 4.6)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,6 +23,10 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  # Workaround: CentOS Stream 10 compose ships grub2-2.12-47 which fails to boot.
+  # Exclude it so builds fall back to the base image's grub2-2.12-45.
+  # TODO: Remove once CentOS ships a fixed grub2 build.
+  BOOTC_COMPOSE_EXCLUDE: "grub2*"
   # Something seems to be setting this in the default GHA runners, which breaks bcvk
   # as the default runner user doesn't have access
   LIBVIRT_DEFAULT_URI: "qemu:///session"
diff --git a/Dockerfile b/Dockerfile
@@ -48,9 +48,11 @@ RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=c
 FROM $base as target-base
 # Handle version skew between base image and mirrors for CentOS Stream
 # xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
+# BOOTC_COMPOSE_EXCLUDE: exclude broken packages from compose repos (e.g. "grub2*")
+ARG BOOTC_COMPOSE_EXCLUDE=""
 RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
-    /run/packaging/enable-compose-repos
+    BOOTC_COMPOSE_EXCLUDE="${BOOTC_COMPOSE_EXCLUDE}" /run/packaging/enable-compose-repos
 RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
 
 FROM scratch as fetch
diff --git a/Justfile b/Justfile
@@ -54,6 +54,8 @@ buildroot_base := env("BOOTC_buildroot_base", "quay.io/centos/centos:stream10")
 extra_src := env("BOOTC_extra_src", "")
 # Set to "1" to disable auto-detection of local Rust dependencies
 no_auto_local_deps := env("BOOTC_no_auto_local_deps", "")
+# Exclude specific packages from CentOS compose repos (e.g. "grub2*" to work around broken composes)
+compose_exclude := env("BOOTC_COMPOSE_EXCLUDE", "")
 
 # Internal variables
 nocache := env("BOOTC_nocache", "")
@@ -72,7 +74,8 @@ base_buildargs := generic_buildargs + " " + _extra_src_args \
                   + " --build-arg=boot_type=" + boot_type \
                   + " --build-arg=seal_state=" + seal_state \
                   + " --build-arg=filesystem=" + filesystem \
-                  + " --build-arg=baseconfigs=" + baseconfigs
+                  + " --build-arg=baseconfigs=" + baseconfigs \
+                  + " --build-arg=BOOTC_COMPOSE_EXCLUDE=" + compose_exclude
 buildargs := base_buildargs \
              + " --cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse" \
              + " --secret=id=secureboot_key,src=target/test-secureboot/db.key --secret=id=secureboot_cert,src=target/test-secureboot/db.crt"
diff --git a/contrib/packaging/enable-compose-repos b/contrib/packaging/enable-compose-repos
@@ -19,6 +19,16 @@ case "${ID}" in
       exit 1
     fi
 
+    # BOOTC_COMPOSE_EXCLUDE: space-separated list of package globs to exclude
+    # from the compose repos. Useful when a compose ships a broken package
+    # (e.g. grub2) that needs to fall back to the base image version.
+    compose_exclude="${BOOTC_COMPOSE_EXCLUDE:-}"
+    exclude_line=""
+    if [[ -n "${compose_exclude}" ]]; then
+      exclude_line="exclude=${compose_exclude}"
+      echo "Excluding from compose repos: ${compose_exclude}"
+    fi
+
     cat > /etc/yum.repos.d/centos-compose.repo << EOF
 [compose-baseos]
 name=CentOS Stream \$releasever Compose BaseOS
@@ -27,6 +37,7 @@ gpgcheck=1
 enabled=1
 priority=1
 gpgkey=${gpgkey}
+${exclude_line}
 
 [compose-appstream]
 name=CentOS Stream \$releasever Compose AppStream
@@ -35,6 +46,7 @@ gpgcheck=1
 enabled=1
 priority=1
 gpgkey=${gpgkey}
+${exclude_line}
 EOF
     echo "Enabled CentOS Stream compose repos (gpgkey: ${gpgkey})"
     ;;
