Add Debusine builder images

simonbeaudoin0935 · Copilot · simonbeaudoin0935 · commit 2a980f2a6649 · 2026-04-23T16:32:10.000-07:00
Create Debusine-oriented Debian builder images in qcom-build-utils and add a GHCR publishing workflow for them.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/qcom-debusine-container-build-and-upload.yml b/.github/workflows/qcom-debusine-container-build-and-upload.yml
@@ -0,0 +1,69 @@
+name: Debusine Container Build And Upload
+description: |
+  Builds and uploads to GHCR the Debian builder images used by the Debusine-based
+  reusable workflows. Images are built natively on an arm64 runner and published
+  on push, scheduled runs, and manual dispatches.
+
+on:
+  schedule:
+    - cron: '0 0 * * 1'
+
+  pull_request:
+    branches:
+      - main
+      - development
+    paths:
+      - '.github/workflows/qcom-debusine-container-build-and-upload.yml'
+      - 'Dockerfiles/debusine-builder/**'
+
+  push:
+    branches:
+      - main
+      - development
+    paths:
+      - '.github/workflows/qcom-debusine-container-build-and-upload.yml'
+      - 'Dockerfiles/debusine-builder/**'
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  QCOM_ORG_NAME: qualcomm-linux
+  IMAGE_NAME: debusine-pkg-builder
+
+jobs:
+  build-debian-arm64:
+    name: Build ${{ matrix.suite }} image
+    runs-on: ubuntu-24.04-arm
+    strategy:
+      fail-fast: false
+      matrix:
+        suite:
+          - trixie
+          - sid
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Build Debian image
+        run: |
+          docker build \
+            -t ghcr.io/${{ env.QCOM_ORG_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.suite }} \
+            -f Dockerfiles/debusine-builder/Dockerfile.${{ matrix.suite }} \
+            Dockerfiles/debusine-builder
+
+      - name: Log in to GHCR
+        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Debian image
+        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        run: docker push ghcr.io/${{ env.QCOM_ORG_NAME }}/${{ env.IMAGE_NAME }}:${{ matrix.suite }}
diff --git a/Dockerfiles/debusine-builder/Dockerfile.sid b/Dockerfiles/debusine-builder/Dockerfile.sid
@@ -0,0 +1,17 @@
+FROM debian:sid
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY base-packages.txt /tmp/base-packages.txt
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+        $(tr '\n' ' ' < /tmp/base-packages.txt) \
+        debusine-client \
+        python3-debusine && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/base-packages.txt
+
+WORKDIR /workspace
+
+CMD ["bash"]
diff --git a/Dockerfiles/debusine-builder/Dockerfile.trixie b/Dockerfiles/debusine-builder/Dockerfile.trixie
@@ -0,0 +1,18 @@
+FROM debian:trixie
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY base-packages.txt /tmp/base-packages.txt
+COPY trixie-backports.sources /etc/apt/sources.list.d/trixie-backports.sources
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+        $(tr '\n' ' ' < /tmp/base-packages.txt) \
+        debusine-client/trixie-backports \
+        python3-debusine/trixie-backports && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/base-packages.txt
+
+WORKDIR /workspace
+
+CMD ["bash"]
diff --git a/Dockerfiles/debusine-builder/base-packages.txt b/Dockerfiles/debusine-builder/base-packages.txt
@@ -0,0 +1,10 @@
+ca-certificates
+curl
+dctrl-tools
+devscripts
+dpkg-dev
+git
+git-buildpackage
+python3-tenacity
+python3-yaml
+yq
diff --git a/Dockerfiles/debusine-builder/trixie-backports.sources b/Dockerfiles/debusine-builder/trixie-backports.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://deb.debian.org/debian
+Suites: trixie-backports
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
diff --git a/README.md b/README.md
@@ -43,10 +43,13 @@ qcom-build-utils/
 │   │   └── push_to_repo/         # Publish packages to staging APT repo
 │   └── workflows/                # Reusable workflow definitions
 │       ├── qcom-build-pkg-reusable-workflow.yml
+│       ├── qcom-debusine-container-build-and-upload.yml
 │       ├── qcom-promote-upstream-reusable-workflow.yml
 │       ├── qcom-upstream-pr-pkg-build-reusable-workflow.yml
 │       ├── qcom-release-reusable-workflow.yml
 │       └── qcom-preflight-checks.yml
+├── Dockerfiles/
+│   └── debusine-builder/         # GHCR builder images for the Debusine workflow
 ├── scripts/                      # Python & shell build utilities
 │   ├── deb_abi_checker.py        # ABI comparison tool (libabigail)
 │   ├── ppa_interface.py          # APT repository interface
@@ -77,6 +80,12 @@ Package repositories call these workflows from their own `.github/workflows/` di
 | **qcom-release-reusable-workflow** | Triggers a formal release — finalizes the changelog, builds packages, uploads to S3, and notifies downstream consumers. |
 | **qcom-preflight-checks** | Security and quality gates — runs repolinter, semgrep, license checks, and dependency review. |
 
+## Builder Images
+
+`qcom-build-utils` also owns the Debian container images used by the Debusine-based
+build path. The image sources live under `Dockerfiles/debusine-builder/`, and the
+`qcom-debusine-container-build-and-upload.yml` workflow publishes them to GHCR.
+
 ## Composite Actions
 
 | Action | Description |
