Run Debusine builds inside GHCR container

simonbeaudoin0935 · Copilot · simonbeaudoin0935 · commit 60e94d77b422 · 2026-04-23T16:49:08.000-07:00
Switch the reusable Debusine build workflow from Incus orchestration to a job-level container image, execute source package generation directly in the mounted workspace, and expand builder image coverage for bookworm and forky.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/qcom-build-pkg-reusable-workflow.yml b/.github/workflows/qcom-build-pkg-reusable-workflow.yml
@@ -60,6 +60,11 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/qualcomm-linux/debusine-pkg-builder:${{ inputs.suite == 'unstable' && 'sid' || inputs.suite }}
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
     outputs:
       workspace: ${{ steps.build.outputs.workspace }}
@@ -97,35 +102,23 @@ jobs:
         run: |
           set -ex
 
-          qcom-build-utils/scripts/ci/prepare-incus
-          qcom-build-utils/scripts/ci/prepare-debusine
-
           if [ "${{ inputs.release }}" = "true" ]; then
             echo "::group::Prepare release"
-            sudo apt-get install --update --no-install-recommends -y devscripts dpkg-dev git-buildpackage
             SUITE=${{ inputs.suite }} qcom-build-utils/scripts/ci/prepare-release
             echo "::endgroup::"
           fi
 
-          echo "::group::Generate source package"
-          sudo apt-get install --update --no-install-recommends -y devscripts dctrl-tools
           SUITE=${{ inputs.suite }} qcom-build-utils/scripts/ci/generate-source-package
-          # Push the files referenced by the source package Debusine imports
-          # (.dsc + orig tarball + Debian tarball), not just the .changes set.
-          dcmd sudo incus file push *.dsc debusine/root/
-          echo "::endgroup::"
-
-          sudo incus exec debusine env \
+          env \
             "GITHUB_REPOSITORY_ID=${{ github.repository_id }}" \
             "GITHUB_RUN_ID=${{ github.run_id }}" \
             "GITHUB_RUN_ATTEMPT=${{ github.run_attempt }}" \
             "DEBUSINE_HOST=${{ vars.DEBUSINE_HOST }}" \
             "DEBUSINE_SCOPE=${{ vars.DEBUSINE_SCOPE }}" \
-            "DEBUSINE_USER=${{ secrets.DEBUSINE_USER }}" \
             "DEBUSINE_TOKEN=${{ secrets.DEBUSINE_TOKEN }}" \
             "SUITE=${{ inputs.suite }}" \
-            lib/ci/build
-          sudo incus exec debusine cat output >> "$GITHUB_OUTPUT"
+            qcom-build-utils/scripts/ci/build
+          cat output >> "$GITHUB_OUTPUT"
 
 # Place this in the release workflow
 #      - name: Upload release bundle
diff --git a/.github/workflows/qcom-debusine-container-build-and-upload.yml b/.github/workflows/qcom-debusine-container-build-and-upload.yml
@@ -42,6 +42,8 @@ jobs:
       fail-fast: false
       matrix:
         suite:
+          - bookworm
+          - forky
           - trixie
           - sid
 
diff --git a/Dockerfiles/debusine-builder/Dockerfile.bookworm b/Dockerfiles/debusine-builder/Dockerfile.bookworm
@@ -0,0 +1,18 @@
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY base-packages.txt /tmp/base-packages.txt
+COPY bookworm-backports.sources /etc/apt/sources.list.d/bookworm-backports.sources
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+        $(tr '\n' ' ' < /tmp/base-packages.txt) \
+        debusine-client/bookworm-backports \
+        python3-debusine/bookworm-backports && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/base-packages.txt
+
+WORKDIR /workspace
+
+CMD ["bash"]
diff --git a/Dockerfiles/debusine-builder/Dockerfile.forky b/Dockerfiles/debusine-builder/Dockerfile.forky
@@ -0,0 +1,17 @@
+FROM debian:forky
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+COPY base-packages.txt /tmp/base-packages.txt
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+        $(tr '\n' ' ' < /tmp/base-packages.txt) \
+        debusine-client \
+        python3-debusine && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/base-packages.txt
+
+WORKDIR /workspace
+
+CMD ["bash"]
diff --git a/Dockerfiles/debusine-builder/bookworm-backports.sources b/Dockerfiles/debusine-builder/bookworm-backports.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://deb.debian.org/debian
+Suites: bookworm-backports
+Components: main
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
diff --git a/README.md b/README.md
@@ -141,9 +141,9 @@ See [pkg-example](https://github.com/qualcomm-linux/pkg-example) for a complete
 
 | Component | Details |
 |-----------|---------|
-| **Container images** | `ghcr.io/qualcomm-linux/pkg-builder:{arch}-{distro}` — pre-built for `arm64`/`amd64` across `noble`, `questing`, `resolute`, `trixie`, `sid` |
+| **Container images** | `ghcr.io/qualcomm-linux/debusine-pkg-builder:{suite}` for Debusine-based package workflow execution, with suites such as `bookworm`, `forky`, `trixie`, and `sid` |
 | **Staging APT repo** | [pkg-oss-staging-repo](https://github.com/qualcomm-linux/pkg-oss-staging-repo) served via GitHub Pages |
-| **Runners** | Self-hosted ARM64 runners (`lecore-prd-u2404-arm64-xlrg-od-ephem`) |
+| **Runners** | Standard GitHub-hosted runners (`ubuntu-latest`) for the Debusine build path; Debusine performs the actual package compilation remotely |
 | **Artifact storage** | S3 for release builds |
 
 ## Build & Utility Scripts
diff --git a/scripts/ci/build b/scripts/ci/build
@@ -4,10 +4,8 @@ set -o pipefail
 
 # Send a source package to Debusine for building and wait for build completion
 
-# Run inside the container created with `lib/ci/prepare-debusine`
-
 # Dependencies:
-#   `debusine` incus container (Debusine will be configured)
+#   debusine client packages available in the current execution environment
 
 # Inputs:
 #   GITHUB_REPOSITORY_ID
@@ -24,6 +22,8 @@ set -o pipefail
 
 echo "::group::Build in Debusine"
 
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+
 child_ci_suffix=gh-${GITHUB_REPOSITORY_ID}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}
 workspace="ci-${child_ci_suffix}"
 
@@ -41,7 +41,7 @@ EOF
 )
 
 workflow_id=$(echo "suffix: $child_ci_suffix"|debusine workflow start -w ci --yaml create-child-workspace|yq -r .id)
-lib/ci/poll_workflow.py "$workflow_id"
+"$script_dir/poll_workflow.py" "$workflow_id"
 debusine archive suite create --architecture all --architecture amd64 --architecture arm64 ${SUITE}
 debusine workflow-template create debian_pipeline debian-pipeline <<END
 static_parameters:
@@ -66,7 +66,7 @@ debusine_pipeline_output=$(echo "source_artifact: ${artifact_id}@artifacts" | de
 echo "debusine workflow start (debian-pipeline) output: $debusine_pipeline_output"
 workflow_id=$(echo "$debusine_pipeline_output" | yq -r .id)
 echo "workflow_id: $workflow_id"
-lib/ci/poll_workflow.py "$workflow_id"
+"$script_dir/poll_workflow.py" "$workflow_id"
 
 echo "workspace=$workspace" > output
 echo "::endgroup::"
diff --git a/scripts/ci/generate-source-package b/scripts/ci/generate-source-package
@@ -9,23 +9,14 @@ set -ex
 # achieve. This script should contain all the knowledge required to build
 # source packages from these exceptional source trees.
 
-# The `dpkg-buildpackage -S` step is specifically done inside a container that
-# matches the target suite in case there are nuances that break when not done
-# this way.
-
-# This script should run from a host system with Incus available. It will do
-# the work inside a container as needed.
-
-# Run on the host
-
 # Dependencies:
-#     incus (configured)
 #     devscripts
 #     dctrl-tools
+#     git-buildpackage
 
 # Inputs:
-#     $PWD/srcpkg/: checked out source tree
-#     $SUITE: target suite to prepare in (eg. 'trixie')
+#     Current working directory contains srcpkg/ checked out from the package repo
+#     Execution environment already matches the target Debian suite
 
 # Outputs:
 #     Parent directory: .changes files for source package together with all
@@ -37,28 +28,18 @@ set -ex
 # 2. Install build dependencies before building the source package
 
 echo "::group::Prepare source package"
-sudo incus launch "images:debian/$SUITE" srcbuild
-# incus file push -r skips hidden directories (e.g. .git), so use tar to
-# transfer the full source tree including .git into the container.
-tar -C . -czf - srcpkg | sudo incus exec srcbuild -- tar -xzf - -C /root/
-sudo incus exec srcbuild -- sh - <<END
-set -ex
-apt-get install --update --no-install-recommends -y devscripts dpkg-dev git-buildpackage
-# The transferred files are owned by the runner UID rather than root, which
-# causes git to refuse the repository (safe.directory). Mark it as trusted.
-git config --global --add safe.directory /root/srcpkg
 cd srcpkg
+# GitHub Actions job containers mount the workspace from the host, so mark the
+# repository as trusted before invoking git-buildpackage.
+git config --global --add safe.directory "$(pwd)"
 # For non-native packages (3.0 quilt), the orig tarball must exist before
 # dpkg-buildpackage -S can produce the source package. Export it from the
 # upstream git tree (upstream/VERSION tag, falling back to upstream/latest).
 if grep -q "quilt" debian/source/format 2>/dev/null; then
     gbp export-orig
 fi
 dpkg-buildpackage -S -d -nc
-END
-for artifact_file in $(sudo incus exec srcbuild -- sh -c 'cd /root && dcmd echo *.changes'); do
-    sudo incus file pull "srcbuild/root/$artifact_file" .
-done
+cd ..
 
 cat >> "$GITHUB_OUTPUT" <<END
 srcpkg_name=$(grep-dctrl -nsSource . *.dsc)
