coreos
diff --git a/‎.copr/Makefile‎
Lines changed: 1 addition & 1 deletion b/‎.copr/Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.dockerignore‎
Lines changed: 54 additions & 3 deletions b/‎.dockerignore‎
Lines changed: 54 additions & 3 deletions
diff --git a/‎.github/actions/bootc-ubuntu-setup/action.yml‎
Lines changed: 71 additions & 19 deletions b/‎.github/actions/bootc-ubuntu-setup/action.yml‎
Lines changed: 71 additions & 19 deletions
diff --git a/‎.github/workflows/container-build.yml‎
Lines changed: 58 additions & 0 deletions b/‎.github/workflows/container-build.yml‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 25 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 25 additions & 0 deletions
@@ -5,7 +5,7 @@ srpm:
 	# if we have a git repo with remotes, fetch tags so `git describe` gives a nice NEVRA when
 	# building the RPM
 	if git remote | grep origin; then git fetch origin --tags; fi
-	git submodule update --init --recursive
+	if [ -d .git ]; then git submodule update --init --recursive; fi
 	# Our primary CI build goes via RPM rather than direct to binaries
 	# to better test that path, including our vendored spec file, etc.
 	make -C packaging -f Makefile.dist-packaging srpm
 
@@ -1,3 +1,54 @@
-.cosa
-target
-compose-cache/
+# Exclude everything by default, then include just what we need
+# Especially note this means that .git is not included, and not tests/
+# to avoid spurious rebuilds.
+*
+
+# Autotools build files
+!Makefile*.am
+!Makefile-*.am
+!Makefile*.inc
+!Makefile.bindings
+!configure.ac
+!autogen.sh
+
+# Generated C++/Rust bridge files (checked into git)
+!rpmostree-cxxrs.h
+!rpmostree-cxxrs.cxx
+!rpmostree-cxxrsutil.hpp
+
+# Build configuration
+!buildutil/
+!build-aux/
+!m4/
+
+# Source code
+!src/
+!rust/
+
+# Rust build files
+!Cargo.toml
+!Cargo.lock
+!build.rs
+!.cargo/
+
+# Git submodules (needed by autogen.sh)
+!libglnx/
+!libdnf/
+
+# Build system integration
+!packaging/
+!ci/
+!.copr/
+
+# Test data for integration tests
+!tests/
+
+# Documentation (for man pages, etc.)
+!docs/
+!man/
+
+# Shell completion
+!completion/
+
+# API documentation generation
+!api-doc/
@@ -1,9 +1,39 @@
-# Keep this in sync with the copy in bootc-dev/bootc
 name: 'Bootc Ubuntu Setup'
 description: 'Default host setup'
+inputs:
+  libvirt:
+    description: 'Install libvirt and virtualization stack'
+    required: false
+    default: 'false'
 runs:
   using: 'composite'
   steps:
+    # The default runners have TONS of crud on them...
+    - name: Free up disk space on runner
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        sudo df -h
+        unwanted_pkgs=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
+                       azure-cli google-chrome-stable firefox mono-devel)
+        unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL)
+        # Start background removal operations as systemd units; if this causes
+        # races in the future around disk space we can look at waiting for cleanup
+        # before starting further jobs, but right now we spent a lot of time waiting
+        # on the network and scripts and such below, giving these plenty of time to run.
+        n=0
+        runcleanup() {
+          sudo systemd-run -r -u action-cleanup-${n} -- "$@"
+          n=$(($n + 1))
+        }
+        runcleanup docker image prune --all --force
+        for x in ${unwanted_dirs[@]}; do
+          runcleanup rm -rf "$x"
+        done
+        # Apt removals in foreground, as we can't parallelize these
+        for x in ${unwanted_pkgs[@]}; do
+          /bin/time -f '%E %C' sudo apt-get remove -y $x
+        done
     # We really want support for heredocs
     - name: Update podman and install just
       shell: bash
@@ -14,29 +44,14 @@ runs:
         test "${IDV}" = "ubuntu-24.04"
         # plucky is the next release
         echo 'deb http://azure.archive.ubuntu.com/ubuntu plucky universe main' | sudo tee /etc/apt/sources.list.d/plucky.list
-        sudo apt update
+        /bin/time -f '%E %C' sudo apt update
         # skopeo is currently older in plucky for some reason hence --allow-downgrades
-        sudo apt install -y --allow-downgrades crun/plucky podman/plucky skopeo/plucky just
-    # The default runners have TONS of crud on them...
-    - name: Free up disk space on runner
-      shell: bash
-      run: |
-        sudo df -h
-        unwanted=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
-                  azure-cli google-chrome-stable firefox mono-devel)
-        for x in ${unwanted[@]}; do
-          sudo apt-get remove -y $x > /dev/null
-        done
-        # Start other removal operations in parallel
-        sudo docker image prune --all --force > /dev/null &
-        sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android &
-        # Wait for all background processes to complete
-        wait
-        sudo df -h
+        /bin/time -f '%E %C' sudo apt install -y --allow-downgrades crun/plucky podman/plucky skopeo/plucky just
     # This is the default on e.g. Fedora derivatives, but not Debian
     - name: Enable unprivileged /dev/kvm access
       shell: bash
       run: |
+        set -xeuo pipefail
         echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
         sudo udevadm control --reload-rules
         sudo udevadm trigger --name-match=kvm
@@ -46,4 +61,41 @@ runs:
       id: set_arch
       shell: bash
       run: echo "ARCH=$(arch)" >> $GITHUB_ENV
+    # We often use Rust, so set up opinionated default caching
+    - name: Setup Rust cache
+      uses: Swatinem/rust-cache@v2
+      with:
+        cache-all-crates: true
+        # Only generate caches on push to git main
+        save-if: ${{ github.ref == 'refs/heads/main' }}
+        # Suppress actually using the cache for builds running from
+        # git main so that we avoid incremental compilation bugs
+        lookup-only: ${{ github.ref == 'refs/heads/main' }}
+    # Install libvirt stack if requested
+    - name: Install libvirt and virtualization stack
+      if: ${{ inputs.libvirt == 'true' }}
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        export BCVK_VERSION=0.5.3
+        /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+        # Something in the stack is overriding this, but we want session right now for bcvk
+        echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
+        td=$(mktemp -d)
+        cd $td
+        # Install bcvk
+        target=bcvk-$(arch)-unknown-linux-gnu
+        /bin/time -f '%E %C' curl -LO https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz
+        tar xzf ${target}.tar.gz
+        sudo install -T ${target} /usr/bin/bcvk
+        cd -
+        rm -rf "$td"
 
+        # Also bump the default fd limit as a workaround for https://github.com/bootc-dev/bcvk/issues/65
+        sudo sed -i -e 's,^\* hard nofile 65536,* hard nofile 524288,' /etc/security/limits.conf
+    - name: Cleanup status
+      shell: bash
+      run: |
+        set -xeuo pipefail
+        systemctl list-units 'action-cleanup*'
+        df -h
@@ -0,0 +1,58 @@
+# Container Build CI Workflow
+#
+# Builds rpm-ostree from source in a container using the Dockerfile and Justfile.
+# This workflow follows the pattern established in bootc for containerized builds.
+name: Container Build
+
+permissions:
+  actions: read
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+env:
+  CARGO_TERM_COLOR: always
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Build container and run basic validation
+  build-and-validate:
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        base_image:
+          - name: fedora-42
+            image: quay.io/fedora/fedora-bootc:42
+          # TODO: Enable CentOS Stream 10 once tests support it
+          # - name: centos-10
+          #   image: quay.io/centos-bootc/centos-bootc:stream10
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          submodules: true
+
+      - name: Bootc Ubuntu Setup
+        uses: ./.github/actions/bootc-ubuntu-setup
+
+      - name: Run validation
+        run: |
+          just validate
+
+      - name: Build container
+        run: |
+          set -xeuo pipefail
+          just build --build-arg=base=${{ matrix.base_image.image }}
+
+      - name: Run container integration tests
+        run: |
+          just test-container-integration
@@ -134,3 +134,28 @@ bin-unit-tests = []
 sanitizers = []
 
 default = []
+
+[lints]
+workspace = true
+
+[workspace.lints.rust]
+# Absolutely must handle errors
+unused_must_use = "forbid"
+missing_debug_implementations = "deny"
+# Feel free to comment this one out locally during development of a patch.
+dead_code = "deny"
+
+# We aren't using these yet
+# [workspace.lints.rust]
+# unsafe_code = "deny"
+# missing_docs = "deny"
+
+[workspace.lints.clippy]
+disallowed_methods = "deny"
+# These should only be in local code
+dbg_macro = "deny"
+todo = "deny"
+# These two are in my experience the lints which are most likely
+# to trigger, and among the least valuable to fix.
+needless_borrow = "allow"
+needless_borrows_for_generic_args = "allow"