build-sys: Split up the rootfs from commit phases

This allows someone forking this to inject their own content
into the middle in a clean and obvious, container-native
way.

Containerfile

@@ -39,15 +39,29 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
+
+# Construct the base rootfs
 RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
     --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
 set -xeuo pipefail
-rpm-ostree compose image --image-config fedora-bootc-config.json \
-       --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
-       --source-root=/repos /buildcontext/out.ociarchive
+mkdir /tmp-ostree
+ostree --repo=/tmp-ostree init --mode=bare-user
+rm /workdir/target-rootfs -rf
+rpm-ostree compose install --unified-core --cachedir=/workdir --repo=/tmp-ostree --source-root=/repos ${MANIFEST} /workdir/target-rootfs
 EORUN
 
+# Add whatever you want here! e.g.
+# FROM quay.io/examplecorp/someartifact:latest as artifacts
+# COPY --from=artifacts /usr /usr
+
+# Final steps: postprocess and commit, then generate an OCI archive
+RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared <<EORUN
+set -xeuo pipefail
+rpm-ostree compose commit --repo=/tmp-ostree --write-commitid-to=/tmp/commit.txt ${MANIFEST} /workdir/target-rootfs/rootfs
+rpm-ostree compose container-encapsulate --repo=/tmp-ostree --image-config fedora-bootc-config.json $(cat /tmp/commit.txt) oci-archive:/buildcontext/out.ociarchive
+EORUN
+# At this point we're done with the builder image and we have our OCI archive.
+
 FROM oci-archive:./out.ociarchive
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.