From 77ec4be7278473a09ef1b4dd346c3b71d0b6b64d Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 18 Apr 2024 17:35:51 -0400
Subject: [PATCH] Add Containerfile.fedora-40
Let's build this again.
---
.github/workflows/build-image.yml | 2 ++
Containerfile.fedora-40 | 40 +++++++++++++++++++++++++++++++
fedora-bootc.yaml | 4 ++--
3 files changed, 44 insertions(+), 2 deletions(-)
create mode 100644 Containerfile.fedora-40
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index fab2fc9..b1450bf 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -18,6 +18,8 @@ jobs: version: stream9 - os: centos version: stream10 + - os: fedora + version: 40 steps: - name: Update podman
diff --git a/Containerfile.fedora-40 b/Containerfile.fedora-40
new file mode 100644
index 0000000..840fd8d
--- /dev/null
+++ b/Containerfile.fedora-40
@@ -0,0 +1,40 @@
+# This container build uses some special features of podman that allow
+# a process executing as part of a container build to generate a new container
+# image "from scratch".
+#
+# This container build uses nested containerization, so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+#
+# # Why are we doing this?
+#
+# Today this base image build process uses rpm-ostree. There is a lot of things that
+# rpm-ostree does when generating a container image...but important parts include:
+#
+# - auto-updating labels in the container metadata
+# - Generating "chunked" content-addressed reproducible image layers (notice
+# how there are ~60 layers in the generated image)
+#
+# The latter bit in particular is currently impossible to do from Containerfile.
+# A future goal is adding some support for this in a way that can be honored by
+# buildah (xref https://github.com/containers/podman/discussions/12605)
+#
+# # Why does this build process require additional privileges?
+#
+# Because it's generating a base image and uses containerbuildcontextization features itself.
+# In the future some of this can be lifted.
+
+FROM quay.io/fedora/fedora:40 as repos
+
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+ARG MANIFEST=fedora-bootc.yaml
+COPY --from=repos /etc/dnf/vars /etc/dnf/vars
+COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
+COPY . /src
+RUN rm -vf /src/*.repo
+COPY --from=repos /etc/yum.repos.d/*.repo /src
+RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image --cachedir=/workdir --format=ociarchive --initialize /src/${MANIFEST} /buildcontext/out.ociarchive
+
+FROM oci-archive:./out.ociarchive
+# Need to reference builder here to force ordering. But since we have to run
+# something anyway, we might as well cleanup after ourselves.
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive
diff --git a/fedora-bootc.yaml b/fedora-bootc.yaml
index e4cabcd..bef362d 100644
--- a/fedora-bootc.yaml
+++ b/fedora-bootc.yaml
@@ -3,8 +3,8 @@ variables: distro: "fedora" repos: - - fedora-devel - - fedora-updates + - fedora + - updates metadata: name: fedora-boot-tier1
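Review bot: The builder stage is pulled as `quay.io/centos-bootc/bootc-image-builder:latest`, and the header comment says this build must run with `--cap-add=all --security-opt=label=disable --device /dev/fuse`, so whatever that floating tag resolves to on a given day executes with full capabilities on the build host and the resulting base image is not reproducible. Pin the builder, and `quay.io/fedora/fedora:40` whose `*.repo` files and `RPM-GPG-KEY-fedora-*` keys are copied in as the compose's trust root, by digest, e.g. `FROM quay.io/centos-bootc/bootc-image-builder:<tag>@sha256:<digest> AS builder` where `<digest>` is a placeholder for the value recorded when pinning. Two smaller points in the same hunk: `as repos` / `as builder` should be uppercase `AS` per Dockerfile convention, and the comment "uses containerbuildcontextization features itself" reads like a mangled search-and-replace of "containerization" and should be restored.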
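Review bot: The new ids `fedora` and `updates` are only resolvable if they match repo ids declared in the `.repo` files that Containerfile.fedora-40 copies into /src from the `quay.io/fedora/fedora:40` image after deleting the repository's own `*.repo` files, and nothing in the manifest records that coupling. A one-line comment above `repos:` such as `# repo ids must match /etc/yum.repos.d/*.repo of the fedora image used in Containerfile.fedora-40` would make the dependency explicit for the next person who renames either side. The `variables` document continues outside the hunk.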