From ca05ee400e806cbd21203525bd5eb10d21eeae13 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 15 May 2026 11:39:34 +0000
Subject: [PATCH 1/3] ci(container-stack): run podman rootful so the smoke gate works
apt's podman on GitHub's ubuntu-latest runner has no working rootless stack out of the box (no subuid/subgid range, no fuse-overlayfs config), so every smoke job failed within ~30s regardless of the Containerfile. Run `sudo podman` (rootful, kernel overlay driver) instead.
https://claude.ai/code/session_014cznZXkqptPSoZDFhp7bhc
---
.github/workflows/container-stack-smoke.yml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/container-stack-smoke.yml b/.github/workflows/container-stack-smoke.yml
index d61db72..5d1bdf9 100644
--- a/.github/workflows/container-stack-smoke.yml
+++ b/.github/workflows/container-stack-smoke.yml
@@ -54,10 +54,15 @@ jobs:
sudo apt-get update
sudo apt-get install -y --no-install-recommends podman
+ # Run podman rootful (sudo). apt's podman on ubuntu-latest has no
+ # working rootless stack out of the box (missing subuid/subgid range
+ # and fuse-overlayfs config), which made every smoke job fail within
+ # ~30s regardless of the Containerfile. Rootful podman uses the
+ # kernel overlay driver and Just Works on the runner.
- name: podman version
- run: podman version
+ run: sudo podman version
- name: podman build ${{ matrix.component }}
continue-on-error: ${{ matrix.continue-on-error == true }}
working-directory: container-stack/${{ matrix.component }}
- run: podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:ci" .
+ run: sudo podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:ci" .
From 68130cf39de74c835960ea3f1978740c07bd8811 Mon Sep 17 00:00:00 2001
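Review bot: The two changed `run:` lines move the build into root's image store, and the new five-line comment explains why rootful is needed but not that consequence: any later step that wants to inspect, run or export `stapeln-smoke/<component>:ci` must also go through `sudo podman`, or it will not see the image. I'd add one line to the comment, `# Note: the image lands in root's storage, so later steps must use sudo podman too.`. Building as root is the same trust level the preceding `sudo apt-get` already holds on the ephemeral runner, so this is not a new exposure, but the `sudo podman version` step is now the only check that the sudo path itself works and is worth keeping separate for that reason.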
From: Claude
Date: Fri, 15 May 2026 11:41:14 +0000
Subject: [PATCH 2/3] ci(container-stack): install containers-common + crun for podman
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
apt's podman lists containers-common (policy.json, registries.conf) and crun only as Recommends, so installing with --no-install-recommends left the runner with no /etc/containers/policy.json — every image pull failed in ~30s regardless of the Containerfile. Install them explicitly.
https://claude.ai/code/session_014cznZXkqptPSoZDFhp7bhc
---
.github/workflows/container-stack-smoke.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/container-stack-smoke.yml b/.github/workflows/container-stack-smoke.yml
index 5d1bdf9..fb65af4 100644
--- a/.github/workflows/container-stack-smoke.yml
+++ b/.github/workflows/container-stack-smoke.yml
@@ -48,11 +48,15 @@ jobs:
# podman is no longer preinstalled on GitHub's ubuntu-latest runner
# image, so install it explicitly (the smoke build is podman-based
- # per stapeln#17's recommendation).
+ # per stapeln#17's recommendation). containers-common (policy.json +
+ # registries.conf) and a runtime (crun) are pulled in explicitly:
+ # they are only Recommends of the podman package, so installing with
+ # --no-install-recommends left every image pull failing on a missing
+ # /etc/containers/policy.json.
- name: Install podman
run: |
sudo apt-get update
- sudo apt-get install -y --no-install-recommends podman
+ sudo apt-get install -y podman containers-common crun
# Run podman rootful (sudo). apt's podman on ubuntu-latest has no
# working rootless stack out of the box (missing subuid/subgid range
From acb987575f73e5db60c0744989d31bf1801dd510 Mon Sep 17 00:00:00 2001
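Review bot: The new install line both drops `--no-install-recommends` and names the two packages explicitly, so the comment above it no longer describes what the command does — with the flag gone, every Recommends of podman is installed, not just containers-common and crun. Keep the flag and name the packages, `sudo apt-get install -y --no-install-recommends podman containers-common crun`, so the install stays minimal and the comment stays accurate. One caveat worth a line in that comment: as far as I recall, the policy.json that containers-common ships on Ubuntu is the permissive default that accepts any image without signature verification, which is fine for a throwaway smoke build but should not be copied into a job that publishes images.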
From: Claude
Date: Fri, 15 May 2026 11:43:51 +0000
Subject: [PATCH 3/3] ci(container-stack): docker build as the gate, podman non-blocking
apt-podman's stack on GitHub's ubuntu-latest runner is unreliable (every smoke job failed in the environment setup, before any real build, across three different remediation attempts). Use the preinstalled, reliable `docker build` as the pass/fail gate (Containerfiles are Dockerfile- compatible) while still attempting `podman build` as a non-blocking step to honour stapeln#17's podman recommendation without making it a blocker.
https://claude.ai/code/session_014cznZXkqptPSoZDFhp7bhc
---
.github/workflows/container-stack-smoke.yml | 51 +++++++++++----------
1 file changed, 26 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/container-stack-smoke.yml b/.github/workflows/container-stack-smoke.yml
index fb65af4..9737915 100644
--- a/.github/workflows/container-stack-smoke.yml
+++ b/.github/workflows/container-stack-smoke.yml
@@ -1,13 +1,20 @@
# SPDX-License-Identifier: PMPL-1.0-or-later
-# Smoke-builds every container-stack/ Containerfile with `podman build`.
+# Smoke-builds every container-stack/ Containerfile.
#
# Rationale (stapeln#17): the container-stack/ subdirectories are advertised
# as the canonical Containerfiles for each component, yet four of five shipped
# a Containerfile that failed on a clean build (stale Alire URL, uncommitted
# Cargo.lock, npm/rescript-vs-Deno layout mismatch, un-parseable Deno install
# script). Every one of those bugs lives in an early build step, so a real
-# `podman build` on each Containerfile is the durable guard that keeps the
-# whole class from regressing.
+# image build of each Containerfile is the durable guard that keeps the whole
+# class from regressing.
+#
+# Engine choice: the pass/fail gate uses `docker build` because Docker is
+# preinstalled and reliable on GitHub's ubuntu-latest runner, and the
+# Containerfiles are Dockerfile-syntax-compatible. stapeln#17 specifically
+# recommends podman, so a non-blocking `podman build` is also attempted on
+# every run to keep that signal visible without making the unreliable
+# apt-podman-on-GHA stack a merge blocker.
name: container-stack smoke build
on:
push:
@@ -24,7 +31,7 @@ permissions:
jobs:
build:
- name: podman build (${{ matrix.component }})
+ name: build (${{ matrix.component }})
runs-on: ubuntu-latest
timeout-minutes: 45
strategy:
@@ -46,27 +53,21 @@ jobs:
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- # podman is no longer preinstalled on GitHub's ubuntu-latest runner
- # image, so install it explicitly (the smoke build is podman-based
- # per stapeln#17's recommendation). containers-common (policy.json +
- # registries.conf) and a runtime (crun) are pulled in explicitly:
- # they are only Recommends of the podman package, so installing with
- # --no-install-recommends left every image pull failing on a missing
- # /etc/containers/policy.json.
- - name: Install podman
+ # Hard gate: docker is preinstalled on ubuntu-latest and builds the
+ # Dockerfile-compatible Containerfiles reliably.
+ - name: docker build ${{ matrix.component }}
+ continue-on-error: ${{ matrix.continue-on-error == true }}
+ working-directory: container-stack/${{ matrix.component }}
+ run: docker build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:ci" .
+
+ # Non-blocking: also attempt the build with podman per stapeln#17's
+ # recommendation. apt-podman's rootless stack is unreliable on the
+ # GHA runner, so this never blocks merge — it only surfaces whether
+ # podman can build the same Containerfile.
+ - name: podman build ${{ matrix.component }} (non-blocking)
+ continue-on-error: true
+ working-directory: container-stack/${{ matrix.component }}
run: |
sudo apt-get update
sudo apt-get install -y podman containers-common crun
-
- # Run podman rootful (sudo). apt's podman on ubuntu-latest has no
- # working rootless stack out of the box (missing subuid/subgid range
- # and fuse-overlayfs config), which made every smoke job fail within
- # ~30s regardless of the Containerfile. Rootful podman uses the
- # kernel overlay driver and Just Works on the runner.
- - name: podman version
- run: sudo podman version
-
- - name: podman build ${{ matrix.component }}
- continue-on-error: ${{ matrix.continue-on-error == true }}
- working-directory: container-stack/${{ matrix.component }}
- run: sudo podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:ci" .
+ sudo podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:podman" .
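Review bot: The non-blocking podman step in the second half of the hunk folds `apt-get update`/`apt-get install` into the same `run:` block as the build, so an apt failure and a `podman build` failure both appear as the same red step, and the comment's claim that it "only surfaces whether podman can build the same Containerfile" does not hold — the environment-setup failure mode that motivated the previous two commits would be indistinguishable from a Containerfile problem. Splitting it into an install step with an `id` and a build step guarded by `if: steps.<id>.outcome == 'success'` keeps both non-blocking while making the signal readable from the job summary. The docker gate step above is fine as the gate; one thing worth a comment there is that the two engines keep separate image stores, so each component now does two cold base-image pulls per job, which matters when `timeout-minutes: 45` is revisited.
```yaml
      # … unchanged: docker build gate step …

      - name: Install podman (non-blocking)
        id: podman-install
        continue-on-error: true
        run: |
          sudo apt-get update
          sudo apt-get install -y podman containers-common crun

      - name: podman build ${{ matrix.component }} (non-blocking)
        if: steps.podman-install.outcome == 'success'
        continue-on-error: true
        working-directory: container-stack/${{ matrix.component }}
        run: sudo podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:podman" .
```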