Switch to building and shipping images via Konflux
Currently we build production images by going pungi -> rpm-ostree -> https://pagure.io/cloud-image-uploader/, and there is no gating CI in that process. Switching to Konflux will give us a container-native flow and the ability to integrate CI gating more tightly, and help align us with the existing CentOS Stream and RHEL processes.

## References

- https://lists.centos.org/hyperkitty/list/devel@lists.centos.org/thread/64IUY3DVQ74WFBZ5EJ54TZBIAA4VEKFA/

## Status

GitOps repo for Konflux CRs: https://gitlab.com/fedora/infrastructure/konflux/tenants-config/-/merge_requests/26

Custom build/release pipelines used in Konflux (https://gitlab.com/fedora/bootc/tekton-catalog) are built and published to:

- https://quay.io/bootc-devel/tekton-catalog/pipeline-buildah-build-bootc-multi-platform-oci-ta
- https://quay.io/bootc-devel/tekton-catalog/pipeline-push-to-external-registry

Renovate configuration for automatic updates:

- [x] Composes: https://gitlab.com/fedora/bootc/compose-images/-/blob/main/renovate.json
- [x] Minimal, Minimal Plus, Standard and IoT: https://gitlab.com/fedora/bootc/base-images/-/blob/main/renovate.json

MRs enabling builds:

- [x] Compose image MR: https://gitlab.com/fedora/bootc/compose-images/-/merge_requests/1
- [x] Minimal image MR: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/156
- [x] Minimal Plus image MR: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/157
- [x] Standard image MR: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/70
- [x] IoT image MR: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/176
- [x] Enable `ppc64le` and `s390x` builds: https://gitlab.com/fedora/bootc/base-images/-/merge_requests/292

Initial Fedora Rawhide images have been successfully built with Konflux and published to:

- [x] Compose image: https://quay.io/bootc-devel/fedora-bootc-rawhide-compose
- [x] Minimal image: https://quay.io/bootc-devel/fedora-bootc-rawhide-minimal
- [x] Minimal Plus image: https://quay.io/bootc-devel/fedora-bootc-rawhide-minimal-plus
- [x] Standard image: https://quay.io/bootc-devel/fedora-bootc-rawhide-standard
- [x] IoT image: https://quay.io/bootc-devel/fedora-bootc-rawhide-iot

Initial Fedora 43 images have been successfully built with Konflux and published to:

- [x] Compose image: https://quay.io/bootc-devel/fedora-bootc-43-compose
- [x] Minimal image: https://quay.io/bootc-devel/fedora-bootc-43-minimal
- [x] Minimal Plus image: https://quay.io/bootc-devel/fedora-bootc-43-minimal-plus
- [x] Standard image: https://quay.io/bootc-devel/fedora-bootc-43-standard
- [x] IoT image: https://quay.io/bootc-devel/fedora-bootc-43-iot

Initial Fedora 42 images have been successfully built with Konflux and published to:

- [x] Compose image: https://quay.io/bootc-devel/fedora-bootc-42-compose
- [x] Minimal image: https://quay.io/bootc-devel/fedora-bootc-42-minimal
- [x] Minimal Plus image: https://quay.io/bootc-devel/fedora-bootc-42-minimal-plus
- [x] Standard image: https://quay.io/bootc-devel/fedora-bootc-42-standard
- [x] IoT image: https://quay.io/bootc-devel/fedora-bootc-42-iot

Initial Fedora 41 images have been successfully built with Konflux and published to:

- [x] Compose image: https://quay.io/bootc-devel/fedora-bootc-41-compose
- [ ] Minimal image: https://quay.io/bootc-devel/fedora-bootc-41-minimal
- [ ] Minimal Plus image: https://quay.io/bootc-devel/fedora-bootc-41-minimal-plus
- [ ] Standard image: https://quay.io/bootc-devel/fedora-bootc-41-standard
- [ ] IoT image: https://quay.io/bootc-devel/fedora-bootc-41-iot

## Larger tasks

### Switch to having pungi trigger this build

Basically the main Fedora compose process runs pungi. In this flow, pungi would build and push a "repos" container image `quay.io/fedoraci/fedora-compose-base:$branch-$timestamp` that has an `/etc/yum.repos.d/` pointing to the *in progress* compose location.
Pungi then starts (and monitors) a Konflux pipeline initiated from a build that is effectively `podman build --from=` or so of this repo. We'd push that container image to `quay.io/fedoraci/fedora-bootc:$branch-$timestamp` (and branch this for `:minimal` vs `:standard` too).

### Push from compose to production

The "publish to production" path after compose is tricky of course. My strawman here is that our process is just:

- Run final sanity checks on target images
- `skopeo copy`, effectively

### Shift left testing

Instead of rerunning expensive (and possibly flaky) CI, we aim to "shift left" as much testing as possible, especially to the two key change points:

- Key RPM changes (kernel, systemd, bootc, ...)
- Substantial changes to the input git repo (like the base image rework I just landed, new packages, etc.)
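One way to implement the "final sanity checks, then `skopeo copy`" promotion step sketched under "Push from compose to production", added here as an example and not code from this issue or the bootc pipelines: it validates the raw image index that `skopeo inspect --raw` returns (every platform the builds enable is present, digests are well-formed, no duplicate manifests) and then builds a copy command pinned to the index digest, so what lands in production is exactly the index that was checked rather than whatever the tag points at later. The `index_problems`/`promote_cmd` helper names, the destination registry and the embedded sample indexes are assumptions constructed for the example.

```python
import hashlib
import json

# Platforms the base-images pipelines build (ppc64le and s390x were enabled in MR !292).
REQUIRED_ARCHES = frozenset({"amd64", "arm64", "ppc64le", "s390x"})
INDEX_TYPE = "application/vnd.oci.image.index.v1+json"  # Docker manifest lists use another type

def index_problems(raw_index: str, required=REQUIRED_ARCHES) -> list:
    """Check `skopeo inspect --raw` output for an image index; [] means fit to promote."""
    idx = json.loads(raw_index)
    if idx.get("mediaType") != INDEX_TYPE:
        return [f"not an OCI image index: {idx.get('mediaType')}"]
    problems, found = [], {}
    for m in idx.get("manifests", []):
        plat = m.get("platform", {})
        if plat.get("os") != "linux":
            continue  # skip non-image entries some builders embed (e.g. attestations)
        arch, digest = plat.get("architecture"), m.get("digest", "")
        if not digest.startswith("sha256:") or len(digest) != 71:
            problems.append(f"malformed digest for {arch}: {digest}")
        elif arch in found:
            problems.append(f"duplicate manifest for {arch}")
        else:
            found[arch] = digest
    missing = sorted(set(required) - set(found))
    if missing:
        problems.append(f"index missing platforms: {missing}")
    return problems

def index_digest(raw_index: str) -> str:
    """Digest of the raw index bytes, i.e. the digest the registry reports for the tag."""
    return "sha256:" + hashlib.sha256(raw_index.encode()).hexdigest()

def promote_cmd(src_ref: str, raw_index: str, dst_ref: str) -> list:
    """Digest-pinned copy: promote exactly the index that was checked, not the moving tag."""
    problems = index_problems(raw_index)
    if problems:
        raise ValueError("; ".join(problems))
    return ["skopeo", "copy", "--all",
            f"docker://{src_ref}@{index_digest(raw_index)}", f"docker://{dst_ref}"]

def _index(arches):  # constructed sample index; digests are placeholders, not real ones
    return json.dumps({"schemaVersion": 2, "mediaType": INDEX_TYPE,
                       "manifests": [{"mediaType": "application/vnd.oci.image.manifest.v1+json",
                                      "digest": f"sha256:{i + 1:064x}",
                                      "platform": {"os": "linux", "architecture": a}}
                                     for i, a in enumerate(arches)]})

SAMPLE_INDEX = _index(["amd64", "arm64", "ppc64le", "s390x"])
MISSING_S390X = _index(["amd64", "arm64", "ppc64le"])
```

In a real promotion job the raw index comes from `skopeo inspect --raw docker://<source tag>` and the returned command is executed as-is; the `@sha256:` reference means a tag that moved between inspection and copy cannot slip through.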