# Demonstrate skew from the builder
FROM quay.io/centos/centos:stream10 as repos

# You must run this build with `-v /path/to/rpm-ostree:/run/build/rpm-ostree:ro`
FROM quay.io/fedora/fedora-bootc:41 as builder
RUN <<EORUN
set -xeuo pipefail
# Our goal here though is to test the updated rpm-ostree binary.
# Right now there are a very few things that live outside the binary
# like rpm-ostree-0-integration.conf, but we should probably move those in.
# nocache 0228
install /run/build/rpm-ostree /usr/bin
EORUN
# Copy in our source code.
COPY . /src
WORKDIR /src
# also test using a cache in this flow
RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw --mount=type=cache,rw,target=/cache <<EORUN
set -xeuo pipefail
env RUST_LOG=debug rpm-ostree compose rootfs --cachedir=/cache --source-root-rw=/repos manifest.yaml /target-rootfs
# just the fact that we got here means we didn't hit EXDEV
# but also sanity-check that there are actual RPMs in the cache
nrpms=$(find /cache -name '*.rpm' | wc -l)
if [ $nrpms = 0 ]; then
  echo "No RPMs found in cache!"; exit 1
fi
EORUN

# This pulls in the rootfs generated in the previous step
FROM scratch
COPY --from=builder /target-rootfs/ /
RUN <<EORUN
set -xeuo pipefail
# Validate we aren't using ostree-container format
test '!' -f /ostree/repo/config
# Validate executable bit for others on /
test $(($(stat -c '0%a' /) % 2)) = 1
# Validate we have file caps
getfattr -d -m security.capability /usr/bin/newuidmap
# Validate we don't have user.ostreemeta
if getfattr -n user.ostreemeta /usr/bin/bash >/dev/null; then
    echo "found user.ostreemeta"; exit 1
fi
bootc container lint
EORUN
LABEL containers.bootc 1
# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
ENV container=oci
# Make systemd the default
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]


