From 43ba50ef6ad80d4f748bbe227d8db15e9c8b7c7d Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Fri, 25 Oct 2024 10:27:56 +0200
Subject: [PATCH 1/7] build bare image

---
 .github/workflows/ci.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ec854c8..02dd0cf 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -94,10 +94,24 @@ jobs:
       - name: Check images created
         run: buildah images | grep '${{ env.IMAGE_NAME }}'
 
+      - run: |
+          podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci
+
+          podman pull ghcr.io/gardenlinux/gardenlinux:1592
+          podman save --format oci-archive ghcr.io/gardenlinux/gardenlinux:1592 > gardenlinux.oci
+
+          ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux.oci glvd.oci glvd_bare.oci
+
+          image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"
+          podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare
+
+
       - name: Check manifest
         run: |
           set -x
           buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}
+          buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare
+
 
       - name: Push To ghcr.io
         id: push-to-ghcr
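Review bot: The base image that the application layers are compared against is pulled by a mutable tag, `podman pull ghcr.io/gardenlinux/gardenlinux:1592`, so the contents of the `_bare` image depend on whatever that tag points to at run time rather than on anything recorded in this repository; pin it by digest, e.g. `ghcr.io/gardenlinux/gardenlinux:1592@sha256:<digest>`, and keep the digest in the workflow so a rebuild is reproducible and a re-tagged base cannot silently change what ships. The new step also has no `name:`, so a failure in it shows up in the run log only as an anonymous `run` step; a `- name: Build bare image` line would help triage. The `image="$(podman load ... | awk '{ print $NF }')"` line parses podman's human-readable output, which is fragile across versions; the `tag` step is still fine but I would hedge that with a check that `$image` is non-empty before tagging. The Push step this hunk ends on continues outside the hunk.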

From b3f6984aae46f8427f15660e9008ca89cc8c5279 Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Fri, 25 Oct 2024 10:39:12 +0200
Subject: [PATCH 2/7] test

---
 .github/workflows/ci.yaml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 02dd0cf..b8d76ff 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -91,9 +91,6 @@ jobs:
           echo "Tags: ${{ steps.build_image.outputs.tags }}"
           echo "Tagged Image: ${{ steps.build_image.outputs.image-with-tag }}"
 
-      - name: Check images created
-        run: buildah images | grep '${{ env.IMAGE_NAME }}'
-
       - run: |
           podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci
 
@@ -105,13 +102,13 @@ jobs:
           image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"
           podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare
 
+      - name: Check images created
+        run: buildah images | grep '${{ env.IMAGE_NAME }}'
 
       - name: Check manifest
         run: |
           set -x
           buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}
-          buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare
-
 
       - name: Push To ghcr.io
         id: push-to-ghcr
@@ -124,6 +121,17 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Push To ghcr.io
+        id: push-to-ghcr
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: latest_bare
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Print image url
         if: ${{ github.event_name != 'pull_request' }}
         run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}"
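Review bot: The new push step reuses `id: push-to-ghcr`, which the existing push step two hunks up already has, so step ids in this job are no longer unique and the `steps.push-to-ghcr.outputs.registry-paths` reference on the last line of the hunk becomes ambiguous; give the second step its own id, e.g. `id: push-to-ghcr-bare`. It also pushes `tags: latest_bare`, while the only bare tag created locally is `${{ env.IMAGE_TAG }}_bare`; unless `IMAGE_TAG` is always `latest` (not visible here), there is nothing under that name to push, so `tags: ${{ env.IMAGE_TAG }}_bare` is the safer spelling. Finally, this step captures no digest output, so nothing downstream can deploy the bare image by digest rather than by a mutable tag.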

From 5732085cb4a245e3227d369312e2ae0727673bd1 Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Fri, 25 Oct 2024 10:40:08 +0200
Subject: [PATCH 3/7] fix

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b8d76ff..c13ac8d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -122,7 +122,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push To ghcr.io
-        id: push-to-ghcr
+        id: push-to-ghcr-bare
         if: ${{ github.event_name != 'pull_request' }}
         uses: redhat-actions/push-to-registry@v2
         with:

From f47d1c75b03076db27cc02dd90a151a3a7f18beb Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Mon, 28 Oct 2024 11:04:00 +0100
Subject: [PATCH 4/7] build bare

---
 .github/workflows/ci.yaml | 28 ++++++++++------------------
 build_bare.sh             | 22 ++++++++++++++++++++++
 2 files changed, 32 insertions(+), 18 deletions(-)
 create mode 100755 build_bare.sh

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c13ac8d..b2f2ac7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -91,17 +91,6 @@ jobs:
           echo "Tags: ${{ steps.build_image.outputs.tags }}"
           echo "Tagged Image: ${{ steps.build_image.outputs.image-with-tag }}"
 
-      - run: |
-          podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci
-
-          podman pull ghcr.io/gardenlinux/gardenlinux:1592
-          podman save --format oci-archive ghcr.io/gardenlinux/gardenlinux:1592 > gardenlinux.oci
-
-          ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux.oci glvd.oci glvd_bare.oci
-
-          image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"
-          podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare
-
       - name: Check images created
         run: buildah images | grep '${{ env.IMAGE_NAME }}'
 
@@ -121,16 +110,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push To ghcr.io
-        id: push-to-ghcr-bare
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: redhat-actions/push-to-registry@v2
+      - name: Log in to ghcr.io
+        uses: redhat-actions/podman-login@v1
         with:
-          image: ${{ steps.build_image.outputs.image }}
-          tags: latest_bare
-          registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+
+      - name: Build bare images
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          ./build_bare.sh
+          podman push ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
+          podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare
 
       - name: Print image url
         if: ${{ github.event_name != 'pull_request' }}
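Review bot: The `Build bare images` step does not operate on the image built in this run: `build_bare.sh` re-pulls `ghcr.io/gardenlinux/glvd-api:latest` from the registry, so the bare image is derived from whatever `latest` resolves to at that moment, which may be a concurrent run's push or a stale image if the preceding push failed silently. The push step whose `with:` block this hunk starts in exposes a digest output; pass it through instead, e.g. `env: { GLVD_API_IMAGE_REF: "ghcr.io/gardenlinux/glvd-api@${{ steps.push-to-ghcr.outputs.digest }}" }`, and have the script pull that reference. The two `podman push` lines push by tag only and record no digest, so the `Print image url` step that follows cannot report what was actually published for the bare variants. The `Log in to ghcr.io` step is not gated on `github.event_name != 'pull_request'` like the steps around it; it is probably harmless, but gating it keeps PR runs from needing a registry login at all.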
diff --git a/build_bare.sh b/build_bare.sh
new file mode 100755
index 0000000..6e41826
--- /dev/null
+++ b/build_bare.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+GLVD_API_IMAGE_REPOSITORY=ghcr.io/gardenlinux/glvd-api
+GLVD_API_IMAGE_TAG=latest
+
+build () {
+    local ARCH="${1}"; shift
+
+    SHA_GLVD=$(podman pull -q --arch="$ARCH" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG)
+    podman save --format oci-archive "$SHA_GLVD" > glvd-"$ARCH".oci
+
+    SHA_GL=$(podman pull -q --arch="$ARCH" ghcr.io/gardenlinux/gardenlinux:1592)
+    podman save --format oci-archive "$SHA_GL" > gardenlinux-"$ARCH".oci
+
+    ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux-"$ARCH".oci glvd-"$ARCH".oci glvd_bare-"$ARCH".oci
+
+    image="$(podman load < glvd_bare-"$ARCH".oci | awk '{ print $NF }')"
+    podman tag "$image" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux"$ARCH"_bare
+}
+
+build amd64
+build arm64
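Review bot: `build_bare.sh` has no `set -eufo pipefail`, unlike the `build.sh` it replaces and the `unbase_oci` wrapper it calls, so a failed `podman pull -q` leaves `SHA_GLVD` or `SHA_GL` empty and the script carries on to `podman save ""`, `unbase_oci`, and finally `podman tag` of whatever `awk` extracted from the error output; add `set -eufo pipefail` directly under the shebang. The base image is again pulled by the mutable tag `ghcr.io/gardenlinux/gardenlinux:1592`; pin it with an `@sha256:` digest so the bare image's base layer is reproducible and cannot be swapped by a retag of that version. The repository and tag are hard-coded constants; making them overridable, e.g. `GLVD_API_IMAGE_TAG="${GLVD_API_IMAGE_TAG:-latest}"`, would let the workflow hand in the digest of the image it just built instead of relying on `latest` in the registry. `podman pull -q` prints the image ID, so the `SHA_*` names are slightly misleading; `ID_GLVD` / `ID_GL` would be clearer.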

From f7053a48131cd36c5cffaabc942578d063e41aa6 Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Mon, 28 Oct 2024 16:51:51 +0100
Subject: [PATCH 5/7] test

---
 build.sh   | 19 -------------------
 unbase_oci |  4 ++--
 2 files changed, 2 insertions(+), 21 deletions(-)
 delete mode 100755 build.sh

diff --git a/build.sh b/build.sh
deleted file mode 100755
index 51e2ec7..0000000
--- a/build.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-set -eufo pipefail
-
-if [[ ! -f build/libs/glvd-0.0.1-SNAPSHOT.jar ]]; then
-    ./gradlew bootJar
-fi
-
-podman build --tag ghcr.io/gardenlinux/glvd-api:edge .
-
-podman save --format oci-archive ghcr.io/gardenlinux/glvd-api:edge > glvd.oci
-
-podman pull ubuntu:22.04
-podman save --format oci-archive ubuntu:22.04 > ubuntu.oci
-
-./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree ubuntu.oci glvd.oci glvd_bare.oci
-
-image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"
-podman tag "$image" ghcr.io/gardenlinux/glvd-api:edge_bare
diff --git a/unbase_oci b/unbase_oci
index 1a6db1b..3e536d0 100755
--- a/unbase_oci
+++ b/unbase_oci
@@ -2,7 +2,7 @@
 
 set -eufo pipefail
 
-container_image=ghcr.io/gardenlinux/unbase_oci:233f4213036fadd4b91b965b4ca71b457f1a6b88
+container_image=localhost/unbase_oci
 container_engine=podman
 
 container_mount_opts=()
@@ -52,4 +52,4 @@ container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")")
 container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")")
 args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")")
 
-"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
+"$container_engine" run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
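Review bot: This line strips every kernel-side confinement from the container that unpacks and rewrites untrusted OCI archives: `--security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable` disables the seccomp filter, the AppArmor profile, and SELinux labeling at once, and the commit message ("test") does not say which of them was actually blocking the run. Since the image processed here includes a third-party base pulled from a registry, this is precisely the place where confinement matters; narrow it to the one mechanism that is needed. If the failure was a denied access to the bind mounts on an SELinux host, the targeted fix is to relabel the mounts, `:z` or `:Z` on the `-v` entries built into `container_mount_opts`, rather than `label=disable`; if a specific syscall was blocked, a custom seccomp profile that allows just that call keeps the rest of the filter. Whatever remains should carry a comment naming the failure it works around, e.g. `# label=disable: bind mounts under /mnt are denied by the SELinux policy on the CI runner`, so a future reviewer can remove it when the underlying cause is gone.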

From 221ae5b682936fdf0f9c86fe930c4b7d6479099d Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Mon, 28 Oct 2024 16:54:43 +0100
Subject: [PATCH 6/7] test

---
 unbase_oci | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unbase_oci b/unbase_oci
index 3e536d0..f2634fc 100755
--- a/unbase_oci
+++ b/unbase_oci
@@ -2,7 +2,7 @@
 
 set -eufo pipefail
 
-container_image=localhost/unbase_oci
+container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a
 container_engine=podman
 
 container_mount_opts=()
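Review bot: The reference on the `container_image=` line is a git commit hash used as an image tag, which is still a mutable tag that the registry owner can re-point; since this image runs with confinement disabled a few lines further down, it should be pinned by content, e.g. `container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a@sha256:<digest>`, so `podman run` verifies the digest on pull. A short comment on where the hash comes from would also help, e.g. `# tag is the upstream unbase_oci commit this wrapper was tested against`.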

From 17ff1a748ec85d438382b8831edaaa0242da9ed6 Mon Sep 17 00:00:00 2001
From: Florian Wilhelm <florian.wilhelm02@sap.com>
Date: Mon, 28 Oct 2024 17:19:54 +0100
Subject: [PATCH 7/7] deploy bare image

---
 .github/workflows/ci.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b2f2ac7..6e50cf2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -119,10 +119,12 @@ jobs:
 
       - name: Build bare images
         if: ${{ github.event_name != 'pull_request' }}
+        id: bare
         run: |
           ./build_bare.sh
-          podman push ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
+          podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
           podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare
+          echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT
 
       - name: Print image url
         if: ${{ github.event_name != 'pull_request' }}
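Review bot: `--digestfile=bare-amd64-digest` is only added to the amd64 push, so the arm64 bare image is still published with no recorded digest and can only ever be referenced by the mutable tag `latest-linuxarm64_bare`; add `--digestfile=bare-arm64-digest` to the second `podman push` and export it the same way. The `echo ... >> $GITHUB_OUTPUT` line leaves the variable unquoted; `>> "$GITHUB_OUTPUT"` is the safe form. If `cat ./bare-amd64-digest` fails because the push did not write the file, the step still succeeds with an empty output and the deploy step later in this patch would receive an image reference ending in `@`; guarding with `test -s bare-amd64-digest` before the echo turns that into a visible failure.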
@@ -147,7 +149,7 @@ jobs:
 
       - name: Deploy the image
         if: ${{ github.event_name != 'pull_request' }}
-        run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest@${{ steps.push-to-ghcr.outputs.digest }}
+        run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }}
 
   dependency-submission: