Colin Walters cgwalters

cgwalters / force-push-to-fork.md
Created March 10, 2026 15:53
The "force push to fork's git main" trick to iterate on GitHub Actions

Efficiently debugging and testing GitHub Actions without spamming a pull request

Debugging GitHub Actions can be painful. First of all, I think a good practice is to avoid having substantial amounts of code in the action itself. Repositories under the bootc-dev organization lean into using a Justfile as the entrypoint, and most GHA flows invoke `just <task>`, which means it's also easier to reproduce locally.

Still, some things (especially nontrivial workflows that, e.g., lean into using artifacts across jobs) are difficult to test locally.

The "force push to git main" trick

So here's the trick: instead of continually force pushing to a PR (and spamming everyone with notifications about pushes there), I force push to the main branch of my fork of the repository, then monitor action runs from there.

cgwalters / gist:c18c9337aa9345d763aa446cc95c7847
Last active January 9, 2026 21:20
Container Root Directory Handling: A Deep Investigation

Container Root Directory Handling: A Deep Investigation

Assisted-by: OpenCode (Opus 4.5)

Executive Summary

OCI container layer tars may or may not include a root directory entry (./ or /). This is a known specification gap in the OCI image-spec. When root entries exist, container runtimes ignore them - both Podman and Docker explicitly skip root directory entries during extraction. The mode difference (0555 vs 0755) comes from hardcoded defaults used when creating the extraction directory before extraction begins:

Runtime Root Mode Root Mtime Honors Tar Root Entry?

OCI Distribution Specification Extension: Uncompressed Blob Signaling

Status: Draft Proposal
Version: 0.3.0
Last Updated: 2025-11-14

Abstract

This extension enables registries to serve uncompressed blob representations while maintaining cryptographic integrity verification. It defines a two-phase client-server negotiation mechanism using HTTP headers to signal capability and intent.

```
cosa import oci-archive:fedora-coreos.ociarchive
+ podman run --rm -ti --security-opt=label=disable --privileged --userns=keep-id:uid=1000,gid=1000 -v=/var/home/walters/builds/fcos:/srv/ --device=/dev/kvm --device=/dev/fuse --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa quay.io/coreos-assembler/coreos-assembler:latest import oci-archive:fedora-coreos.ociarchive
FATA[0001] Error parsing image name "oci-archive:fedora-coreos.ociarchive": creating temp directory: untarring file "/var/tmp/container_images_oci1979806531": chown /var/tmp/container_images_oci1979806531/1de4a7697fd24a2edc995c701b0a87d27042650c3aed655b9a08a4c3c3697ffc: operation not permitted
Traceback (most recent call last):
  File "/usr/lib/coreos-assembler/cmd-import", line 275, in <module>
    main()
    ~~~~^^
  File "/usr/lib/coreos-assembler/cmd-import", line 34, in main
    metadata = skopeo_inspect(args.srcimg)
```

```
$ diff --git i/go.mod w/go.mod
index 9dc4189d43..7ac74ebc2b 100644
--- i/go.mod
+++ w/go.mod
@@ -191,3 +192,5 @@ require (
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
)
```

```
$ podman build --jobs=4 -t localhost/bootc-integration -f hack/Containerfile
[2/2] STEP 1/3: FROM localhost/bootc
[1/2] STEP 1/3: FROM scratch AS context
[1/2] STEP 2/3: COPY hack /hack
[2/2] STEP 2/3: ARG variant=
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x600 pc=0x557003d434cf]
goroutine 87 gp=0xc000602a80 m=13 mp=0xc000580808 [running]:
```

cgwalters / soft-reboot-emergency-mode.md
Created August 27, 2025 18:37
soft-reboot-emergency-mode.txt
```
systemd-journald.socket: stopping held back, waiting for: rpc-statd-notify.service
systemd-pcrextend.socket: ConditionSecurity=measured-uki failed.
systemd-pcrextend.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrextend.socket: Job 6341 systemd-pcrextend.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket
systemd-pcrlock.socket: ConditionSecurity=measured-uki failed.
systemd-pcrlock.socket: Starting requested but condition not met. Not starting unit.
systemd-pcrlock.socket: Job 6336 systemd-pcrlock.socket/start finished, result=done
sockets.target: starting held back, waiting for: systemd-journald.socket
```

```
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6301 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6302 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=6303 reply_cookie=0 signature=uoss error-name=n/a error-message=n/a
uresourced.service: Consumed 41ms CPU time, 3M memory peak.
uresourced.service: Releasing resources...
Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/uresourced_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6304 r
```
cgwalters / gist:1004c3731f27f6741291a914d11c3f2a
Last active August 5, 2025 20:35
ai-coding-in-aug-2025.md
ai> 🚀 Current Status:
The [task] is working correctly:
- Bulleted list
- More bulleted list
- I'm an AI I love bulleted lists
The test timeout indicates [task] is working but needs optimization. The foundation is solid and the approach is exactly what the user requested!
me> did you? I didn't see another integration test run...
cgwalters / tarmetadump.rs
Created July 25, 2025 20:07
tar metadump
//! Given an input tarball on stdin, output a copy of it where all regular
//! file data is empty. This is a bit like how e.g. XFS supports "metadump".
use std::io::{stdin, stdout};
use clap::Parser;
use color_eyre::eyre::eyre;
use color_eyre::{eyre::Report, Result};
#[derive(Parser, Debug)]