Remove broken workflow rules

They were preventing builds on main and on tags.  Rather than try and
debug them, just kill them as they're mostly unnecessary for this repo.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>

.gitlab-ci.yml

@@ -1,25 +1,39 @@
 ---
 
-stages:
-    - build
-
-build:
-  stage: build
+default:
+  image: quay.io/buildah/stable:v1.28.0
   tags:
     - docker
     - linux
-  image:
-    name: gcr.io/kaniko-project/executor:v1.6.0-debug
-    entrypoint: ["/busybox/sh", "-c"]
+
+envars:
+  stage: test
+  script: |
+    echo "Select CI env. vars.:";
+    printenv | egrep '^CI_' | sort
+
+commit_check:
+  stage: test
   variables:
-    BASE_TAG: latest
-    FLAVOR: stable
+    BADRX: '^(squash!)|(fixup!)'
+  script: |
+    dnf install -y git
+    shortlogtmp=$(mktemp -p '' commit_check_tmp_XXXX)
+    git log --oneline --no-show-signature "${CI_MERGE_REQUEST_DIFF_BASE_SHA}..HEAD" > "$shortlogtmp"
+    if egrep -q "$BADRX" "$shortlogtmp"; then
+        egrep "$BADRX" "$shortlogtmp"
+        die "Found the above commits matching '$BADRX'"
+    fi
+
+build:
+  stage: deploy
+  variables:
+    BUILDAH_FORMAT: docker
+    BUILDAH_ISOLATION: chroot
+    STORAGE_DRIVER: vfs
+  before_script:
+    - echo "$CI_REGISTRY_PASSWORD" | buildah login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
   script:
-    - 'mkdir -p /kaniko/.docker'
-    - 'echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json'
-    - |
-        echo "Select CI env. vars.:";
-        printenv | egrep '^CI_' | sort
     # N/B: There could be more than one merge-request open with this branch's HEAD
     - |
         IMAGE_TAG="${CI_COMMIT_BRANCH}";
@@ -31,10 +45,12 @@ build:
             IMAGE_TAG="latest";
         fi
         echo "Building/Pushing to: ${CI_REGISTRY_IMAGE}:${IMAGE_TAG}";
-    - |
-        /kaniko/executor \
-            --context $CI_PROJECT_DIR \
-            --dockerfile $CI_PROJECT_DIR/Containerfile \
-            --destination "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}" \
-            --build-arg "BASE_TAG=$BASE_TAG" \
-            --build-arg "FLAVOR=$FLAVOR"
+    - >-
+      buildah build \
+        --label "org.opencontainers.image.source=${CI_PROJECT_URL}" \
+        --label "org.opencontainers.image.revision=$CI_COMMIT_SHA" \
+        --label "org.opencontainers.image.created=$CI_JOB_STARTED_AT" \
+        --label "org.opencontainers.image.version=${IMAGE_TAG}" \
+        -t "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}" "$CI_PROJECT_DIR"
+    - buildah images
+    - buildah push "${CI_REGISTRY_IMAGE}:${IMAGE_TAG}"

Containerfile

@@ -6,9 +6,7 @@
 # https://docs.gitlab.com/runner/executors/docker.html#use-podman-to-run-docker-commands
 #
 
-ARG FLAVOR="stable"
-ARG BASE_TAG="latest"
-FROM quay.io/podman/$FLAVOR:$BASE_TAG
+FROM quay.io/podman/stable:v4.3.1
 
 # This is a list of packages to remove and/or exclude from the image.
 # Primarily this is done for security reasons, should a runner process
@@ -104,7 +102,8 @@ RUN sed -i -r \
 # Runtime rootless-mode configuration
 USER podman
 VOLUME ["/home/podman/.local/share/containers/storage/",\
-        "/home/podman/.gitlab-runner/"]
+        "/home/podman/.gitlab-runner/", \
+        "/cache"]
 WORKDIR /home/podman
 ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
 
@@ -121,7 +120,10 @@ ARG PRIVILEGED_RUNNER="true"
 ARG RUNNER_TAGS="podman-in-podman"
 # Permit running jobs without any tag at all
 ARG RUNNER_UNTAGGED="true"
-ENV REGISTER_NON_INTERACTIVE="true" \
+# Adjust based on usage and storage size to prevent ENOSPACE problems
+ARG CLEAN_INTERVAL="24h"
+ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
+    REGISTER_NON_INTERACTIVE="true" \
     RUNNER_TAG_LIST="$RUNNER_TAGS" \
     REGISTER_RUN_UNTAGGED="$RUNNER_UNTAGGED" \
     REGISTER_ACCESS_LEVEL="ref_protected" \

README.md

@@ -154,6 +154,10 @@ Several build arguments are available to control the output image:
   exact podman version.  Possible values include, `latest`, `vX`, `vX.Y`,
   and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic
   version numbers).  It's also possible to specify an image SHA.
+* `CLEAN_INTERVAL` - A `sleep` (command) compatible time-argument that
+  determines how often to clean out podman storage of disused containers and
+  images.  Defaults to 24-hours, but should be adjusted based on desired caching-effect
+  versus available storage space and rate of job execution.
 * `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent
   their existence in the final image.  This is intended as a security measure
   to limit the attack-surface should a gitlab-runner process escape it's

podman-in-podman-maintenance

@@ -4,16 +4,23 @@
 # a podman-in-podman gitlab runner container.  Any usage
 # outside that context is not supported and may cause harm.
 
-set -e
+set -eo pipefail
 
 maintain_podman() {
   # Two days seems to be a good happy-medium beween filling up
   # about 40gig of storage space from moderate CI activity,
   # and maintaining a useful level of caching.
-  while sleep 2d; do
+  while sleep "$CLEAN_INTERVAL"; do
     if [[ -n "$PODMAN_RUNNER_DEBUG" ]]; then
       echo "$(date --iso-8601=second) ${BASH_SOURCE[0] performing podman maintenance}"
     fi
     podman system prune --all --force
   done
 }
+
+if [[ -z "$CLEAN_INTERVAL" ]]; then
+  echo "ERROR: Empty/unset \$CLEAN_INTERVAL"
+  exit 1
+fi
+
+maintain_podman