FIXUP: Make release image job reusable

.github/workflows/build-push-image.yml

@@ -20,6 +20,9 @@ on:
         required: true
 
 
+env:
+  BUILDKIT_IMAGE: "docker.io/moby/buildkit:v19.0@sha256:14aa1b4dd92ea0a4cd03a54d0c6079046ea98cd0c0ae6176bdd7036ba370cbbe"
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -52,7 +55,6 @@ jobs:
       - name: Compute image parameters
         id: params
         run: |
-          source Dockerfile.env
           DEBIAN_ARCHIVE_DATE=$(date -u +'%Y%m%d')
           SOURCE_DATE_EPOCH=$(date -u -d ${DEBIAN_ARCHIVE_DATE} +"%s")
           TAG=${DEBIAN_ARCHIVE_DATE}-$(git describe --long --first-parent | tail -c +2)
@@ -62,20 +64,19 @@ jobs:
           echo "source_date_epoch=${SOURCE_DATE_EPOCH}" >> $GITHUB_OUTPUT
           echo "tag=${DEBIAN_ARCHIVE_DATE}-${TAG}" >> $GITHUB_OUTPUT
           echo "full_image_name=${FULL_IMAGE_NAME}" >> $GITHUB_OUTPUT
-          echo "buildkit_image=${BUILDKIT_IMAGE}" >> $GITHUB_OUTPUT
 
   build:
     name: Build ${{ matrix.platform.name }} image
-    runs-on: ${{ matrix.platform.runs-on }}
+    runs-on: ubuntu-24.04${{ matrix.platform.suffix }}
     needs:
       - prepare
     strategy:
       fail-fast: false
       matrix:
         platform:
-          - runs-on: "ubuntu-24.04"
+          - suffix: ""
             name: "linux/amd64"
-          - runs-on: "ubuntu-24.04-arm"
+          - suffix: "-arm"
             name: "linux/arm64"
     steps:
       - uses: actions/checkout@v4
@@ -97,7 +98,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          driver-opts: image=${{ needs.prepare.outputs.buildkit_image }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
 
       - name: Build and push by digest
         id: build
@@ -109,7 +110,7 @@ jobs:
             DEBIAN_ARCHIVE_DATE=${{ needs.prepare.outputs.debian_archive_date }}
             SOURCE_DATE_EPOCH=${{ needs.prepare.outputs.source_date_epoch }}
           provenance: false
-          outputs: type=image,"name=${{ inputs.registry }}/${{ inputs.image_name }}",push-by-digest=true,push=true,rewrite-timestamp=true,name-canonical=true
+          outputs: type=image,"name=${{ inputs.registry }}/${{ needs.image_name }}",push-by-digest=true,push=true,rewrite-timestamp=true,name-canonical=true
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -131,7 +132,7 @@ jobs:
   merge:
     runs-on: ubuntu-latest
     needs:
-      - prepare  # implied by build, but required here to access image params
+      - prepare
       - build
     outputs:
       digest_root: ${{ steps.image.outputs.digest_root }}
@@ -192,11 +193,11 @@ jobs:
   # the container registry.
   provenance:
     needs:
-      - prepare  # implied by merge, but required here to access image params
+      - prepare
       - merge
     strategy:
       matrix:
-        manifest_type:
+        digest:
           - root
           - amd64
           - arm64
@@ -216,16 +217,16 @@ jobs:
   check-reproducibility:
     if: ${{ inputs.reproduce }}
     needs:
-      - prepare  # implied by merge, but required here to access image params
+      - prepare
       - merge
-    runs-on: ${{ matrix.platform.runs-on }}
+    runs-on: ubuntu-24.04${{ matrix.platform.suffix }}
     strategy:
       fail-fast: false
       matrix:
         platform:
-          - runs-on: "ubuntu-24.04"
+          - suffix: ""
             name: "amd64"
-          - runs-on: "ubuntu-24.04-arm"
+          - suffix: "-arm"
             name: "arm64"
     steps:
       - uses: actions/checkout@v4

.github/workflows/release-container-image.yml

@@ -19,4 +19,4 @@ jobs:
       image_name: dangerzone/dangerzone
       reproduce: true
     secrets:
-      registry_token: ${{ secrets.GITHUB_TOKEN }}
+      registry_token : ${{ github.token }}

Dockerfile

@@ -182,11 +182,8 @@ RUN mkdir -p \
     /new_root/tmp \
     /new_root/home/dangerzone/dangerzone-image/rootfs
 
-# Copy the /etc and /var directories under the new root directory. Also,
+# XXX: Remove /etc/resolv.conf, so that the network configuration of the host
-# copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
+# does not leak.
-#
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
     && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \

Dockerfile.env

@@ -7,7 +7,3 @@ GVISOR_ARCHIVE_DATE=20250217
 # Can be bumped to the latest version and checksum from https://github.com/ebandal/H2Orestart/releases
 H2ORESTART_CHECKSUM=452331f8603ef456264bd72db6fa8a11ca72b392019a8135c0b2f3095037d7b1
 H2ORESTART_VERSION=v0.7.1
-
-# Buildkit image (taken from freedomofpress/repro-build)
-BUILDKIT_IMAGE="docker.io/moby/buildkit:v19.0@sha256:14aa1b4dd92ea0a4cd03a54d0c6079046ea98cd0c0ae6176bdd7036ba370cbbe"
-BUILDKIT_IMAGE_ROOTLESS="docker.io/moby/buildkit:v0.19.0-rootless@sha256:e901cffdad753892a7c3afb8b9972549fca02c73888cf340c91ed801fdd96d71"

Dockerfile.in

@@ -182,11 +182,8 @@ RUN mkdir -p \
     /new_root/tmp \
     /new_root/home/dangerzone/dangerzone-image/rootfs
 
-# Copy the /etc and /var directories under the new root directory. Also,
+# XXX: Remove /etc/resolv.conf, so that the network configuration of the host
-# copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
+# does not leak.
-#
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
     && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \

dangerzone/container_utils.py

@@ -128,21 +128,23 @@ def get_expected_tag() -> str:
 def load_image_tarball() -> None:
     log.info("Installing Dangerzone container image...")
     tarball_path = get_resource_path("container.tar")
-    try:
+    with open(tarball_path) as f:
-        res = subprocess.run(
+        try:
-            [get_runtime(), "load", "-i", tarball_path],
+            res = subprocess.run(
-            startupinfo=get_subprocess_startupinfo(),
+                [get_runtime(), "load"],
-            capture_output=True,
+                stdin=f,
-            check=True,
+                startupinfo=get_subprocess_startupinfo(),
-        )
+                capture_output=True,
-    except subprocess.CalledProcessError as e:
+                check=True,
-        if e.stderr:
+            )
-            error = e.stderr.decode()
+        except subprocess.CalledProcessError as e:
-        else:
+            if e.stderr:
-            error = "No output"
+                error = e.stderr.decode()
-        raise errors.ImageInstallationException(
+            else:
-            f"Could not install container image: {error}"
+                error = "No output"
-        )
+            raise errors.ImageInstallationException(
+                f"Could not install container image: {error}"
+            )
 
     # Loading an image built with Buildkit in Podman 3.4 messes up its name. The tag
     # somehow becomes the name of the loaded image [1].

dangerzone/isolation_provider/qubes.py

@@ -130,7 +130,7 @@ def is_qubes_native_conversion() -> bool:
         # This disambiguates if it is running a Qubes targetted build or not
         # (Qubes-specific builds don't ship the container image)
 
-        container_image_path = get_resource_path("container.tar")
+        compressed_container_path = get_resource_path("container.tar")
-        return not os.path.exists(container_image_path)
+        return not os.path.exists(compressed_container_path)
     else:
         return False

dev_scripts/repro-build

@@ -220,22 +220,7 @@ def oci_normalize_path(path):
 
 
 def oci_get_file_from_tarball(tar: tarfile.TarFile, path: str) -> dict:
-    """Get file from an OCI tarball.
+    return
-
-    If the filename cannot be found, search again by prefixing it with "./", since we
-    have encountered path names in OCI tarballs prefixed with "./".
-    """
-    try:
-        return tar.extractfile(path).read().decode()
-    except KeyError:
-        if not path.startswith("./") and not path.startswith("/"):
-            path = "./" + path
-            try:
-                return tar.extractfile(path).read().decode()
-            except KeyError:
-                # Do not raise here, so that we can raise the original exception below.
-                pass
-        raise
 
 
 def oci_parse_manifest(tar: tarfile.TarFile, path: str, platform: dict | None) -> dict:
@@ -246,7 +231,7 @@ def oci_parse_manifest(tar: tarfile.TarFile, path: str, platform: dict | None) -
     carry it from the previous manifest and include in the info here.
     """
     path = oci_normalize_path(path)
-    contents = oci_get_file_from_tarball(tar, path)
+    contents = tar.extractfile(path).read().decode()
     digest = "sha256:" + hashlib.sha256(contents.encode()).hexdigest()
     contents_dict = json.loads(contents)
     media_type = get_key(contents_dict, "mediaType")

dev_scripts/reproduce-image.py

@@ -102,7 +102,7 @@ def main():
         f"Check that the reproduced image has the expected digest: {args.digest}"
     )
     run(
-        "./dev_scripts/repro-build.py",
+        "./dev_scripts/repro-build",
         "analyze",
         "--show-contents",
         "share/container.tar",

install/common/build-image.py

@@ -122,7 +122,7 @@ def main():
 
     subprocess.run(
         [
-            "./dev_scripts/repro-build.py",
+            "./dev_scripts/repro-build",
             "build",
             "--runtime",
             args.runtime,