osbuild · thozza · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/check-ci-config.yml b/.github/workflows/check-ci-config.yml
@@ -0,0 +1,20 @@
+name: Check CI config
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  check-ci-config:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: pip install pyyaml
+
+      - name: Regenerate .gitlab-ci.yml
+        run: python3 test/generate_ci.py > .gitlab-ci.yml.generated
+
+      - name: Check .gitlab-ci.yml is up to date
+        run: diff -u .gitlab-ci.yml .gitlab-ci.yml.generated
diff --git a/.github/workflows/update-images.yml b/.github/workflows/update-images.yml
@@ -0,0 +1,43 @@
+name: Update images library ref
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * 0"
+
+jobs:
+  update-and-push:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN }}
+      GITHUB_TOKEN: ${{ secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN }}
+    steps:
+      - name: Clone
+        run: |
+          git clone --depth=1 --branch main https://github.com/$GITHUB_REPOSITORY ./src
+
+      - name: User config
+        working-directory: ./src
+        run: |
+          git config user.name "schutzbot"
+          git config user.email "schutzbot@gmail.com"
+
+      - name: Update Schutzfile
+        working-directory: ./src
+        run: python3 test/update-schutzfile-images
+
+      - name: Open PR
+        working-directory: ./src
+        run: |
+          if git diff --exit-code; then echo "No changes"; exit 0; fi
+          branch="schutzfile-images-$(date -I)"
+          git checkout -b "${branch}"
+          git add Schutzfile
+          git commit -m "schutzfile: Update images library commit ref"
+          remote="https://oauth2:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}"
+          git push -f "${remote}" "${branch}"
+          gh pr create \
+            --title "Update images library commit ref" \
+            --body-file "github_pr_body.txt" \
+            --base "main" \
+            --head "${branch}"
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,7 @@
 /*.local.sh
 /*.local.yaml
+github_pr_body.txt
+_images/
+build/
+*.pyc
+__pycache__/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,8 +1,296 @@
----
 stages:
+  - init
   - test
+  - finish
 
-no-op:
+init:
+  stage: init
+  interruptible: true
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh start
+
+finish:
+  stage: finish
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh finish
+
+fail:
+  stage: finish
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh fail
+    - exit 1
+  when: on_failure
+
+.base:
+  interruptible: true
+  variables:
+    PYTHONUNBUFFERED: '1'
+  before_script:
+    - cat schutzbot/team_ssh_keys.txt | tee -a ~/.ssh/authorized_keys > /dev/null
+    - test/setup.sh
+  after_script:
+    - schutzbot/unregister.sh || true
+
+.terraform:
+  extends: .base
+  tags:
+    - terraform
+
+.terraform/openstack:
+  extends: .base
+  tags:
+    - terraform/openstack
+
+stream9-qcow2-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-amd64/**/*
+        - stream9-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh stream9-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 x86_64 centos-9
+    - test/boot.sh
+
+stream9-qcow2-aarch64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-aarch64
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-arm64/**/*
+        - stream9-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh stream9-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 aarch64 centos-9
+    - test/boot.sh
+
+stream10-qcow2-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-amd64/**/*
+        - stream10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh stream10-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 x86_64 centos-10
+    - test/boot.sh
+
+stream10-qcow2-aarch64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-aarch64
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-arm64/**/*
+        - stream10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh stream10-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 aarch64 centos-10
+    - test/boot.sh
+
+stream10-installer-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64-large
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-amd64/**/*
+        - stream10-installer
+        - stream10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh stream10-installer)
+    - PAYLOAD_REF=$(test/get-container.sh stream10-qcow2)
+    - test/build.sh "$CONTAINER_REF" bootc-generic-iso x86_64 centos-10 "$PAYLOAD_REF"
+    - test/boot.sh
+
+rhel-10-azure-x86_64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-x86_64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - azure-amd64/**/*
+        - azure/**/*
+        - rhel-10-azure
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-azure)
+    - test/build.sh "$CONTAINER_REF" vhd x86_64 rhel-10
+    - test/boot.sh
+
+rhel-10-ec2-x86_64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-x86_64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - ec2-amd64/**/*
+        - ec2/**/*
+        - rhel-10-ec2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-ec2)
+    - test/build.sh "$CONTAINER_REF" ami x86_64 rhel-10
+    - test/boot.sh
+
+rhel-10-ec2-aarch64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-aarch64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - ec2-arm64/**/*
+        - ec2/**/*
+        - rhel-10-ec2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-ec2)
+    - test/build.sh "$CONTAINER_REF" ami aarch64 rhel-10
+    - test/boot.sh
+
+rhel-10-gcp-x86_64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-x86_64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - gcp-amd64/**/*
+        - gcp/**/*
+        - rhel-10-gcp
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-gcp)
+    - test/build.sh "$CONTAINER_REF" gce x86_64 rhel-10
+    - test/boot.sh
+
+rhel-10-installer-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64-large
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-amd64/**/*
+        - rhel-10-installer
+        - rhel-10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-installer)
+    - PAYLOAD_REF=$(test/get-container.sh rhel-10-qcow2)
+    - test/build.sh "$CONTAINER_REF" bootc-generic-iso x86_64 rhel-10 "$PAYLOAD_REF"
+    - test/boot.sh
+
+rhel-10-qcow2-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-amd64/**/*
+        - rhel-10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 x86_64 rhel-10
+    - test/boot.sh
+
+rhel-10-qcow2-aarch64:
+  stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-aarch64
+    SUBSCRIPTION_NEEDED: true
+    RH_REGISTRY_LOGIN_NEEDED: true
+  rules:
+    - changes:
+        - Schutzfile
+        - qcow2-arm64/**/*
+        - rhel-10-qcow2
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh rhel-10-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 aarch64 rhel-10
+    - test/boot.sh
+
+hummingbird-qcow2-x86_64:
+  stage: test
+  extends: .terraform/openstack
+  variables:
+    RUNNER: rhos-01/fedora-43-x86_64
+  rules:
+    - changes:
+        - Schutzfile
+        - hummingbird-qcow2
+        - hummingbird-qcow2-amd64/**/*
+        - qcow2-amd64/**/*
+        - test/**/*
+  script:
+    - CONTAINER_REF=$(test/get-container.sh hummingbird-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 x86_64 hummingbird
+    - test/boot.sh
+
+hummingbird-qcow2-aarch64:
   stage: test
+  extends: .terraform
+  variables:
+    RUNNER: aws/fedora-43-aarch64
+  rules:
+    - changes:
+        - Schutzfile
+        - hummingbird-qcow2
+        - hummingbird-qcow2-arm64/**/*
+        - qcow2-arm64/**/*
+        - test/**/*
   script:
-    - echo "no-op"
+    - CONTAINER_REF=$(test/get-container.sh hummingbird-qcow2)
+    - test/build.sh "$CONTAINER_REF" qcow2 aarch64 hummingbird
+    - test/boot.sh
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -6,6 +6,9 @@ ignore: |
 
 rules:
   document-start: disable
+  indentation:
+    spaces: 2
+    indent-sequences: consistent
   line-length:
     max: 200
   truthy: disable
diff --git a/Makefile b/Makefile
@@ -15,3 +15,11 @@ fmt: fmt-shell
 .PHONY: fmt-shell
 fmt-shell:
 	find . -name '*.sh' -not -path '*/.git/*' -exec shfmt -w -i 4 {} \;
+
+.PHONY: test
+test:
+	python3 -m pytest test/ -v
+
+.PHONY: generate-ci
+generate-ci:
+	python3 test/generate_ci.py > .gitlab-ci.yml