Support <version>-immutable tagged stable images

.cirrus.yml

@@ -6,9 +6,7 @@ env:
     CIRRUS_SHELL: "/bin/bash"
     # No need to go crazy, but grab enough to cover most PRs
     CIRRUS_CLONE_DEPTH: 10
-    # Prefix git URL for every container tool's repo home
-    REPO_PREFIX: https://github.com/containers
-    IMAGE_SUFFIX: "c20240320t153921z-f39f38d13"
+    IMAGE_SUFFIX: "c20240410t200635z-f39f38d13"
 
 gcp_credentials: ENCRYPTED[88b219cf6b4f2d70c4ff7f8c6c3186396102e14a27b47b985e40a0a0bc5337a270f9eee195b36ff6b3e2f07558998a95]
 
@@ -40,12 +38,11 @@ test_build-push_task:
         zone: "us-central1-a"
         disk: 200
     script: |
-      bash ./build-push/.install.sh
-      bash ./build-push/test.sh
+        ./ci/test.sh
 
 test_image_build_task:
     alias: test_image_build
-    name: Test build ${REPO_NAME}/${FLAVOR_NAME} image
+    name: Test build ${CTX_SUB}/${FLAVOR_NAME} image
     only_if: *is_pr
     depends_on:
         - test_build-push
@@ -61,29 +58,30 @@ test_image_build_task:
               FLAVOR_NAME: upstream
           matrix: &pbs_images
                 - env:
-                      REPO_NAME: podman
-                      skip: "!changesInclude('.cirrus.yml', 'build-push/**/*', 'podman/**/*')"
+                      CTX_SUB: podman
+                      skip: "!changesInclude('.cirrus.yml', 'ci/containers_build_push.sh', 'ci/tag_version.sh', 'podman/**/*')"
                 - env:
-                      REPO_NAME: buildah
-                      skip: "!changesInclude('.cirrus.yml', 'build-push/**/*', 'buildah/**/*')"
+                      CTX_SUB: buildah
+                      skip: "!changesInclude('.cirrus.yml', 'ci/containers_build_push.sh', 'ci/tag_version.sh', 'buildah/**/*')"
                 - env:
-                      REPO_NAME: skopeo
-                      skip: "!changesInclude('.cirrus.yml', 'build-push/**/*', 'skopeo/**/*')"
+                      CTX_SUB: skopeo
+                      skip: "!changesInclude('.cirrus.yml', 'ci/containers_build_push.sh', 'ci/tag_version.sh', 'skopeo/**/*')"
         - env:
               FLAVOR_NAME: testing
           matrix: *pbs_images
         - env:
               FLAVOR_NAME: stable
           matrix: *pbs_images
+        - env:
+              FLAVOR_NAME: immutable
+          matrix: *pbs_images
     script: &pbs_script |
-        bash ./build-push/.install.sh
         source /etc/automation_environment
-        # The '.' prefix to repo URL is significant - it means do not clone.
-        containers_build_push.sh .${REPO_PREFIX}/${REPO_NAME}.git ${REPO_NAME} ${FLAVOR_NAME}
+        ./ci/containers_build_push.sh ${CIRRUS_REPO_CLONE_URL} ${CTX_SUB} ${FLAVOR_NAME}
 
 cron_image_build_task:
     alias: cron_image_build
-    name: Build ${REPO_NAME}/${FLAVOR_NAME} image
+    name: Build ${CTX_SUB}/${FLAVOR_NAME} image
     only_if: $CIRRUS_CRON == 'cron_image_build_task'
     gce_instance: *build_push
     env:

README.md

@@ -23,10 +23,15 @@ The container images are tagged as follows, where `*` represents either `podman`
 or `skopeo`:
 
   * `quay.io/containers/*:<version>` and `quay.io/*/stable:<version>` -
-    These images are built daily.  They are intended to contain an unchanging
-    and stable version of their container image. For the most recent `<version>` tags (`vX`,
+    These images are built daily.  They are intended to contain the latest stable
+    versions of their respective container tool. For the most recent `<version>` tags (`vX`,
     `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
     (especially) security updates.
+  * `quay.io/containers/*:<version>-immutable` -  Uses the same source as the 'stable'
+    images, is built daily, but version-tags are never overwritten once pushed.  This is
+    intended for users that value an unchanging image tag and digest over having daily
+    security updates.  All three `<version>` values are available, `vX-immutable`,
+    `vX.Y-immutable` and `vX.Y.Z-immutable`.
   * `quay.io/containers/*:latest` and `quay.io/*/stable:latest` -
     Built daily using the same `Containerfile` as above.  The tool versions
     will remain the "latest" available in Fedora.

ci/README.md

@@ -0,0 +1,5 @@
+# DO NOT USE
+
+This directory contains elements only intended to be run by
+CI under in a very specific environments.  Any use of these
+scripts outside their intended environments may cause harm.