build-sys: Always build packages as separate stage

We were previously trying to support a direct `podman/docker build`
*and* injecting externally built packages (for CI).

Looking to rework for sealed images it was too hacky; let's
just accept that a raw `podman build` no longer works, the canonical
entry for local build is `just build` which builds both a package
and a container.

This way CI and local work exactly the same.

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Dockerfile

@@ -83,18 +83,9 @@ ARG rootfs=""
 RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-rootfs "${variant}" "${rootfs}"
 COPY --from=packaging /usr-extras/ /usr/
 
-# Default target for source builds (just build)
-# Installs packages from the internal build stage
+# Final target: installs pre-built packages from /run/packages volume mount.
+# Use with: podman build --target=final -v path/to/packages:/run/packages:ro
 FROM final-common as final
-RUN --mount=type=bind,from=packaging,target=/run/packaging \
-    --mount=type=bind,from=build,target=/build-output \
-    --network=none \
-    /run/packaging/install-rpm-and-setup /build-output/out
-RUN bootc container lint --fatal-warnings
-
-# Alternative target for pre-built packages (CI workflow)
-# Use with: podman build --target=final-from-packages -v path/to/packages:/run/packages:ro
-FROM final-common as final-from-packages
 RUN --mount=type=bind,from=packaging,target=/run/packaging \
     --network=none \
     /run/packaging/install-rpm-and-setup /run/packages

Justfile

@@ -70,22 +70,25 @@ _git-build-vars:
 # Note commonly you might want to override the base image via e.g.
 # `just build --build-arg=base=quay.io/fedora/fedora-bootc:42`
 #
-# The Dockerfile builds RPMs internally in its 'build' stage, so we don't need
-# to call 'package' first. This avoids cache invalidation from external files.
-build: _keygen
-    #!/bin/bash
-    set -xeuo pipefail
-    eval $(just _git-build-vars)
-    podman build {{base_buildargs}} --target=final \
-        --build-arg=SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
-        --build-arg=pkgversion=${VERSION} \
-        -t {{base_img}}-bin {{buildargs}} .
-    ./hack/build-sealed {{variant}} {{base_img}}-bin {{base_img}} {{sealed_buildargs}}
+# This first builds RPMs via the `package` target, then injects them
+# into the container image.
+build: package _keygen
+    @just _build-from-package target/packages
 
 # Generate Secure Boot keys (only for our own CI/testing)
 _keygen:
     ./hack/generate-secureboot-keys
 
+# Internal helper: build container image from packages at PATH
+_build-from-package PATH:
+    #!/bin/bash
+    set -xeuo pipefail
+    # Resolve to absolute path for podman volume mount
+    # Use :z for SELinux relabeling
+    pkg_path=$(realpath "{{PATH}}")
+    podman build --target=final -v "${pkg_path}":/run/packages:ro,z -t {{base_img}}-bin {{buildargs}} .
+    ./hack/build-sealed {{variant}} {{base_img}}-bin {{base_img}} {{sealed_buildargs}}
+
 # Build a sealed image from current sources.
 build-sealed:
     @just --justfile {{justfile()}} variant=composefs-sealeduki-sdboot build
@@ -108,34 +111,6 @@ package: _packagecontainer
     chmod a+r target/packages/*.rpm
     podman rmi localhost/bootc-pkg
 
-# Copy pre-existing packages from PATH into target/packages/
-# Note: This is mainly for CI artifact extraction; build-from-package
-# now uses volume mounts directly instead of copying to target/packages/.
-copy-packages-from PATH:
-    #!/bin/bash
-    set -xeuo pipefail
-    if ! compgen -G "{{PATH}}/*.rpm" > /dev/null; then
-        echo "Error: No packages found in {{PATH}}" >&2
-        exit 1
-    fi
-    mkdir -p target/packages
-    rm -vf target/packages/*.rpm
-    cp -v {{PATH}}/*.rpm target/packages/
-    chmod a+rx target target/packages
-    chmod a+r target/packages/*.rpm
-
-# Build the container image using pre-existing packages from PATH
-# Uses the 'final-from-packages' target with a volume mount to inject packages,
-# avoiding Docker context cache invalidation issues.
-build-from-package PATH: _keygen
-    #!/bin/bash
-    set -xeuo pipefail
-    # Resolve to absolute path for podman volume mount
-    # Use :z for SELinux relabeling
-    pkg_path=$(realpath "{{PATH}}")
-    podman build {{base_buildargs}} --target=final-from-packages -v "${pkg_path}":/run/packages:ro,z -t {{base_img}}-bin {{buildargs}} .
-    ./hack/build-sealed {{variant}} {{base_img}}-bin {{base_img}} {{sealed_buildargs}}
-
 # Pull images used by hack/lbi
 _pull-lbi-images:
     podman pull -q --retry 5 --retry-delay 5s {{lbi_images}}
@@ -146,8 +121,8 @@ build-integration-test-image: build _pull-lbi-images
     ./hack/build-sealed {{variant}} {{integration_img}}-bin {{integration_img}} {{sealed_buildargs}}
 
 # Build integration test image using pre-existing packages from PATH
-build-integration-test-image-from-package PATH: _pull-lbi-images
-    @just build-from-package {{PATH}}
+build-integration-test-image-from-package PATH: _keygen _pull-lbi-images
+    @just _build-from-package {{PATH}}
     cd hack && podman build {{base_buildargs}} -t {{integration_img}}-bin -f Containerfile .
     ./hack/build-sealed {{variant}} {{integration_img}}-bin {{integration_img}} {{sealed_buildargs}}