ci: Add C10S containerized ephemeral test workflow

Add a complete end-to-end test workflow for running ephemeral integration
tests in a CentOS Stream 10 container environment. This tests two things
very different from the default main.yml workflow:

- Running in a nested container environment
- bcvk on RHEL-based systems where qemu is at /usr/libexec/qemu-kvm

The implementation provides both GitHub Actions CI and local testing:

**CI Workflow (.github/workflows/main-c10s.yml):**
- Simplified single-job workflow that builds and runs the test container
- Uses the ubuntu-24.04 runner with privileged podman
- All 13 ephemeral integration tests run in the container

**Local Testing (just test-ephemeral-c10s):**
- Builds the test container from tests/fixtures/Containerfile
- Runs with KVM device access and container storage volume
- Provides quick iteration for C10S-specific testing

**Container Structure (tests/fixtures/Containerfile):**
- Multi-stage build: compile bcvk and create nextest archive in build stage
- Runtime stage: C10S base with qemu/libvirt/podman dependencies
- Includes full workspace structure for nextest archive execution
- Pulls test images and runs ephemeral tests by default

**Supporting Files:**
- .dockerignore: Includes .config/ for nextest configuration
- Justfile: Adds build-image-c10s and test-ephemeral-c10s targets

Successfully tested locally with all 13 ephemeral tests passing.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

.dockerignore

@@ -0,0 +1,19 @@
+# Exclude everything by default, then include just what we need
+# Especially note this means that .git is not included, and not tests/
+# to avoid spurious rebuilds.
+*
+
+# Toplevel build bits
+!Makefile
+!Cargo.*
+# Docs
+!docs
+# We use the spec file
+!packaging/
+# Workaround for podman bug with secrets + remote
+# https://github.com/containers/podman/issues/25314
+!podman-build-secret*
+# Nextest configuration
+!.config/
+# And finally of course all the Rust sources
+!crates/

.github/workflows/main-c10s.yml

@@ -0,0 +1,24 @@
+name: CI (c10s)
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  test-ephemeral:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build C10S test container
+        run: podman build -f tests/fixtures/Containerfile -t localhost/bcvk:c10s .
+
+      - name: Run ephemeral integration tests
+        run: |
+          podman run --rm --privileged --device=/dev/kvm \
+            -v bcvk-test-storage:/var/lib/containers \
+            localhost/bcvk:c10s

Justfile

@@ -96,3 +96,10 @@ archive: build
 install: build
     cp target/release/bck ~/.local/bin/
 
+build-image-c10s:
+    podman build -f tests/fixtures/Containerfile -t localhost/bcvk:c10s .
+
+test-ephemeral-c10s: build-image-c10s
+    # TODO try downgrading to --cap-add=all --security-opt=label=type:container_runtime_t, I think
+    # we'll need to assume `--net=host` mainly in bcvk in this situation.
+    podman run --rm --privileged --device=/dev/kvm -v bcvk-test-storage:/var/lib/containers localhost/bcvk:c10s

tests/fixtures/Containerfile

@@ -0,0 +1,77 @@
+# Container for running bcvk ephemeral tests on C10S
+# This mirrors the CI workflow in .github/workflows/main-c10s.yml
+
+ARG base=quay.io/centos/centos:stream10
+FROM $base as build
+
+# Install build dependencies
+RUN dnf clean all && \
+    dnf -y install dnf-utils && \
+    dnf config-manager --set-enabled crb && \
+    dnf install -y pkgconfig go-md2man gcc make openssl-devel openssh-clients
+
+# Install Rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Install nextest
+RUN cargo install cargo-nextest --locked
+
+# Copy source code
+COPY . /src
+WORKDIR /src
+
+# Build bcvk and create integration test archive
+RUN make && \
+    cargo nextest archive --release -P integration -p integration-tests --archive-file integration-tests.tar.zst
+
+# Runtime stage
+FROM $base
+
+# Install runtime dependencies for running VMs
+RUN dnf clean all && \
+    dnf -y install dnf-utils && \
+    dnf config-manager --set-enabled crb && \
+    dnf install -y \
+        libvirt-daemon \
+        libvirt-daemon-driver-qemu \
+        libvirt-client \
+        qemu-kvm \
+        virtiofsd \
+        podman && \
+    dnf clean all
+
+# Install Rust (needed for cargo nextest)
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Install nextest
+RUN cargo install cargo-nextest --locked
+
+# Copy built artifacts
+COPY --from=build /src/target/release/bcvk /usr/local/bin/bcvk
+COPY --from=build /src/integration-tests.tar.zst /tests/integration-tests.tar.zst
+
+# Copy source tree metadata needed by nextest
+# Nextest needs the workspace structure even when using archives
+COPY --from=build /src/Cargo.toml /src/Cargo.lock /tests/
+COPY --from=build /src/.config /tests/.config
+COPY --from=build /src/crates /tests/crates
+
+# Set up environment
+ENV BCVK_PATH=/usr/local/bin/bcvk
+ENV LIBVIRT_DEFAULT_URI=qemu:///system
+WORKDIR /tests
+
+# Create entrypoint script that pulls images and runs tests
+RUN printf '#!/bin/bash\n\
+set -euo pipefail\n\
+echo "Pulling test images..."\n\
+podman pull -q quay.io/fedora/fedora-bootc:42 quay.io/centos-bootc/centos-bootc:stream9 quay.io/centos-bootc/centos-bootc:stream10\n\
+echo "Running ephemeral integration tests..."\n\
+exec cargo nextest run --archive-file integration-tests.tar.zst --workspace-remap /tests ephemeral\n\
+' > /usr/local/bin/run-tests.sh && \
+    chmod +x /usr/local/bin/run-tests.sh
+
+# Default command runs the test script
+CMD ["/usr/local/bin/run-tests.sh"]