ci: Add support for bootc end-to-end validation tests

[richm]

NOTE: This also requires upgrading to tox-lsr 3.10.0, and some
hacks to workaround a podman issue in ubuntu.

These tests run the role during a bootc container image build, deploy
the container into a QEMU VM, boot that, and validate the expected
configuration there. They run in two different tox environments, and
thus have to be run in two steps (preparation in buildah, validation in
QEMU). The preparation is expected to output a qcow2 image in
tests/tmp/TESTNAME/qcow2/disk.qcow2, i.e. the output structure of
https://github.com/osbuild/bootc-image-builder.

There are two possibilities:

• Have separate bootc end-to-end tests. These are tagged with
  tests::bootc-e2 and are skipped in the normal qemu-* scenarios.
  They run as part of the container-* ones.

• Modify an existing test: These need to build a qcow2 image exactly
  once (via calling bootc-buildah-qcow.sh) and skip setup/cleanup
  and role invocations in validation mode, i.e. when
  __bootc_validation is true.

In the container scenario, run the QEMU validation as a separate step in
the workflow.

See https://issues.redhat.com/browse/RHEL-88396

[sourcery-ai]

Reviewer's Guide

This PR implements full bootc end-to-end validation by upgrading tox-lsr, injecting a Podman 5.x workaround for Ubuntu, fine-tuning tox invocation in the QEMU workflow, and adding a dedicated GH Actions step to run and log bootc validation inside a QEMU VM.

Sequence Diagram for Bootc End-to-End Test Execution

sequenceDiagram
    participant GHA as GitHub Actions
    participant ToxPrep as Tox (Prep Env)
    participant Builder as bootc-image-builder/Buildah
    participant Role as Ansible Role
    participant ArtifactStore as Artifact (disk.qcow2)
    participant ToxVal as Tox (Validate Env)
    participant QEMU as QEMU VM

    GHA->>ToxPrep: Start Preparation Stage
    ToxPrep->>Builder: Run image build (with Ansible Role)
    activate Builder
    Builder->>Role: Execute Role during build
    Role-->>Builder: Role applied
    Builder-->>ArtifactStore: Produce disk.qcow2
    deactivate Builder
    ArtifactStore-->>ToxPrep: disk.qcow2 ready
    ToxPrep-->>GHA: Preparation Complete

    GHA->>ToxVal: Start Validation Stage
    ToxVal->>ArtifactStore: Retrieve disk.qcow2
    ArtifactStore-->>ToxVal: disk.qcow2
    ToxVal->>QEMU: Deploy disk.qcow2 & Boot VM
    activate QEMU
    QEMU-->>ToxVal: VM Ready
    ToxVal->>QEMU: Run validation checks (validates Role effects)
    QEMU-->>ToxVal: Validation Results
    deactivate QEMU
    ToxVal-->>GHA: Validation Complete

Loading

File-Level Changes

Change	Details	Files
Upgrade tox-lsr to 3.10.0 across GitHub workflows	Updated pip3 install lines to reference [email protected] Applied change in multiple workflow files to keep version consistent	.github/workflows/qemu-kvm-integration-tests.yml .github/workflows/ansible-lint.yml .github/workflows/ansible-managed-var-comment.yml .github/workflows/ansible-test.yml .github/workflows/python-unit-test.yml
Add Ubuntu Podman 5.x hack for bootc scenarios	Conditionally inject ‘plucky’ apt source listings when image ends with '-bootc' Pinned and installed Podman 5.x and related packages via apt preferences	.github/workflows/qemu-kvm-integration-tests.yml
Refine tox invocation parameters for QEMU tests	Introduced $TOX_ARGS expansion in the tox command Replaced existing skip-tags with skip-tags tests::bootc-e2e	.github/workflows/qemu-kvm-integration-tests.yml
Add bootc end-to-end validation step in QEMU	Loop over generated qcow2 images to invoke validation mode via __bootc_validation flag Capture output logs into test-specific PASS/FAIL files and exit on failure	.github/workflows/qemu-kvm-integration-tests.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @richm - I've reviewed your changes - here's some feedback:

• The podman pinning hack is quite fragile—consider extracting it into a named reusable step or clearly document its removal condition to avoid future confusion.
• You’re skipping tests::bootc-e2e in the QEMU run but your PR description calls the tag tests::bootc-e2—please verify the tag name is consistent everywhere.
• You’ve duplicated the pip3 install [email protected] update across multiple workflows—consider centralizing that step or using a reusable workflow to reduce repetition.

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Review instructions: all looks good
• 🟢 Testing: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}