image digests and correct pip creation script

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -1067,8 +1067,10 @@ Before proceeding with Section 7, you need to understand the environment variabl
 - **Format**: Must be a full digest reference including the registry URL (e.g., `quay.io/podman/stable@sha256:...`)
 - **How to obtain**:
   ```bash
+  # Host arch (should print amd64)
+  podman info --format '{{.Host.Arch}}'
   # Get Podman client image digest
-  DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[0].digest')
+  DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
   # Combine with registry URL to create full digest reference
   export PODMAN_CLIENT_IMG_DIGEST="quay.io/podman/stable@${DIGEST}"
   echo "PODMAN_CLIENT_IMG_DIGEST=${PODMAN_CLIENT_IMG_DIGEST}"
@@ -1183,33 +1185,33 @@ The CI pipeline now includes comprehensive integration testing:
 
 ```bash
 # Test PiP connectivity through secure socket
-podman exec ci-pip podman version
+podman exec ci-pip-local podman version
 
 # Start PostgreSQL for integration tests
-podman exec ci-pip podman run -d \
+podman exec ci-pip-local podman run -d \
   --name test-postgres \
   -e POSTGRES_PASSWORD=testpassword \
   -e POSTGRES_USER=testuser \
   -e POSTGRES_DB=testdb \
   -p 5432:5432 \
-  postgres:15-alpine
+  "${POSTGRES_IMG_DIGEST}"
 
 # Wait for PostgreSQL to be ready
-podman exec ci-pip timeout 60 bash -c 'until podman exec test-postgres pg_isready -h localhost -p 5432 -U testuser; do sleep 1; done'
+podman exec ci-pip-local timeout 60 bash -c 'until podman exec test-postgres pg_isready -h localhost -p 5432 -U testuser; do sleep 1; done'
 
 # Run backend unit tests
-podman exec ci-pip podman run --rm \
-  -v $(pwd):/workspace \
+podman exec ci-pip-local podman run --rm \
+  -v $(pwd)/backend:/workspace \
   -w /workspace \
-  rust:latest \
+  "${RUST_IMG_DIGEST}" \
   sh -c "cargo test --lib -- --test-threads=1"
 
 # Run backend integration tests with real database
 podman exec ci-pip podman run --rm \
-  -v $(pwd):/workspace \
+  -v $(pwd)/backend:/workspace \
   -w /workspace \
   -e DATABASE_URL=postgres://testuser:testpassword@localhost:5432/testdb \
-  rust:latest \
+  "${RUST_IMG_DIGEST}" \
   sh -c "cargo test --test '*' -- --test-threads=1"
 ```
 
@@ -2143,7 +2145,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`PODMAN_CLIENT_IMG_DIGEST`**: Used for secure ephemeral PiP containers in CI
   ```bash
   # Get Podman client image digest and create full reference
-  DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[0].digest')
+  DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
   export PODMAN_CLIENT_IMG_DIGEST="quay.io/podman/stable@${DIGEST}"
   echo "PODMAN_CLIENT_IMG_DIGEST=${PODMAN_CLIENT_IMG_DIGEST}"
   # Result: quay.io/podman/stable@sha256:5dd9f78bd233970ea4a36bb65d5fc63b7edbb9c7f800ab7901fa912564f36415
@@ -2152,7 +2154,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`RUST_IMG_DIGEST`**: Used for Rust backend testing and building
   ```bash
   # Get Rust image digest and create full reference
-  DIGEST=$(podman manifest inspect docker.io/library/rust:latest | jq -r '.manifests[0].digest')
+  DIGEST=$(podman manifest inspect docker.io/library/rust:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
   export RUST_IMG_DIGEST="docker.io/library/rust@${DIGEST}"
   echo "RUST_IMG_DIGEST=${RUST_IMG_DIGEST}"
   # Result: docker.io/library/rust@sha256:...
@@ -2161,7 +2163,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`NODE_IMG_DIGEST`**: Used for Node.js frontend testing and building
   ```bash
   # Get Node.js image digest and create full reference
-  DIGEST=$(podman manifest inspect docker.io/library/node:latest | jq -r '.manifests[0].digest')
+  DIGEST=$(podman manifest inspect docker.io/library/node:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
   export NODE_IMG_DIGEST="docker.io/library/node@${DIGEST}"
   echo "NODE_IMG_DIGEST=${NODE_IMG_DIGEST}"
   # Result: docker.io/library/node@sha256:...
@@ -2170,7 +2172,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`POSTGRES_IMG_DIGEST`**: Used for PostgreSQL database in integration tests
   ```bash
   # Get PostgreSQL image digest and create full reference
-  DIGEST=$(podman manifest inspect docker.io/library/postgres:latest | jq -r '.manifests[0].digest')
+  DIGEST=$(podman manifest inspect docker.io/library/postgres:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
   export POSTGRES_IMG_DIGEST="docker.io/library/postgres@${DIGEST}"
   echo "POSTGRES_IMG_DIGEST=${POSTGRES_IMG_DIGEST}"
   # Result: docker.io/library/postgres@sha256:...

secure_pip_setup.sh

@@ -5,6 +5,7 @@ RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
 RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
 SOCKET_PATH="${SOCKET_PATH:-${RUNTIME_DIR}/podman-host/podman.sock}"
+SOCKET_DIR="$(dirname "$SOCKET_PATH")"
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
 PIP_UID="${PIP_UID:-1000}"
 PIP_GID="${PIP_GID:-1000}"
@@ -40,9 +41,9 @@ podman run -d \
   --network=none \
   --tmpfs /run:rw,size=64M \
   --tmpfs /tmp:rw,size=256M \
-  -v "${SOCKET_PATH}:/var/run/podman.sock" \
+  -v "${SOCKET_DIR}:/run/podman-host:rw" \
   -v "${WORKSPACE}:/workspace:rw" \
-  -e CONTAINER_HOST="unix:///var/run/podman.sock" \
+  -e CONTAINER_HOST="unix:///run/podman-host/podman.sock" \
   "${PODMAN_CLIENT_IMG_DIGEST}" \
   sleep infinity