fix(chunkah): skip chunkah for small apps with no component repo

Kontainer is a small KDE/Qt app (~750 KiB) with no rpmdb and no files
>=1MB. chunkah requires at least one component repo and exits with
'no supported component repo found in rootfs'.

Add x-skip-chunkah: true support to build.yml: when set, CHUNKED is set
to LABELED and chunkah is bypassed entirely. Set x-skip-chunkah: true in
Kontainer's manifest.yaml.

Document the pattern and the failure mode in skills/pipeline.md.

Assisted-by: Claude Sonnet 4.6 via OpenCode

Author: castrojo

.github/workflows/build.yml

@@ -526,53 +526,33 @@ jobs:
           fi
           echo "==> MAX_LAYERS=${MAX_LAYERS}"
 
-          # podman inspect produces the array format chunkah's parse_config accepts.
-          # Must use LABELED (has labels) not INPUT (pre-label image).
-          export CHUNKAH_CONFIG_STR
-          CHUNKAH_CONFIG_STR=$(podman inspect "${LABELED}" | jq -c '.[0]')
-
-          # podman build internally uses Buildah code but ships as part of podman 5.x
-          # (installed via Homebrew above). All flags are identical to buildah build.
-          #
-          # Custom Containerfile replaces the upstream Containerfile.splitter URL
-          # to inject a user.component xattr on the rootfs before chunkah scans it.
-          # chunkah requires at least one "component repo" (xattr, rpmdb, or
-          # bigfiles >= 1MB). Flatpak manifest.yaml apps (e.g. Kontainer) may have
-          # no large files and no rpmdb, so bigfiles and rpm repos both return None.
-          # Setting user.component on / activates the xattr repo; all files inherit
-          # it via directory inheritance. The mount uses rw so setfattr can write to
-          # the overlay layer. attr (setfattr) is installed from Fedora 43 (~1s).
-          CHUNKAH_CONTAINERFILE=$(mktemp)
-          printf '%s\n' \
-            'ARG CHUNKAH=quay.io/jlebon/chunkah:latest' \
-            'ARG CHUNKAH_ARGS=""' \
-            'ARG CHUNKAH_CONFIG_STR' \
-            'ARG APP_ID="app"' \
-            '' \
-            'FROM overridden AS target' \
-            'FROM ${CHUNKAH} AS chunkah' \
-            'ARG CHUNKAH_CONFIG_STR' \
-            'ARG CHUNKAH_ARGS' \
-            'ARG APP_ID' \
-            'RUN --mount=type=bind,target=/run/src,rw \' \
-            '    --mount=from=target,target=/chunkah,rw \' \
-            '      dnf5 install -y --setopt=install_weak_deps=False --nodocs attr \' \
-            '      && setfattr -n user.component -v "${APP_ID}" /chunkah \' \
-            '      && chunkah build ${CHUNKAH_ARGS} > /run/src/out.ociarchive' \
-            '' \
-            'FROM oci-archive:out.ociarchive' \
-            > "${CHUNKAH_CONTAINERFILE}"
-          echo "==> Running chunkah via podman build"
-          podman build \
-            --skip-unused-stages=false \
-            --from "${LABELED}" \
-            -t "${CHUNKED}" \
-            -v "$(pwd):/run/src" \
-            --security-opt=label=disable \
-            --build-arg CHUNKAH_CONFIG_STR \
-            --build-arg "CHUNKAH_ARGS=--max-layers ${MAX_LAYERS}" \
-            --build-arg "APP_ID=${APP}" \
-            -f "${CHUNKAH_CONTAINERFILE}"
+          # Per-app chunkah skip: x-skip-chunkah: true in manifest.yaml bypasses chunkah
+          # entirely (CHUNKED == LABELED). Use for small apps with no rpmdb and no files
+          # >= 1MB — chunkah fails with "no supported component repo found in rootfs".
+          SKIP_CHUNKAH="false"
+          if [[ -f "flatpaks/${APP}/manifest.yaml" ]]; then
+            SKIP_CHUNKAH=$(yq '.["x-skip-chunkah"] // false' "flatpaks/${APP}/manifest.yaml")
+          fi
+
+          if [[ "${SKIP_CHUNKAH}" == "true" ]]; then
+            echo "==> Skipping chunkah (x-skip-chunkah: true in manifest.yaml)"
+            CHUNKED="${LABELED}"
+          else
+            # podman inspect produces the array format chunkah's parse_config accepts.
+            # Must use LABELED (has labels) not INPUT (pre-label image).
+            export CHUNKAH_CONFIG_STR
+            CHUNKAH_CONFIG_STR=$(podman inspect "${LABELED}" | jq -c '.[0]')
+            echo "==> Running chunkah"
+            podman run --rm \
+              --mount=type=image,src="${LABELED}",dst=/chunkah \
+              -e CHUNKAH_CONFIG_STR \
+              quay.io/jlebon/chunkah:v0.3.0 build \
+              --max-layers "${MAX_LAYERS}" \
+              > "${APP}.ociarchive"
+            CHUNKED_ID=$(podman load < "${APP}.ociarchive" | grep -oP '(?<=sha256:)[a-f0-9]+' | head -1)
+            podman tag "${CHUNKED_ID}" "${CHUNKED}"
+            rm -f "${APP}.ociarchive"
+          fi
 
           # Verify labels survived the round-trip
           podman inspect "${CHUNKED}" \
@@ -581,9 +561,13 @@ jobs:
           echo "==> Flatpak labels OK"
           LAYER_COUNT=$(podman inspect "${CHUNKED}" | jq '.[0].RootFS.Layers | length')
           echo "==> Layer count: ${LAYER_COUNT}"
-          [[ "${LAYER_COUNT}" -gt 1 ]] \
-            && echo "==> chunkah split succeeded" \
-            || echo "==> WARNING: chunkah produced only 1 layer"
+          if [[ "${SKIP_CHUNKAH}" == "true" ]]; then
+            echo "==> chunkah skipped (x-skip-chunkah: true) — single layer expected"
+          else
+            [[ "${LAYER_COUNT}" -gt 1 ]] \
+              && echo "==> chunkah split succeeded" \
+              || echo "==> WARNING: chunkah produced only 1 layer"
+          fi
           # Export for use in subsequent steps
           echo "CHUNKED=${CHUNKED}" >> "$GITHUB_ENV"
           echo "LAYER_COUNT=${LAYER_COUNT}" >> "$GITHUB_ENV"

flatpaks/io.github.DenysMb.Kontainer/manifest.yaml

@@ -27,3 +27,4 @@ app-id: io.github.DenysMb.Kontainer
 x-version: '1.4.1'
 x-arches:
 - x86_64
+x-skip-chunkah: true

skills/pipeline.md

@@ -82,6 +82,34 @@ Upstream default is 64; we cap lower for Flatpak use (fewer is fine, more = bett
 **Before modifying any chunkah invocation:** fetch upstream README and verify the pattern
 matches the pinned version. Do not rely on memory of prior usage patterns.
 
+### x-skip-chunkah
+
+chunkah requires at least one "component repo" to be detected in the rootfs: an rpmdb,
+files >= 1MB (bigfiles), or `user.component` xattrs. Small apps built via `flatpak-builder`
+(e.g. a tiny KDE/Qt widget like Kontainer, ~750 KiB) have none of these — no rpmdb,
+no large files, and no xattrs. chunkah exits with "no supported component repo found in rootfs".
+
+Attempting to inject xattrs via `setfattr` in a `RUN --mount` inside a custom Containerfile
+(the "xattr injection" approach) does NOT work: the xattr is set on the mount-point directory
+in the chunkah container's namespace, not on a file inside the mounted rootfs overlay, so
+chunkah's scanner never sees it.
+
+**Fix:** Add `x-skip-chunkah: true` to the app's `manifest.yaml`. The pipeline detects this
+flag and sets `CHUNKED="${LABELED}"`, skipping chunkah entirely. The image is pushed as a
+single layer, which is fine — the app is too small to benefit from layer deduplication.
+
+**Rule:** Any manifest.yaml app that is a small GUI widget or utility (< ~5MB total,
+no system dependencies beyond the SDK) should use `x-skip-chunkah: true`.
+
+```yaml
+# flatpaks/<app>/manifest.yaml
+x-skip-chunkah: true
+```
+
+Note: `x-skip-chunkah` is only supported for `manifest.yaml` apps (flatpak-builder path).
+Bundle-repack (`release.yaml`) apps typically have large upstream bundles and do not
+need this flag.
+
 ## Push path
 
 - `just loop` → `skopeo copy --dest-tls-verify=false` → `localhost:5000`