From dc28e9f75e6e1a1999cba7a5452db60fe74dc572 Mon Sep 17 00:00:00 2001
From: ver4a <ver4a@uncontrol.me>
Date: Mon, 18 Nov 2024 11:05:48 +0100
Subject: [PATCH] Use flock instead of checking for running pulls using pgrep

The previous solution is potentially racey, it only prevents starting a
pull if there is already one running, but there is still a tiny window
of time where both pulls could start after the checks and run at the
same time. This new solution should fill that gap, since the locking
should be atomic.
---
 .forgejo/workflows/build-image.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.forgejo/workflows/build-image.yaml b/.forgejo/workflows/build-image.yaml
index 4dac6df..07be94d 100644
--- a/.forgejo/workflows/build-image.yaml
+++ b/.forgejo/workflows/build-image.yaml
@@ -12,8 +12,7 @@ jobs:
       # base
       - run:  mkdir cache
         # Waits for all "podman pull"s to exit before starting a pull
-      - run:  while [[ $(pgrep -f '^podman pull') ]]; do sleep 2; done
-      - run:  podman pull quay.io/fedora-ostree-desktops/kinoite:41
+      - run:  flock -x /tmp/CI-podman-pull-lock -c 'podman pull quay.io/fedora-ostree-desktops/kinoite:41'
       - run:  podman build . -f Dockerfile.kde --no-cache --pull=never -v ${PWD}/cache:/var/cache/libdnf5:Z --squash -t ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-kde:main
       - run:  podman push --compression-format=zstd --compression-level=${{ vars.COMPRESSION_LEVEL }} ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-kde:main ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-kde:main
       # base + nvidia
@@ -36,8 +35,7 @@ jobs:
       # base
       - run:  mkdir cache
         # Waits for all "podman pull"s to exit before starting a pull
-      - run:  while [[ $(pgrep -f '^podman pull') ]]; do sleep 2; done
-      - run:  podman pull quay.io/fedora-ostree-desktops/silverblue:41
+      - run:  flock -x /tmp/CI-podman-pull-lock -c 'podman pull quay.io/fedora-ostree-desktops/silverblue:41'
       - run:  podman build . -f Dockerfile.gnome --no-cache --pull=never -v ${PWD}/cache:/var/cache/libdnf5:Z --squash -t ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-gnome:main
       - run:  podman push --compression-format=zstd --compression-level=${{ vars.COMPRESSION_LEVEL }} ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-gnome:main ${{ vars.REGISTRY_DOMAIN }}/ver4a/onc-gnome:main
       # base + nvidia