From f3df8e5cf2340a8b28d715fe5a5e598bdd388bf3 Mon Sep 17 00:00:00 2001
From: bootc-dev Bot
Date: Wed, 28 Jan 2026 21:59:01 +0000
Subject: [PATCH] Sync common files from infra repository

Synchronized from bootc-dev/infra@e15b9622fcef58276464960124823108858dc646.

Signed-off-by: bootc-dev Bot
---
 .bootc-dev-infra-commit.txt | 2 +-
 .devcontainer/devcontainer.json | 11 ++++++++---
 .github/actions/bootc-ubuntu-setup/action.yml | 10 +++++++---
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index da99b0c..d241aec 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-5a0900533a2b015c83b81e21f1ef78c6f7ad6067
+e15b9622fcef58276464960124823108858dc646
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 26e62a2..3916c02 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -13,9 +13,14 @@
 },
 "features": {},
 "runArgs": [
- // Because we want to be able to run podman and also use e.g. /dev/kvm
- // among other things
- "--privileged"
+ // Minimal security options for nested podman (avoids --privileged):
+ // - label=disable: Required for mounting /proc in nested user namespace
+ // - unmask=/proc/*: Allows access to /proc paths needed for nested containers
+ "--security-opt", "label=disable",
+ "--security-opt", "unmask=/proc/*",
+ // Device access for nested containers and VMs
+ "--device", "/dev/net/tun",
+ "--device", "/dev/kvm"
 ],
 "postCreateCommand": {
 // Our init script
diff --git a/.github/actions/bootc-ubuntu-setup/action.yml b/.github/actions/bootc-ubuntu-setup/action.yml
index 63f5e00..4548775 100644
--- a/.github/actions/bootc-ubuntu-setup/action.yml
+++ b/.github/actions/bootc-ubuntu-setup/action.yml
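Review bot: `"--device", "/dev/kvm"` (and `/dev/net/tun`) makes container creation fail outright on any host where that device node is absent, whereas the removed `--privileged` only exposed whatever devices happened to exist; unless the devcontainer tooling filters missing devices, hosts without nested virtualization that worked before will now fail to start the container. The header comment also calls these the "minimal" options, but `label=disable` turns off SELinux confinement for the whole container and `unmask=/proc/*` removes the default masking of kernel-sensitive proc entries, so this is still a materially weaker sandbox than the default even though it is far tighter than `--privileged`. I would record both points in the comment, e.g. `// NOTE: still weaker than the default sandbox (no SELinux labelling, /proc unmasked); /dev/kvm and /dev/net/tun must exist on the host or the container will not start.`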
@@ -14,7 +14,8 @@ runs:
 run: |
 set -xeuo pipefail
 sudo df -h
- unwanted_pkgs=('^aspnetcore-.*' '^dotnet-.*' '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*'
+ # Use globs for package patterns (apt and dpkg both support fnmatch globs)
+ unwanted_pkgs=('aspnetcore-*' 'dotnet-*' 'llvm-*' 'php*' 'mongodb-*' 'mysql-*'
 azure-cli google-chrome-stable firefox mono-devel)
 unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL)
 # Start background removal operations as systemd units; if this causes
@@ -30,9 +31,12 @@ runs:
 for x in ${unwanted_dirs[@]}; do
 runcleanup rm -rf "$x"
 done
- # Apt removals in foreground, as we can't parallelize these
+ # Apt removals in foreground, as we can't parallelize these.
+ # Only attempt removal if matching packages are installed.
 for x in ${unwanted_pkgs[@]}; do
- /bin/time -f '%E %C' sudo apt-get remove -y $x
+ if dpkg -l "$x" >/dev/null 2>&1; then
+ /bin/time -f '%E %C' sudo apt-get remove -y "$x"
+ fi
 done
 # We really want support for heredocs
 - name: Update podman and install just
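Review bot: The comment `# Use globs for package patterns (apt and dpkg both support fnmatch globs)` overstates apt's side: dpkg-query does use fnmatch, but apt-get decides per argument whether a string containing `*` is a package name, a task, an fnmatch glob or an unanchored extended regex, and as far as I can tell which interpretation wins depends on the apt version on the runner. If `php*` were taken as a regex it would mean "ph" followed by any number of "p" and match every package whose name contains "ph", so the note should say what was verified and point at the `Note, selecting ...` lines apt prints (visible under `set -x`) as the way to confirm what matched, e.g. `# Use globs for package patterns (dpkg-query matches with fnmatch; apt accepts them too, but check apt's "Note, selecting" output if an unexpected package is removed)`. The `run:` block this belongs to starts before the hunk.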
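Review bot: `for x in ${unwanted_pkgs[@]}; do` (unchanged context in the second hunk) now iterates over real shell globs, and because the expansion is unquoted bash performs pathname expansion on each entry first, so `php*` or `llvm-*` would be replaced by matching file names from the current directory before `dpkg -l` or `apt-get` ever saw the pattern (nullglob is off, so this only happens when a file actually matches). The old `'^dotnet-.*'` style entries had the same exposure in theory but were far less likely to match a file; the fix is `for x in "${unwanted_pkgs[@]}"; do`, and for consistency the `for x in ${unwanted_dirs[@]}; do` loop just above it should be quoted the same way. The `run:` block this belongs to starts before the hunk.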