container tasks: move network access out of build chain

yocto-check-layer reports an error for any task between do_fetch and
do_build that has network enabled. Two changes fix this:

container-bundle.bbclass: Move do_fetch_containers from a standalone
task into a do_fetch postfunc. When remote containers are configured,
the anonymous function adds extend_recipe_sysroot as a do_fetch
prefunc (so skopeo-native is available) and do_fetch_containers as a
postfunc. Network access during do_fetch is permitted by the QA check.

container-registry-index: Remove do_container_registry_index from the
build dependency chain (drop "before do_build"). Registry push is a
deployment action requiring explicit invocation:
  bitbake container-registry-index -c container_registry_index
The default do_build task now prints usage instructions.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/recipes-containers/container-registry/container-registry-index.bb b/recipes-containers/container-registry/container-registry-index.bb
index 590e89b3..7d53e28e 100644
--- a/recipes-containers/container-registry/container-registry-index.bb
+++ b/recipes-containers/container-registry/container-registry-index.bb
@@ -84,7 +84,18 @@ python do_container_registry_index() {
     bb.plain(f"Pushed {len(pushed_refs)} image references to {registry}")
 }
 
-addtask do_container_registry_index before do_build
+addtask do_container_registry_index
+
+python do_build() {
+    bb.plain("")
+    bb.plain("Container registry push requires explicit invocation (network access")
+    bb.plain("is not permitted during the normal build chain).")
+    bb.plain("")
+    bb.plain("To push OCI images to the registry, run:")
+    bb.plain("")
+    bb.plain("  bitbake container-registry-index -c container_registry_index")
+    bb.plain("")
+}
 
 # Generate a helper script with paths baked in
 # Script is placed alongside registry storage (outside tmp/) so it persists