From df7bddc2be040b27e12cdbbbf5e5f64a0c899952 Mon Sep 17 00:00:00 2001
From: bloodearnest <bloodearnest@gmail.com>
Date: Mon, 19 Jan 2026 09:55:47 +0000
Subject: [PATCH 1/2] Ensure apt is updated after enabling ESM repos.

Otherwise, we could get some confusion in package metadata.
---
 docker-apt-install.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docker-apt-install.sh b/docker-apt-install.sh
index e412411..4fd6137 100755
--- a/docker-apt-install.sh
+++ b/docker-apt-install.sh
@@ -2,12 +2,11 @@
 # Useful utility to install system packages from a file
 # It does so in the lowest footprint way possible, in a single RUN command.
 set -euo pipefail
+set -x
 
 pro_attached=0
 pro_token_file=/run/secrets/ubuntu_pro_token
 
-# ensure apt lists are populated
-apt-get update
 
 if grep -q 'VERSION_ID="20.04"' /etc/os-release; then
     # enable ubuntu pro, based on the example in the Canonical docs:
@@ -22,6 +21,7 @@ if grep -q 'VERSION_ID="20.04"' /etc/os-release; then
     #  - esm-infra: core infra packages
     #  - esm-apps: applications and server packages
     if test -s "$pro_token_file"; then
+        apt-get update
         apt-get install --no-install-recommends -y ubuntu-pro-client ca-certificates
         cat > /tmp/pro-attach-config.yaml <<EOF
 token: $(cat "$pro_token_file")
@@ -35,6 +35,9 @@ EOF
     fi
 fi
 
+# ensure apt lists are populated
+apt-get update
+
 # do we want to upgrade too?
 test "${UPGRADE:-}" = "yes" && apt-get upgrade --yes
 

From 0d9cc8cb447c207dc316f5f04e922a5ede6eb035 Mon Sep 17 00:00:00 2001
From: bloodearnest <bloodearnest@gmail.com>
Date: Mon, 19 Jan 2026 11:49:10 +0000
Subject: [PATCH 2/2] Require the Ubuntu Pro secret for 20.04 in
 docker-apt-install.sh

Without this, downstream builds can fail with confusing messages about
broken apt packaging. Better to explicitly fail, as all downstream
images *must* use ESM.
---
 Justfile              | 7 ++++---
 docker-apt-install.sh | 3 +++
 docker-compose.yaml   | 3 +++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Justfile b/Justfile
index 7490aae..72d4325 100644
--- a/Justfile
+++ b/Justfile
@@ -46,9 +46,10 @@ test: build
   else
     export RUN_ARGS=
   fi
-  docker run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests $ACTION_IMAGE_NAME:20.04 ./tests.sh
-  docker run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests $ACTION_IMAGE_NAME:22.04 ./tests.sh
-  docker run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests $ACTION_IMAGE_NAME:24.04 ./tests.sh
+
+  docker compose run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests "$ACTION_IMAGE_NAME-20.04" ./tests.sh
+  docker compose run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests "$ACTION_IMAGE_NAME-22.04" ./tests.sh
+  docker compose run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests "$ACTION_IMAGE_NAME-24.04" ./tests.sh
   ./check.sh
 
 # Update the files tracking the SHAs of ubuntu docker image
diff --git a/docker-apt-install.sh b/docker-apt-install.sh
index 4fd6137..5513ed7 100755
--- a/docker-apt-install.sh
+++ b/docker-apt-install.sh
@@ -32,6 +32,9 @@ EOF
         pro attach --attach-config /tmp/pro-attach-config.yaml
         rm -f /tmp/pro-attach-config.yaml
         pro_attached=1
+    else
+        echo "ubuntu_pro_token secret is required for 20.04 build"
+        exit 1
     fi
 fi
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
index dad7657..ca67651 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -13,6 +13,9 @@ services:
         # env vars supplied by make/just
         - BASE_CREATED
         - BASE_GITREF
+    # we also need to pass the secret at runtime for tests.sh to use.
+    secrets:
+      - ubuntu_pro_token
     init: true
 
   base-docker-20.04: