fix(bluebuild): move brand-leak check recipe RUN -> CI smoke-test
Some checks failed
Build veilor-os Installer ISO / Build installer ISO (push) Failing after 28s
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 3h10m14s

- STEP 14/30 hung under buildah fuse-overlayfs scanning
  /usr/share/veilor-os on ~130-layer secureblue base (Forgejo run 171,
  2026-05-07, hit 360-min timeout, no error logged).
- Brand-leak grep -rqi removed from bluebuild/recipe.yml RUN snippet;
  one-line comment left in its place pointing at the new location.
- Added equivalent assertion at the end of the Smoke-test OCI image
  step in .github/workflows/build-bluebuild.yml. Runs once on the
  sealed image (no overlayfs in flight), uses `find -type f` over
  bounded paths + name globs (text files only), then a single grep
  invocation — much faster than recursive grep over the whole tree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
s8n-ru 2026-05-08 00:52:09 +01:00
parent c272050890
commit 702702650a
2 changed files with 4 additions and 4 deletions

@ -240,6 +240,9 @@ jobs:
echo "-- yggdrasil"; rpm -q yggdrasil || echo "not installed"
echo "-- tailscale"; rpm -q tailscale || echo "not installed"
echo "-- veilor-firstboot unit"; ls -la /etc/systemd/system/veilor-firstboot.service 2>&1 || true
echo "-- brand-leak scan (text files only, bounded paths)"
HITS=$(find /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os /usr/local/bin/veilor-* -type f \( -name "*.sh" -o -name "*.conf" -o -name "*.service" -o -name "*.timer" -o -name "*.txt" -o -name "*.md" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "os-release" \) -exec grep -liE "onyx|192\.168\.0\.|fedora\.local|xynki\.dev" {} + 2>/dev/null || true)
if [ -n "$HITS" ]; then echo "[ERR] brand leak detected:"; echo "$HITS"; exit 1; fi
'
# ── GitHub-only signing/SBOM/attest ────────────────────────────
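Review bot: the `-name` filter on the `find` in the brand-leak scan excludes extensionless files, so the `/usr/local/bin/veilor-*` scripts named as starting points are themselves skipped unless they happen to end in `.sh`, and the `2>/dev/null || true` means the step also passes vacuously when none of the globbed paths exist. Consider matching the bin scripts regardless of extension (e.g. `-o -path "/usr/local/bin/veilor-*"` inside the `\( ... \)` group) and asserting that at least one file was actually scanned before treating an empty `$HITS` as a pass.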

@ -63,11 +63,8 @@ modules:
-e 's|^ID=.*|ID=veilor|' \
-e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
/etc/os-release || true ; \
fi ; \
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
/etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \
echo "[ERR] brand leak detected" ; exit 1 ; \
fi
# brand-leak check moved to CI smoke-test (STEP 14 hang under buildah overlayfs, run 171 2026-05-07)
# ── 3. Override secureblue's run0-only — restore sudo ───────────
# secureblue removes sudo + replaces with run0. Too disruptive for
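Review bot: with the `if grep -rqi ... fi` block removed, `fi ; \` is now the last line of the RUN snippet and ends with a dangling line continuation, so the Containerfile parser will join whatever non-empty line follows into this RUN; drop the trailing `; \` so the snippet ends at `fi`. The replacement comment should also name the new location (`.github/workflows/build-bluebuild.yml`, Smoke-test OCI image step), since "moved to CI smoke-test" alone does not tell a reader where the check now lives.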