From 702702650abe64bdaacb934629f0d2b410e44c4c Mon Sep 17 00:00:00 2001 From: s8n-ru <279801990+s8n-ru@users.noreply.github.com> Date: Fri, 8 May 2026 00:52:09 +0100 Subject: [PATCH] fix(bluebuild): move brand-leak check recipe RUN -> CI smoke-test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - STEP 14/30 hung under buildah fuse-overlayfs scanning /usr/share/veilor-os on ~130-layer secureblue base (Forgejo run 171, 2026-05-07, hit 360-min timeout, no error logged). - Brand-leak grep -rqi removed from bluebuild/recipe.yml RUN snippet; one-line comment left in its place pointing at the new location. - Added equivalent assertion at the end of the Smoke-test OCI image step in .github/workflows/build-bluebuild.yml. Runs once on the sealed image (no overlayfs in flight), uses `find -type f` over bounded paths + name globs (text files only), then a single grep invocation — much faster than recursive grep over the whole tree. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/build-bluebuild.yml | 3 +++ bluebuild/recipe.yml | 5 +---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml index c4b9841..c79303f 100644 --- a/.github/workflows/build-bluebuild.yml +++ b/.github/workflows/build-bluebuild.yml 
@@ -240,6 +240,9 @@ jobs: echo "-- yggdrasil"; rpm -q yggdrasil || echo "not installed" echo "-- tailscale"; rpm -q tailscale || echo "not installed" echo "-- veilor-firstboot unit"; ls -la /etc/systemd/system/veilor-firstboot.service 2>&1 || true + echo "-- brand-leak scan (text files only, bounded paths)" + HITS=$(find /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os /usr/local/bin/veilor-* -type f \( -name "*.sh" -o -name "*.conf" -o -name "*.service" -o -name "*.timer" -o -name "*.txt" -o -name "*.md" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "os-release" \) -exec grep -liE "onyx|192\.168\.0\.|fedora\.local|xynki\.dev" {} + 2>/dev/null || true) + if [ -n "$HITS" ]; then echo "[ERR] brand leak detected:"; echo "$HITS"; exit 1; fi ' # ── GitHub-only signing/SBOM/attest ──────────────────────────── diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml index cad5e62..79fa713 100644 --- a/bluebuild/recipe.yml +++ b/bluebuild/recipe.yml @@ -63,11 +63,8 @@ modules: -e 's|^ID=.*|ID=veilor|' \ -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \ /etc/os-release || true ; \ - fi ; \ - if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \ - /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \ - echo "[ERR] brand leak detected" ; exit 1 ; \ fi + # brand-leak check moved to CI smoke-test (STEP 14 hang under buildah overlayfs, run 171 2026-05-07) # ── 3. Override secureblue's run0-only — restore sudo ─────────── # secureblue removes sudo + replaces with run0. Too disruptive for
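Review bot: In the build-bluebuild.yml hunk, the `-name` filter silently drops every extensionless file, so the newly added `/usr/local/bin/veilor-*` path (whose scripts typically carry no suffix) and any unsuffixed file under the other trees is never scanned; that is a coverage regression relative to the `grep -rqi` this replaces. Consider keeping the bounded paths but selecting text files by content rather than by suffix, e.g. `-type f -exec grep -lIiE "onyx|192\.168\.0\.|fedora\.local|xynki\.dev" {} +` (`-I` makes grep skip binaries). Also, because `2>/dev/null || true` swallows a `find` that fails on every path, a typo in a path or a renamed directory makes the check pass vacuously; an `ls -d` of the paths before the scan (or a check that at least one of them exists) would keep the assertion honest.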
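Review bot: In the recipe.yml hunk, the replacement comment says the check moved to the "CI smoke-test" but does not name the file, so a reader of the recipe has to search for it; state `.github/workflows/build-bluebuild.yml` (Smoke-test OCI image step) explicitly. It should also say that the gate is now CI-only: a local `bluebuild build` of this recipe, or any image produced by a pipeline that skips the smoke test, no longer has a brand-leak check at all, and the path list in the workflow must from now on be kept in sync with the recipe by hand.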