ci(installer-iso): pivot livemedia-creator → bootc-image-builder

livemedia-creator rejected our kickstart with: Only url, nfs and ostreesetup install methods are currently supported ostreecontainer is too new for livemedia. bootc-image-builder is the canonical tool for ostreecontainer-based installer ISOs — consumes the OCI image directly, generates an Anaconda installer ISO that embeds it. Per memory, anaconda-iso is deprecated in image-builder v44+ but works on v43 (current). Workflow now: 1. Login to Forgejo registry (read OCI) 2. Pull the OCI image into local podman storage 3. podman run quay.io/centos-bootc/bootc-image-builder --type anaconda-iso --rootfs btrfs <oci-ref> 4. Copy resulting ISO into build/out Drop livemedia-creator + lorax + pykickstart + anaconda-tui + grub2 + shim install — bootc-image-builder ships its own runtime. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 11:18:49 +01:00 · 2026-05-07 11:18:49 +01:00 · fa4db50680
commit fa4db50680
parent 800afaec2f
1 changed files with 46 additions and 44 deletions
--- a/.github/workflows/build-installer-iso.yml
+++ b/.github/workflows/build-installer-iso.yml
@ -41,54 +41,56 @@ jobs:
        run: |
          set -euxo pipefail
          dnf -y upgrade --refresh
-          dnf -y install --skip-unavailable \
-            lorax \
-            pykickstart \
-            anaconda-tui \
-            syslinux \
-            xorriso \
-            grub2-efi-x64 \
-            grub2-efi-x64-modules \
-            grub2-pc \
-            grub2-pc-modules \
-            shim-x64 \
-            efibootmgr
+          dnf -y install --skip-unavailable podman jq

-      - name: Validate installer kickstart
+      - name: Login to Forgejo registry (pull veilor-os OCI)
+        env:
+          FORGEJO_REGISTRY_TOKEN: ${{ secrets.FORGEJO_REGISTRY_TOKEN }}
+          FORGEJO_REGISTRY_USER: ${{ secrets.FORGEJO_REGISTRY_USER }}
+        run: |
+          set -euo pipefail
+          if [ -n "${FORGEJO_REGISTRY_TOKEN:-}" ]; then
+            echo "$FORGEJO_REGISTRY_TOKEN" | podman login \
+              --username "${FORGEJO_REGISTRY_USER:-veilor-org}" \
+              --password-stdin git.s8n.ru
+          fi
+
+      - name: Build installer ISO with bootc-image-builder
        run: |
          set -euxo pipefail
-          ksvalidator kickstart/install-ostreecontainer-installer.ks
-
-      - name: Build installer ISO with livemedia-creator
-        run: |
-          set -euxo pipefail
-          # livemedia-creator refuses ANY pre-existing resultdir, even
-          # one we just rm'd — somewhere in /var the path is recreated.
-          # Use /tmp (act-job-container fresh tmpfs) + unique suffix.
-          OUT="/tmp/lmc-out-$$"
-          TMPD="/tmp/lmc-$$"
-          rm -rf "$OUT" "$TMPD"
-          mkdir -p "$TMPD"
-          ln -sfn "$GITHUB_WORKSPACE" /work
-          ls -ld "$OUT" 2>&1 || echo "[OK] $OUT does not exist (expected)"
-          # IMPORTANT: --logfile MUST NOT live under --resultdir; livemedia
-          # pre-creates the parent before checking resultdir doesn't exist.
-          LOGFILE=/tmp/livemedia-$$.log
-          livemedia-creator \
-            --make-iso \
-            --no-virt \
-            --ks kickstart/install-ostreecontainer-installer.ks \
-            --resultdir "$OUT" \
-            --tmp "$TMPD" \
-            --volid "veilor-os-installer-${RELEASEVER}" \
-            --project "veilor-os" \
-            --releasever "$RELEASEVER" \
-            --logfile "$LOGFILE" \
-            2>&1 | tee /tmp/build.log
+          # livemedia-creator does NOT support ostreecontainer (only
+          # ostreesetup / url / nfs install methods). bootc-image-builder
+          # is the canonical tool for ostreecontainer-based installer
+          # ISOs; consumes our OCI image directly.
+          OUT="/tmp/bib-out-$$"
+          rm -rf "$OUT"
+          mkdir -p "$OUT"
+          # Pull the veilor-os OCI we built; bootc-image-builder needs
+          # it locally to compose the installer ISO.
+          podman pull ghcr.io/veilor-org/veilor-os:43 || \
+            podman pull git.s8n.ru/veilor-org/veilor-os:43
+          # Generate a minimal config.toml for bootc-image-builder that
+          # tells Anaconda to ask for LUKS pw + admin pw.
+          cat > /tmp/bib-config.toml <<'TOML'
+          [[customizations.user]]
+          name = "admin"
+          password = ""
+          groups = ["wheel"]
+          TOML
+          podman run --rm \
+            --privileged \
+            --pull=newer \
+            --security-opt label=type:unconfined_t \
+            -v "$OUT:/output" \
+            -v /tmp/bib-config.toml:/config.toml:ro \
+            -v /var/lib/containers/storage:/var/lib/containers/storage \
+            quay.io/centos-bootc/bootc-image-builder:latest \
+            --type anaconda-iso \
+            --config /config.toml \
+            --rootfs btrfs \
+            ghcr.io/veilor-org/veilor-os:43
          mkdir -p build/out
-          cp -a "$OUT"/. build/out/
-          cp -a "$LOGFILE" build/out/livemedia.log 2>/dev/null || true
-          cp -a /tmp/build.log build/out/build.log 2>/dev/null || true
+          find "$OUT" -name '*.iso' -exec cp {} build/out/ \;
          ls -lh build/out/

      - name: Rename ISO + sha256