diff --git a/.github/workflows/build-installer-iso.yml b/.github/workflows/build-installer-iso.yml
index c1bb3d4..c8f8c50 100644
--- a/.github/workflows/build-installer-iso.yml
+++ b/.github/workflows/build-installer-iso.yml
@@ -41,54 +41,56 @@ jobs: run: | set -euxo pipefail dnf -y upgrade --refresh - dnf -y install --skip-unavailable \ - lorax \ - pykickstart \ - anaconda-tui \ - syslinux \ - xorriso \ - grub2-efi-x64 \ - grub2-efi-x64-modules \ - grub2-pc \ - grub2-pc-modules \ - shim-x64 \ - efibootmgr + dnf -y install --skip-unavailable podman jq - - name: Validate installer kickstart + - name: Login to Forgejo registry (pull veilor-os OCI) + env: + FORGEJO_REGISTRY_TOKEN: ${{ secrets.FORGEJO_REGISTRY_TOKEN }} + FORGEJO_REGISTRY_USER: ${{ secrets.FORGEJO_REGISTRY_USER }} + run: | + set -euo pipefail + if [ -n "${FORGEJO_REGISTRY_TOKEN:-}" ]; then + echo "$FORGEJO_REGISTRY_TOKEN" | podman login \ + --username "${FORGEJO_REGISTRY_USER:-veilor-org}" \ + --password-stdin git.s8n.ru + fi + + - name: Build installer ISO with bootc-image-builder run: | set -euxo pipefail - ksvalidator kickstart/install-ostreecontainer-installer.ks - - - name: Build installer ISO with livemedia-creator - run: | - set -euxo pipefail - # livemedia-creator refuses ANY pre-existing resultdir, even - # one we just rm'd — somewhere in /var the path is recreated. - # Use /tmp (act-job-container fresh tmpfs) + unique suffix. - OUT="/tmp/lmc-out-$$" - TMPD="/tmp/lmc-$$" - rm -rf "$OUT" "$TMPD" - mkdir -p "$TMPD" - ln -sfn "$GITHUB_WORKSPACE" /work - ls -ld "$OUT" 2>&1 || echo "[OK] $OUT does not exist (expected)" - # IMPORTANT: --logfile MUST NOT live under --resultdir; livemedia - # pre-creates the parent before checking resultdir doesn't exist. - LOGFILE=/tmp/livemedia-$$.log - livemedia-creator \ - --make-iso \ - --no-virt \ - --ks kickstart/install-ostreecontainer-installer.ks \ - --resultdir "$OUT" \ - --tmp "$TMPD" \ - --volid "veilor-os-installer-${RELEASEVER}" \ - --project "veilor-os" \ - --releasever "$RELEASEVER" \ - --logfile "$LOGFILE" \ - 2>&1 | tee /tmp/build.log + # livemedia-creator does NOT support ostreecontainer (only + # ostreesetup / url / nfs install methods). 
bootc-image-builder + # is the canonical tool for ostreecontainer-based installer + # ISOs; consumes our OCI image directly. + OUT="/tmp/bib-out-$$" + rm -rf "$OUT" + mkdir -p "$OUT" + # Pull the veilor-os OCI we built; bootc-image-builder needs + # it locally to compose the installer ISO. + podman pull ghcr.io/veilor-org/veilor-os:43 || \ + podman pull git.s8n.ru/veilor-org/veilor-os:43 + # Generate a minimal config.toml for bootc-image-builder that + # tells Anaconda to ask for LUKS pw + admin pw. + cat > /tmp/bib-config.toml <<'TOML' + [[customizations.user]] + name = "admin" + password = "" + groups = ["wheel"] + TOML + podman run --rm \ + --privileged \ + --pull=newer \ + --security-opt label=type:unconfined_t \ + -v "$OUT:/output" \ + -v /tmp/bib-config.toml:/config.toml:ro \ + -v /var/lib/containers/storage:/var/lib/containers/storage \ + quay.io/centos-bootc/bootc-image-builder:latest \ + --type anaconda-iso \ + --config /config.toml \ + --rootfs btrfs \ + ghcr.io/veilor-org/veilor-os:43 mkdir -p build/out - cp -a "$OUT"/. build/out/ - cp -a "$LOGFILE" build/out/livemedia.log 2>/dev/null || true - cp -a /tmp/build.log build/out/build.log 2>/dev/null || true + find "$OUT" -name '*.iso' -exec cp {} build/out/ \; ls -lh build/out/ - name: Rename ISO + sha256
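Review bot: The privileged builder on the new `podman run` lines is pulled as `quay.io/centos-bootc/bootc-image-builder:latest` with `--pull=newer`, so the tool that composes the installer ISO is whatever that floating tag resolves to on each run, executing with `--privileged` on the runner; pin it by digest, e.g. `quay.io/centos-bootc/bootc-image-builder@sha256:<PINNED_DIGEST>` (placeholder), drop `--pull=newer`, and consider pinning `veilor-os:43` the same way. The pull fallback is also inconsistent with the build: when `podman pull ghcr.io/veilor-org/veilor-os:43` fails and the `git.s8n.ru` copy is pulled instead, the bootc-image-builder invocation still names the ghcr reference, which is presumably not present in the mounted storage, so keep the reference that actually succeeded in a variable (`IMG=ghcr.io/veilor-org/veilor-os:43` / `IMG=git.s8n.ru/veilor-org/veilor-os:43`) and pass `"$IMG"` to the builder. The comment above the heredoc says Anaconda is told to ask for the admin password, but the config sets `password = ""` for a `wheel` member; confirm against bootc-image-builder's user customization what an empty value produces, so the ISO cannot install a passwordless sudo-capable account, and state the verified behaviour in that comment. The job and the `run:` block begin before this hunk.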