From fa4db5068021bfa150663ab4ada20aed3b4c4ea7 Mon Sep 17 00:00:00 2001 From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com> Date: Thu, 7 May 2026 11:18:49 +0100 Subject: [PATCH] =?UTF-8?q?ci(installer-iso):=20pivot=20livemedia-creator?= =?UTF-8?q?=20=E2=86=92=20bootc-image-builder?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit livemedia-creator rejected our kickstart with: Only url, nfs and ostreesetup install methods are currently supported ostreecontainer is too new for livemedia. bootc-image-builder is the canonical tool for ostreecontainer-based installer ISOs — consumes the OCI image directly, generates an Anaconda installer ISO that embeds it. Per memory, anaconda-iso is deprecated in image-builder v44+ but works on v43 (current). Workflow now: 1. Login to Forgejo registry (read OCI) 2. Pull the OCI image into local podman storage 3. podman run quay.io/centos-bootc/bootc-image-builder --type anaconda-iso --rootfs btrfs 4. Copy resulting ISO into build/out Drop livemedia-creator + lorax + pykickstart + anaconda-tui + grub2 + shim install — bootc-image-builder ships its own runtime. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/build-installer-iso.yml | 90 ++++++++++++----------- 1 file changed, 46 insertions(+), 44 deletions(-) diff --git a/.github/workflows/build-installer-iso.yml b/.github/workflows/build-installer-iso.yml index c1bb3d4..c8f8c50 100644 --- a/.github/workflows/build-installer-iso.yml +++ b/.github/workflows/build-installer-iso.yml 
@@ -41,54 +41,56 @@ jobs: run: | set -euxo pipefail dnf -y upgrade --refresh - dnf -y install --skip-unavailable \ - lorax \ - pykickstart \ - anaconda-tui \ - syslinux \ - xorriso \ - grub2-efi-x64 \ - grub2-efi-x64-modules \ - grub2-pc \ - grub2-pc-modules \ - shim-x64 \ - efibootmgr + dnf -y install --skip-unavailable podman jq - - name: Validate installer kickstart + - name: Login to Forgejo registry (pull veilor-os OCI) + env: + FORGEJO_REGISTRY_TOKEN: ${{ secrets.FORGEJO_REGISTRY_TOKEN }} + FORGEJO_REGISTRY_USER: ${{ secrets.FORGEJO_REGISTRY_USER }} + run: | + set -euo pipefail + if [ -n "${FORGEJO_REGISTRY_TOKEN:-}" ]; then + echo "$FORGEJO_REGISTRY_TOKEN" | podman login \ + --username "${FORGEJO_REGISTRY_USER:-veilor-org}" \ + --password-stdin git.s8n.ru + fi + + - name: Build installer ISO with bootc-image-builder run: | set -euxo pipefail - ksvalidator kickstart/install-ostreecontainer-installer.ks - - - name: Build installer ISO with livemedia-creator - run: | - set -euxo pipefail - # livemedia-creator refuses ANY pre-existing resultdir, even - # one we just rm'd — somewhere in /var the path is recreated. - # Use /tmp (act-job-container fresh tmpfs) + unique suffix. - OUT="/tmp/lmc-out-$$" - TMPD="/tmp/lmc-$$" - rm -rf "$OUT" "$TMPD" - mkdir -p "$TMPD" - ln -sfn "$GITHUB_WORKSPACE" /work - ls -ld "$OUT" 2>&1 || echo "[OK] $OUT does not exist (expected)" - # IMPORTANT: --logfile MUST NOT live under --resultdir; livemedia - # pre-creates the parent before checking resultdir doesn't exist. - LOGFILE=/tmp/livemedia-$$.log - livemedia-creator \ - --make-iso \ - --no-virt \ - --ks kickstart/install-ostreecontainer-installer.ks \ - --resultdir "$OUT" \ - --tmp "$TMPD" \ - --volid "veilor-os-installer-${RELEASEVER}" \ - --project "veilor-os" \ - --releasever "$RELEASEVER" \ - --logfile "$LOGFILE" \ - 2>&1 | tee /tmp/build.log + # livemedia-creator does NOT support ostreecontainer (only + # ostreesetup / url / nfs install methods). 
bootc-image-builder + # is the canonical tool for ostreecontainer-based installer + # ISOs; consumes our OCI image directly. + OUT="/tmp/bib-out-$$" + rm -rf "$OUT" + mkdir -p "$OUT" + # Pull the veilor-os OCI we built; bootc-image-builder needs + # it locally to compose the installer ISO. + podman pull ghcr.io/veilor-org/veilor-os:43 || \ + podman pull git.s8n.ru/veilor-org/veilor-os:43 + # Generate a minimal config.toml for bootc-image-builder that + # tells Anaconda to ask for LUKS pw + admin pw. + cat > /tmp/bib-config.toml <<'TOML' + [[customizations.user]] + name = "admin" + password = "" + groups = ["wheel"] + TOML + podman run --rm \ + --privileged \ + --pull=newer \ + --security-opt label=type:unconfined_t \ + -v "$OUT:/output" \ + -v /tmp/bib-config.toml:/config.toml:ro \ + -v /var/lib/containers/storage:/var/lib/containers/storage \ + quay.io/centos-bootc/bootc-image-builder:latest \ + --type anaconda-iso \ + --config /config.toml \ + --rootfs btrfs \ + ghcr.io/veilor-org/veilor-os:43 mkdir -p build/out - cp -a "$OUT"/. build/out/ - cp -a "$LOGFILE" build/out/livemedia.log 2>/dev/null || true - cp -a /tmp/build.log build/out/build.log 2>/dev/null || true + find "$OUT" -name '*.iso' -exec cp {} build/out/ \; ls -lh build/out/ - name: Rename ISO + sha256
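Review bot: The `podman run` in the new build step executes `quay.io/centos-bootc/bootc-image-builder:latest` with `--privileged`, `label=type:unconfined_t` and the host's `/var/lib/containers/storage` mounted, while `--pull=newer` re-resolves that mutable tag on every run, so whatever upstream publishes next runs with full privileges on the runner; the commit message also expects `anaconda-iso` to go away in v44+, so `:latest` will eventually break the build too. Pin the builder by digest, drop `--pull=newer`, and pass `"$BIB_IMAGE"` to `podman run`. In the same step the fallback `podman pull git.s8n.ru/veilor-org/veilor-os:43` stores the image under a different name than the `ghcr.io/veilor-org/veilor-os:43` ref handed to the builder, so the fallback path presumably fails or triggers a second pull from ghcr.io; the fence keeps the ref that was actually pulled in `IMAGE`, which should replace the trailing literal ref on the `podman run` line. Separately, `password = ""` for a `wheel` user should be checked against bootc-image-builder's behaviour: the comment says Anaconda will prompt, but if the empty value lands in the generated kickstart, installed systems may get an `admin` account with a blank password. The install step at the top of the hunk and the `Rename ISO + sha256` step at the bottom both continue outside it.

```yaml
          # Pin the privileged builder by digest (placeholder: substitute the digest you reviewed).
          BIB_IMAGE='quay.io/centos-bootc/bootc-image-builder@sha256:<REVIEWED_DIGEST>'
          # Remember which registry actually served the OS image.
          IMAGE=ghcr.io/veilor-org/veilor-os:43
          if ! podman pull "$IMAGE"; then
            IMAGE=git.s8n.ru/veilor-org/veilor-os:43
            podman pull "$IMAGE"
          fi
          # … unchanged: bib-config.toml heredoc and the podman run flags …
```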