Commit graph

8 commits

Author SHA1 Message Date
veilor-org
2782b72ead sre: release pipeline w/ ISO split, GPG sig, MOK signing scaffold
- build-iso.yml: on tag push (v*.*.*), split ISO into 1.9G parts, GPG-sign
  the sha256 with GPG_PRIVATE_KEY secret, and auto-create release with
  softprops/action-gh-release@v2 attaching part files + sig + reassembly
  instructions. Falls back to legacy release.published path.
- build-iso.yml: optional EFI Secure Boot signing step. If MOK_PRIVATE_KEY
  + MOK_CERT secrets are present, sbsign each .efi inside the ISO and
  repack with xorriso; otherwise warn and ship unsigned. Refresh sha256.
- release-checksums.yml: new PR-time gate. Validates source + generated
  CI kickstart, shellchecks scripts, parses every workflow YAML, and
  asserts the split size stays under GitHub's 2 GiB asset cap.
- scripts/gen-mok-key.sh: idempotent MOK keypair generator (RSA-4096,
  10y), outputs to gitignored build/keys/. Header documents mokutil
  enrollment and gh secret upload. exec bit set in index.
- .gitignore: add build/keys/, *.priv, *.der.

User must add GitHub secrets before the next tagged release:
  GPG_PRIVATE_KEY  — armored private key for sha256 signing
  MOK_PRIVATE_KEY  — sbsign EFI signing key (PEM)
  MOK_CERT         — public cert (DER) for sbsign + mokutil enrollment
2026-05-01 23:39:19 +01:00
veilor-org
a23ce6310a ci: patch livecd-creator __get_efi_image_stanza LABEL → CDLABEL
Upstream bug in /usr/lib/python3.14/site-packages/imgcreate/live.py:
  if self._isDracut:
      args["rootlabel"] = "live:LABEL=%(fslabel)s"   # WRONG
  else:
      args["rootlabel"] = "CDLABEL=%(fslabel)s"

For dracut path on EFI grub it writes `root=live:LABEL=...` but
dracut needs `live:CDLABEL=...` to look up ISO9660 by CD volume id.
Result: parse-livenet hook stalls indefinitely.

CI now sed-patches the file in-place before build. Reported upstream
livecd-tools as separate task.
2026-05-01 21:26:34 +01:00
veilor-org
7c4a94d763 ci: tmpdir on /var (host ext4, 80GB+) instead of /tmp tmpfs (16GB cap)
POSTTRANS ldconfig hit ENOSPC/ROFS — KDE install + dnf cache + scriptlet
working set exceeds 16G tmpfs. Move livecd-creator tmpdir to /var/lmc on
runner's host ext4 disk.
2026-04-30 17:55:08 +01:00
veilor-org
1daaefd857 v0.3 theme: strip onyx refs from comments (use 'reference system'); lint: filter self-referencing grep patterns 2026-04-30 17:19:12 +01:00
veilor-org
3e6cd79f81 ci: switch livemedia-creator → livecd-creator (purpose-built for live ISOs, handles EFI/BOOT) 2026-04-30 16:38:49 +01:00
veilor-org
c62a5489f2 ci: pre-create /tmp/veilor-lmc, strip fix-repo line for CI run
Local builds need fix-repo because host has stale libselinux vs newer pcre2.
CI fresh container has matched libs, fix-repo unnecessary and refs invalid
(file:///tmp/veilor-fix-repo not present in CI). sed strips that ks line.
2026-04-30 14:04:18 +01:00
veilor-org
86b3a6fa7a ci: switch refs from veilor → veilor-org (GH org slug); domain veilor.org 2026-04-30 13:59:20 +01:00
veilor
d44e9bbdd9 ci: github actions workflow (build-iso + lint), CONTRIBUTING, CODEOWNERS, PR template
CI builds in fresh Fedora 43 container — matched pcre2/libselinux/selinux-policy
versions, no fix-repo hack needed. Container starts every run from clean
state, no zombie collisions. Fastest path to first green ISO.
2026-04-30 13:56:03 +01:00