name: Build veilor-os ISO on: push: branches: [main] paths: - 'kickstart/**' - 'overlay/**' - 'scripts/**' - 'assets/**' - 'build/**' - '.github/workflows/build-iso.yml' workflow_dispatch: inputs: releasever: description: 'Fedora release version' required: false default: '43' release: types: [published] jobs: build: name: Build live ISO runs-on: ubuntu-24.04 timeout-minutes: 90 steps: - name: Checkout uses: actions/checkout@v4 - name: Free up disk run: | sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android /usr/local/share/boost sudo apt-get clean df -h - name: Run build inside Fedora 43 container uses: addnab/docker-run-action@v3 with: image: registry.fedoraproject.org/fedora:43 options: | --privileged -v ${{ github.workspace }}:/work -v /dev:/dev --tmpfs /tmp:rw,nosuid,nodev,exec,size=16G run: | set -euxo pipefail # Update Fedora image to latest packages — guarantees pcre2 + # libselinux + selinux-policy are matched (the local build's # core problem). CI runners always start fresh, no version skew. dnf -y upgrade --refresh # Install build tooling dnf -y install \ lorax \ livecd-tools \ pykickstart \ python3-imgcreate \ anaconda-tui \ squashfs-tools \ xorriso \ createrepo_c \ git \ which \ shadow-utils \ syslinux \ tar \ curl # Vendor gum binary onto the ISO so the TTY1 installer can use # Charm.sh TUI primitives. gum is not packaged in Fedora repos, # so pull the upstream release tarball pinned by sha256. GUM_VERSION="0.17.0" GUM_URL="https://github.com/charmbracelet/gum/releases/download/v${GUM_VERSION}/gum_${GUM_VERSION}_Linux_x86_64.tar.gz" GUM_SHA256="69ee169bd6387331928864e94d47ed01ef649fbfe875baed1bbf27b5377a6fdb" mkdir -p /work/overlay/usr/local/bin curl -fsSL "$GUM_URL" -o /tmp/gum.tgz echo "$GUM_SHA256 /tmp/gum.tgz" | sha256sum -c - tar -xzf /tmp/gum.tgz -C /tmp/ install -m 0755 "/tmp/gum_${GUM_VERSION}_Linux_x86_64/gum" /work/overlay/usr/local/bin/gum /work/overlay/usr/local/bin/gum --version echo "[OK] gum ${GUM_VERSION} vendored into overlay/usr/local/bin/" cd /work # PATCH: livecd-creator bug — __get_efi_image_stanza writes # `root=live:LABEL=...` instead of `live:CDLABEL=...` for dracut. # Result: dracut hangs on parse-livenet looking for non-CD label. # Fix in-place before running build. LIVE_PY=$(python3 -c 'import imgcreate, os; print(os.path.dirname(imgcreate.__file__))')/live.py sed -i 's|"live:LABEL=%(fslabel)s"|"live:CDLABEL=%(fslabel)s"|g' "$LIVE_PY" grep -n 'CDLABEL=%(fslabel)s' "$LIVE_PY" || { echo "[ERR] patch failed"; exit 1; } echo "[OK] livecd-creator patched: LABEL= → CDLABEL= for EFI dracut stanza" # CI uses ks-ci.ks (no local fix-repo line). Generated from main ks. # Also strip flags livecd-creator doesn't recognize. sed -e '/veilor-fix/d' \ -e '/^shutdown$/d' \ kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks ksvalidator kickstart/veilor-os-ci.ks mkdir -p build/out # livecd-creator (livecd-tools) — purpose-built for live ISOs. # Handles EFI/BOOT + isohybrid + grafting that livemedia-creator # --make-iso --no-virt does not. Produces UEFI+BIOS bootable ISO. # --tmpdir /var/lmc to avoid GitHub Actions /tmp tmpfs constraints. # /var on the runner is the host's ext4 (~80GB free post-disk-cleanup). mkdir -p /var/lmc /var/lmc-cache livecd-creator \ --verbose \ --config kickstart/veilor-os-ci.ks \ --fslabel "veilor-os-43" \ --title "veilor-os" \ --product "veilor-os" \ --releasever "${{ github.event.inputs.releasever || '43' }}" \ --tmpdir /var/lmc \ --cache /var/lmc-cache 2>&1 | tee build/out/build.log # Graft veilor source tree onto the ISO so the installer-generated # kickstart's `%post --nochroot` can find SRC at # /run/install/repo/veilor/{overlay,scripts,assets}/ when the user # promotes the live ISO into a real install. ISO_FILE=$(ls /work/*.iso 2>/dev/null | head -1) [ -n "$ISO_FILE" ] || { echo "[ERR] no ISO produced by livecd-creator"; exit 1; } echo "[INFO] grafting /veilor/ onto $ISO_FILE" # Extract original ISO's exact boot stanza so the rebuild matches # livecd-creator's layout byte-for-byte. This is immune to upstream # Fedora layout changes (e.g. images/ vs isolinux/ for efiboot.img, # partition geometry flags, hybrid MBR/GPT options). xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>&1 | tee /tmp/iso-boot.txt || true ORIG_FLAGS=$(xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>/dev/null | \ grep -v '^xorriso :' | grep -E '^-' | tr '\n' ' ') [ -n "$ORIG_FLAGS" ] || { echo "[ERR] could not extract boot stanza from $ISO_FILE"; exit 1; } echo "[INFO] re-pack flags from original ISO: $ORIG_FLAGS" mkdir -p /tmp/iso-mod xorriso -osirrox on -indev "$ISO_FILE" -extract / /tmp/iso-mod chmod -R u+w /tmp/iso-mod mkdir -p /tmp/iso-mod/veilor cp -a /work/overlay /work/scripts /work/assets /tmp/iso-mod/veilor/ # Replay the exact stanza captured above. eval is needed because # ORIG_FLAGS contains multiple flag/value pairs that must word-split. eval xorriso -as mkisofs \ -volid "veilor-os-43" \ $ORIG_FLAGS \ -o "${ISO_FILE}.tmp" /tmp/iso-mod mv "${ISO_FILE}.tmp" "$ISO_FILE" rm -rf /tmp/iso-mod echo "[OK] /veilor/ grafted onto $ISO_FILE" # Move output ISO to expected dir mv ./veilor-os-43.iso build/out/ 2>/dev/null || mv ./*.iso build/out/ 2>/dev/null || true # Rename + checksum ISO_NAME="veilor-os-${{ github.event.inputs.releasever || '43' }}-$(date +%Y%m%d-%H%M%S).iso" cd build/out for f in *.iso; do [[ -f $f && $f != $ISO_NAME ]] && mv "$f" "$ISO_NAME" done sha256sum "$ISO_NAME" > "$ISO_NAME.sha256" ls -lh "$ISO_NAME" - name: Upload ISO artifact if: success() uses: actions/upload-artifact@v4 with: name: veilor-os-iso path: | build/out/*.iso build/out/*.sha256 retention-days: 3 - name: Upload build log on failure if: failure() uses: actions/upload-artifact@v4 with: name: veilor-os-buildlog path: | build/out/build.log build/out/build/anaconda/ - name: Attach to release if: github.event_name == 'release' uses: softprops/action-gh-release@v2 with: files: | build/out/*.iso build/out/*.sha256