# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation). # Tracked separately so this PR can land without long web lookups. name: Build veilor-os ISO on: push: branches: [main] paths: - 'kickstart/**' - 'overlay/**' - 'scripts/**' - 'assets/**' - 'build/**' - '.github/workflows/build-iso.yml' workflow_dispatch: inputs: releasever: description: 'Fedora release version' required: false default: '43' release: types: [published] permissions: contents: write # needed for action-gh-release to create+update ci-latest id-token: write # cosign keyless OIDC + attest-build-provenance attestations: write # attest-build-provenance writes the attestation jobs: build: name: Build live ISO # nullstone label resolves to a privileged Fedora 43 container per # the runner's RUNNER_LABELS map. Build runs directly in this job # container — no nested docker-run-action, no bind-mount juggling. runs-on: nullstone timeout-minutes: 90 steps: - name: Checkout # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships # node24 which forgejo-runner v6.4.0 (node20) cannot exec. uses: actions/checkout@v4.1.7 - name: Install build tooling (Fedora) run: | set -euxo pipefail dnf -y upgrade --refresh dnf -y install \ lorax \ livecd-tools \ pykickstart \ python3-imgcreate \ anaconda-tui \ squashfs-tools \ xorriso \ createrepo_c \ git \ which \ shadow-utils \ syslinux \ tar \ curl \ sudo - name: Vendor gum binary into overlay run: | set -euxo pipefail GUM_VERSION="0.17.0" GUM_URL="https://github.com/charmbracelet/gum/releases/download/v${GUM_VERSION}/gum_${GUM_VERSION}_Linux_x86_64.tar.gz" GUM_SHA256="69ee169bd6387331928864e94d47ed01ef649fbfe875baed1bbf27b5377a6fdb" mkdir -p overlay/usr/local/bin curl -fsSL "$GUM_URL" -o /tmp/gum.tgz echo "$GUM_SHA256 /tmp/gum.tgz" | sha256sum -c - tar -xzf /tmp/gum.tgz -C /tmp/ install -m 0755 "/tmp/gum_${GUM_VERSION}_Linux_x86_64/gum" overlay/usr/local/bin/gum overlay/usr/local/bin/gum --version echo "[OK] gum ${GUM_VERSION} vendored into overlay/usr/local/bin/" - name: Build ISO with livecd-creator run: | set -euxo pipefail # PATCH: livecd-creator bug — __get_efi_image_stanza writes # `root=live:LABEL=...` instead of `live:CDLABEL=...` for dracut. # Result: dracut hangs on parse-livenet looking for non-CD label. # Fix in-place before running build. LIVE_PY=$(python3 -c 'import imgcreate, os; print(os.path.dirname(imgcreate.__file__))')/live.py sed -i 's|"live:LABEL=%(fslabel)s"|"live:CDLABEL=%(fslabel)s"|g' "$LIVE_PY" grep -n 'CDLABEL=%(fslabel)s' "$LIVE_PY" || { echo "[ERR] patch failed"; exit 1; } echo "[OK] livecd-creator patched: LABEL= → CDLABEL= for EFI dracut stanza" # CI uses ks-ci.ks (no local fix-repo line). Generated from main ks. # Drop `updates` repo: previously 404'd on repodata zchunk during # Fedora mid-push windows. Base 43 ships the selinux-policy fix. sed -e '/veilor-fix/d' \ -e '/^shutdown$/d' \ -e '/repo --name=updates/d' \ kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks ksvalidator kickstart/veilor-os-ci.ks mkdir -p build/out mkdir -p /var/lmc /var/lmc-cache livecd-creator \ --verbose \ --config kickstart/veilor-os-ci.ks \ --fslabel "veilor-os-43" \ --title "veilor-os" \ --product "veilor-os" \ --releasever "${{ github.event.inputs.releasever || '43' }}" \ --tmpdir /var/lmc \ --cache /var/lmc-cache 2>&1 | tee build/out/build.log - name: Graft veilor source tree onto ISO run: | set -euxo pipefail ISO_FILE=$(ls ./*.iso 2>/dev/null | head -1) [ -n "$ISO_FILE" ] || { echo "[ERR] no ISO produced by livecd-creator"; exit 1; } echo "[INFO] grafting /veilor/ onto $ISO_FILE" xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>&1 | tee /tmp/iso-boot.txt || true ORIG_FLAGS=$(xorriso -indev "$ISO_FILE" -report_el_torito as_mkisofs 2>/dev/null | \ grep -v '^xorriso :' | grep -E '^-' | tr '\n' ' ') [ -n "$ORIG_FLAGS" ] || { echo "[ERR] could not extract boot stanza from $ISO_FILE"; exit 1; } mkdir -p /tmp/iso-mod xorriso -osirrox on -indev "$ISO_FILE" -extract / /tmp/iso-mod chmod -R u+w /tmp/iso-mod mkdir -p /tmp/iso-mod/veilor cp -a overlay scripts assets /tmp/iso-mod/veilor/ eval xorriso -as mkisofs \ -volid "veilor-os-43" \ $ORIG_FLAGS \ -o "${ISO_FILE}.tmp" /tmp/iso-mod mv "${ISO_FILE}.tmp" "$ISO_FILE" rm -rf /tmp/iso-mod mv "$ISO_FILE" build/out/ ISO_NAME="veilor-os-${{ github.event.inputs.releasever || '43' }}-$(date +%Y%m%d-%H%M%S).iso" cd build/out for f in *.iso; do [[ -f $f && $f != "$ISO_NAME" ]] && mv "$f" "$ISO_NAME" done sha256sum "$ISO_NAME" > "$ISO_NAME.sha256" ls -lh "$ISO_NAME" # ── ISO publish ──────────────────────────────────────────────────── # GH Release asset size limit = 2 GiB. Our ISO ~2.8 GiB. Split into # chunks before upload. Reassemble client-side via `cat *.part-* > x.iso`. # Squashfs is already near-incompressible (zstd -19 → 96%) so split, # not compress. - name: Split ISO into 2GiB chunks if: success() && github.ref == 'refs/heads/main' run: | cd build/out ISO=$(ls *.iso | head -1) [ -n "$ISO" ] || { echo "[ERR] no ISO"; exit 1; } # Split with 1900M chunks (under 2 GiB safe). Suffix .part-aa, .part-ab, ... split -b 1900M -d --suffix-length=2 "$ISO" "${ISO}.part-" ls -lh # Drop the original ISO so it doesn't try to upload (over limit) rm -f "$ISO" # Generate sha256 of all parts so reassembly is verifiable sha256sum *.part-* > "${ISO}.parts.sha256" echo "[OK] split into:" ls "${ISO}".part-* - name: Install cosign if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' # Pinned to last v3 release confirmed node20. uses: sigstore/cosign-installer@v3.7.0 - name: Sign ISO parts (keyless) if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' run: | cd build/out for f in *.part-*; do cosign sign-blob --yes "$f" \ --output-signature "$f.sig" \ --output-certificate "$f.pem" done - name: Generate SBOM (SPDX) if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' # Pinned to last v0.17 release that ships node20. uses: anchore/sbom-action@v0.17.2 with: path: build/out format: spdx-json output-file: build/out/veilor-os.spdx.json - name: Build provenance attestation if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' # Pinned to last v2.2 release that ships node20. uses: actions/attest-build-provenance@v2.2.3 with: subject-path: 'build/out/*.iso.part-*' # GitHub-only: softprops/action-gh-release uses the GitHub REST API # which Forgejo doesn't expose at the same endpoints. When this # workflow runs on git.s8n.ru the step below (Forgejo) handles # publishing instead. - name: Publish to ci-latest rolling prerelease (GitHub) if: success() && github.ref == 'refs/heads/main' && github.server_url == 'https://github.com' # Pinned to last v2 tag confirmed to ship on node20. uses: softprops/action-gh-release@v2.0.4 with: tag_name: ci-latest name: "ci-latest (auto)" body: | Rolling auto-build from `main`. Latest commit: ${{ github.sha }}. **ISO is split into chunks (GH release 2 GiB asset limit).** Reassemble: ``` cat veilor-os-*.iso.part-* > veilor-os.iso sha256sum -c veilor-os-*.iso.parts.sha256 ``` Or use `test/auto-install.sh` which handles reassembly automatically. Not a stable release — for testing only. prerelease: true make_latest: false files: | build/out/*.iso.part-* build/out/*.sha256 build/out/*.sig build/out/*.pem build/out/*.spdx.json # Forgejo equivalent: drop+recreate ci-latest release via the # Forgejo REST API, then upload chunks. Only runs when not on GitHub. # All ${{ }} interpolations are vetted (repo coords + signed SHA). - name: Publish to ci-latest rolling prerelease (Forgejo) if: success() && github.ref == 'refs/heads/main' && github.server_url != 'https://github.com' env: FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }} FORGEJO_API: ${{ github.server_url }}/api/v1 REPO: ${{ github.repository }} GIT_SHA: ${{ github.sha }} run: | set -euo pipefail TAG="ci-latest" REL_JSON=$(curl -fsSL -H "Authorization: token ${FORGEJO_TOKEN}" \ "${FORGEJO_API}/repos/${REPO}/releases/tags/${TAG}" 2>/dev/null || echo "") if [ -n "$REL_JSON" ]; then REL_ID=$(echo "$REL_JSON" | grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+') if [ -n "$REL_ID" ]; then echo "[INFO] deleting existing ci-latest release id=$REL_ID" curl -fsSL -X DELETE -H "Authorization: token ${FORGEJO_TOKEN}" \ "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}" || true curl -fsSL -X DELETE -H "Authorization: token ${FORGEJO_TOKEN}" \ "${FORGEJO_API}/repos/${REPO}/git/refs/tags/${TAG}" || true fi fi BODY="Rolling auto-build from main. Latest commit: ${GIT_SHA}. ISO is split into chunks. Reassemble: cat veilor-os-*.iso.part-* > veilor-os.iso sha256sum -c veilor-os-*.iso.parts.sha256 Or use test/auto-install.sh (handles reassembly automatically). Not a stable release — for testing only." PAYLOAD=$(BODY="$BODY" TAG="$TAG" python3 -c " import json,os print(json.dumps({ 'tag_name': os.environ['TAG'], 'target_commitish': 'main', 'name': 'ci-latest (auto)', 'body': os.environ['BODY'], 'prerelease': True, 'draft': False, }))") REL_ID=$(curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \ -H "Content-Type: application/json" \ -d "$PAYLOAD" \ "${FORGEJO_API}/repos/${REPO}/releases" | \ grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+') [ -n "$REL_ID" ] || { echo "[ERR] failed to create Forgejo release"; exit 1; } echo "[OK] Forgejo release id=$REL_ID created" cd build/out for f in *.iso.part-* *.sha256; do [ -f "$f" ] || continue echo "[INFO] uploading $f" curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \ -F "attachment=@${f}" \ "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}/assets?name=${f}" done echo "[OK] all assets uploaded to Forgejo ci-latest" # Build log on failure: print inline + skip artifact upload to avoid # quota wall. Job log retains everything anyway. - name: Print build log on failure if: failure() run: | echo "─── build/out/build.log ───" tail -200 build/out/build.log 2>/dev/null || echo "(no build.log)" echo "─── anaconda program.log ───" find build/out/build/anaconda -name 'program.log' -exec tail -100 {} \; 2>/dev/null || echo "(no anaconda log)" # GitHub-only: same restriction as ci-latest publish. - name: Attach to release on tag (GitHub) if: github.event_name == 'release' && github.server_url == 'https://github.com' # Pinned to last v2 tag confirmed to ship on node20. uses: softprops/action-gh-release@v2.0.4 with: files: | build/out/*.iso build/out/*.sha256 # Forgejo equivalent for tag-driven release uploads. The release # is assumed to already exist (Forgejo creates it from the tag); # we only attach assets here. - name: Attach to release on tag (Forgejo) if: github.event_name == 'release' && github.server_url != 'https://github.com' env: FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }} FORGEJO_API: ${{ github.server_url }}/api/v1 REPO: ${{ github.repository }} REF_NAME: ${{ github.ref_name }} run: | set -euo pipefail REL_JSON=$(curl -fsSL -H "Authorization: token ${FORGEJO_TOKEN}" \ "${FORGEJO_API}/repos/${REPO}/releases/tags/${REF_NAME}") REL_ID=$(echo "$REL_JSON" | grep -oE '"id":\s*[0-9]+' | head -1 | grep -oE '[0-9]+') [ -n "$REL_ID" ] || { echo "[ERR] no Forgejo release for tag ${REF_NAME}"; exit 1; } cd build/out for f in *.iso *.sha256; do [ -f "$f" ] || continue curl -fsSL -X POST -H "Authorization: token ${FORGEJO_TOKEN}" \ -F "attachment=@${f}" \ "${FORGEJO_API}/repos/${REPO}/releases/${REL_ID}/assets?name=${f}" done