name: Build veilor-os ISO

on:
  push:
    branches: [main]
    paths:
      - 'kickstart/**'
      - 'overlay/**'
      - 'scripts/**'
      - 'assets/**'
      - 'build/**'
      - '.github/workflows/build-iso.yml'
  workflow_dispatch:
    inputs:
      releasever:
        description: 'Fedora release version'
        required: false
        default: '43'
  release:
    types: [published]

jobs:
  build:
    name: Build live ISO
    runs-on: ubuntu-24.04
    timeout-minutes: 90

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Free up disk
        run: |
          sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android /usr/local/share/boost
          sudo apt-get clean
          df -h

      - name: Run build inside Fedora 43 container
        uses: addnab/docker-run-action@v3
        with:
          image: registry.fedoraproject.org/fedora:43
          options: |
            --privileged
            -v ${{ github.workspace }}:/work
            -v /dev:/dev
            --tmpfs /tmp:rw,nosuid,nodev,exec,size=8G
          run: |
            set -euxo pipefail

            # Update Fedora image to latest packages — guarantees pcre2 +
            # libselinux + selinux-policy are matched (the local build's
            # core problem). CI runners always start fresh, no version skew.
            dnf -y upgrade --refresh

            # Install build tooling
            dnf -y install \
              lorax \
              livecd-tools \
              pykickstart \
              anaconda-tui \
              squashfs-tools \
              xorriso \
              createrepo_c \
              git \
              which \
              shadow-utils

            cd /work

            # Validate kickstart syntax
            ksvalidator kickstart/veilor-os.ks

            # Run host-native build (CI container has matched lib versions
            # so no need for fix-repo or anaconda patching).
            mkdir -p build/out

            livemedia-creator \
              --make-iso \
              --no-virt \
              --ks kickstart/veilor-os.ks \
              --resultdir build/out/build \
              --project veilor-os \
              --releasever "${{ github.event.inputs.releasever || '43' }}" \
              --volid VEILOR_OS \
              --tmp /tmp/veilor-lmc \
              --logfile build/out/build.log

            # Move output ISO + checksum
            ISO_NAME="veilor-os-${{ github.event.inputs.releasever || '43' }}-$(date +%Y%m%d-%H%M%S).iso"
            mv build/out/build/*.iso "build/out/${ISO_NAME}"
            cd build/out
            sha256sum "${ISO_NAME}" > "${ISO_NAME}.sha256"
            ls -lh "${ISO_NAME}"

      - name: Upload ISO artifact
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: veilor-os-iso
          path: |
            build/out/*.iso
            build/out/*.sha256
          retention-days: 14

      - name: Upload build log on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: veilor-os-buildlog
          path: |
            build/out/build.log
            build/out/build/anaconda/

      - name: Attach to release
        if: github.event_name == 'release'
        uses: softprops/action-gh-release@v2
        with:
          files: |
            build/out/*.iso
            build/out/*.sha256