- build-iso.yml: on tag push (v*.*.*), split ISO into 1.9G parts, GPG-sign the sha256 with GPG_PRIVATE_KEY secret, and auto-create release with softprops/action-gh-release@v2 attaching part files + sig + reassembly instructions. Falls back to legacy release.published path.
- build-iso.yml: optional EFI Secure Boot signing step. If MOK_PRIVATE_KEY + MOK_CERT secrets are present, sbsign each .efi inside the ISO and repack with xorriso; otherwise warn and ship unsigned. Refresh sha256.
- release-checksums.yml: new PR-time gate. Validates source + generated CI kickstart, shellchecks scripts, parses every workflow YAML, and asserts the split size stays under GitHub's 2 GiB asset cap.
- scripts/gen-mok-key.sh: idempotent MOK keypair generator (RSA-4096, 10y), outputs to gitignored build/keys/. Header documents mokutil enrollment and gh secret upload. exec bit set in index.
- .gitignore: add build/keys/, *.priv, *.der.

User must add GitHub secrets before the next tagged release:
GPG_PRIVATE_KEY — armored private key for sha256 signing
MOK_PRIVATE_KEY — sbsign EFI signing key (PEM)
MOK_CERT — public cert (DER) for sbsign + mokutil enrollment
.gitignore (18 lines, 168 B, Text)

build/out/
build/cache/
build/keys/
*.iso
*.img
*.log
*.pp
*.mod
.DS_Store
.idea/
.vscode/
secrets/
*.key
*.pem
*.priv
*.der
test/veilor-vm.qcow2
test/veilor-vm.nvram*
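Review bot: the new `*.priv` and `*.der` entries are repo-wide, but the commit message says gen-mok-key.sh writes its output to build/keys/, which is already ignored as a directory. A repo-wide `*.der` also catches the public MOK certificate (MOK_CERT, DER) that the commit message says users need for mokutil enrollment, so if the project ever wants to track that public cert next to the enrollment docs, the global pattern will silently exclude it. Consider scoping the two patterns to `build/keys/*.priv` and `build/keys/*.der`, or documenting that the public cert is intentionally kept out of the tree.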