veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1
veilor-os/.github/workflows/release-checksums.yml
veilor-org 2782b72ead sre: release pipeline w/ ISO split, GPG sig, MOK signing scaffold 
- build-iso.yml: on tag push (v*.*.*), split ISO into 1.9G parts, GPG-sign
  the sha256 with GPG_PRIVATE_KEY secret, and auto-create release with
  softprops/action-gh-release@v2 attaching part files + sig + reassembly
  instructions. Falls back to legacy release.published path.
- build-iso.yml: optional EFI Secure Boot signing step. If MOK_PRIVATE_KEY
  + MOK_CERT secrets are present, sbsign each .efi inside the ISO and
  repack with xorriso; otherwise warn and ship unsigned. Refresh sha256.
- release-checksums.yml: new PR-time gate. Validates source + generated
  CI kickstart, shellchecks scripts, parses every workflow YAML, and
  asserts the split size stays under GitHub'''s 2 GiB asset cap.
- scripts/gen-mok-key.sh: idempotent MOK keypair generator (RSA-4096,
  10y), outputs to gitignored build/keys/. Header documents mokutil
  enrollment and gh secret upload. exec bit set in index.
- .gitignore: add build/keys/, *.priv, *.der.

User must add GitHub secrets before the next tagged release:
  GPG_PRIVATE_KEY  — armored private key for sha256 signing
  MOK_PRIVATE_KEY  — sbsign EFI signing key (PEM)
  MOK_CERT         — public cert (DER) for sbsign + mokutil enrollment
2026-05-01 23:39:19 +01:00

100 lines
3.3 KiB
YAML
Raw Blame History

name: Release Checksums
# PR-time validation gate for release-affecting files. Independent of
# lint.yml — meant to harden the brittle parts (ksvalidator on the
# generated CI kickstart, shellcheck across all maintained scripts,
# YAML sanity on every workflow).
#
# This workflow does NOT replace lint.yml; it runs alongside.
on:
pull_request:
paths:
- 'kickstart/**'
- 'scripts/**'
- '.github/workflows/**'
push:
branches: [main]
paths:
- 'kickstart/**'
- 'scripts/**'
- '.github/workflows/**'
jobs:
ksvalidate:
name: ksvalidator (CI-flavour kickstart)
runs-on: ubuntu-24.04
container:
image: registry.fedoraproject.org/fedora:43
steps:
- uses: actions/checkout@v4
- name: Install pykickstart
run: dnf -y install pykickstart sed
- name: Generate CI kickstart and validate
run: |
set -euxo pipefail
# Mirror what build-iso.yml does so we're validating the file
# the actual builder consumes, not just the source kickstart.
sed -e '/veilor-fix/d' \
-e '/^shutdown$/d' \
kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks
ksvalidator kickstart/veilor-os.ks
ksvalidator kickstart/veilor-os-ci.ks
shellcheck:
name: shellcheck (release scripts)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: shellcheck repo scripts
uses: ludeeus/action-shellcheck@master
with:
severity: warning
# Same exclusions as lint.yml so behaviour is consistent.
ignore_paths: build/cache .github
workflow-yaml:
name: workflow YAML sanity
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Validate every workflow parses as YAML
run: |
set -euo pipefail
python3 - <<'PY'
import sys, pathlib, yaml
ok = True
for p in pathlib.Path(".github/workflows").glob("*.y*ml"):
try:
yaml.safe_load(p.read_text())
print(f"[OK] {p}")
except yaml.YAMLError as e:
print(f"[ERR] {p}: {e}", file=sys.stderr)
ok = False
sys.exit(0 if ok else 1)
PY
release-asset-budget:
name: Release asset size budget
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Confirm split threshold is below GitHub's 2 GiB asset cap
run: |
set -euo pipefail
# GitHub per-asset upload limit is 2 GiB = 2147483648 bytes.
# split is invoked with -b 1900M = 1900 * 2^20 = 1992294400 bytes.
# Hard-fail if anyone bumps the split size beyond the cap.
if grep -E 'split -b [0-9]+M' .github/workflows/build-iso.yml >/dev/null; then
SIZE_M=$(grep -oE 'split -b [0-9]+M' .github/workflows/build-iso.yml | head -1 | grep -oE '[0-9]+')
if [[ "$SIZE_M" -gt 2047 ]]; then
echo "::error::split -b ${SIZE_M}M exceeds GitHub's 2 GiB per-asset cap"
exit 1
fi
echo "[OK] split size ${SIZE_M}M is under the 2 GiB asset limit."
else
echo "::warning::No split -b NM directive found — release pipeline may have changed"
fi
Reference in a new issue View git blame Copy permalink