
No commits in common. "main" and "1.0.1" have entirely different histories.
main ... 1.0.1

12 changed files with 78 additions and 364 deletions


@ -1,5 +0,0 @@
.devcontainer
.git*
*.md
action.yml
LICENSE

2
.github/CODEOWNERS vendored Normal file

@ -0,0 +1,2 @@
# Default owner of code within this repo
* @JasonN3


@ -1,21 +1,13 @@
--- ---
name: Build Container Image name: Build Container Image
on: on:
merge_group:
pull_request: pull_request:
branches: branches:
- main - main
paths-ignore:
- '*.md'
- 'LICENSE'
- 'CODEOWNERS'
push: push:
branches: branches:
- main - main
workflow_dispatch: workflow_dispatch:
env:
IMAGE_NAME: "isogenerator"
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs: jobs:
push-image: push-image:
@ -33,144 +25,17 @@ jobs:
- 40 - 40
include: include:
- version: 39 - version: 39
is_latest_version: true support: latest
is_stable_version: true
steps: steps:
# Checkout push-to-registry action GitHub repository - name: Build image
- name: Checkout Push to Registry action uses: ublue-os/build-action@1.0.1
uses: actions/checkout@v4
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
VARIANT="${{ matrix.version }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
COMMIT_TAGS+=("pr-${{ github.event.number }}")
COMMIT_TAGS+=("${SHA_SHORT}")
fi
BUILD_TAGS=("${VARIANT}")
# Append matching timestamp tags to keep a version history
for TAG in "${BUILD_TAGS[@]}"; do
BUILD_TAGS+=("${TAG}-${TIMESTAMP}")
done
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("${TIMESTAMP}")
BUILD_TAGS+=("latest")
fi
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
- name: Get current version
id: labels
run: |
ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.IMAGE_NAME }}:${{ matrix.version }} | jq -r '.Labels["org.opencontainers.image.version"]')
echo "VERSION=$ver" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
with: with:
images: | image_name: isogenerator
${{ env.IMAGE_NAME }} image_variant: main
version: ${{ matrix.version }}
labels: | support: ${{ matrix.support }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md signing_key: ${{ secrets.SIGNING_SECRET }}
org.opencontainers.image.description=Used to generate ISO installers for OCI containers continue-on-error: false
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
# Postfix image name with -custom to make it a little more descriptive
# Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
VERSION=${{ matrix.version }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
# Sign container
- uses: sigstore/cosign-installer@v3.4.0
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
check: check:
name: Check build successful name: Check build successful


@ -10,41 +10,28 @@ on:
- '*.md' - '*.md'
- 'LICENSE' - 'LICENSE'
- 'CODEOWNERS' - 'CODEOWNERS'
workflow_dispatch:
jobs: jobs:
build-and-push-iso: build-and-push-iso:
name: Build ISO name: Build ISO
runs-on: self-hosted runs-on: ubuntu-latest
container: container:
image: fedora:39 image: fedora:39
options: "--privileged" options: "--privileged"
volumes:
- "/:/host"
permissions: permissions:
contents: read contents: read
packages: write packages: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
version: [38, 39] version:
boot: [secureboot, insecure] - 38
include: - 39
- boot: secureboot
SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
ENROLLMENT_PASSWORD: 'ublue-os'
SECURE_BOOT_STRING: '-secure'
- boot: insecure
SECURE_BOOT_KEY_URL: ''
ENROLLMENT_PASSWORD: ''
SECURE_BOOT_STRING: ''
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Build ISO - name: Build ISO
id: build-iso
uses: ./ uses: ./
with: with:
ARCH: 'x86_64' ARCH: 'x86_64'
@ -52,20 +39,8 @@ jobs:
IMAGE_REPO: 'ghcr.io/ublue-os' IMAGE_REPO: 'ghcr.io/ublue-os'
VARIANT: 'Kinoite' VARIANT: 'Kinoite'
VERSION: ${{ matrix.version }} VERSION: ${{ matrix.version }}
SECURE_BOOT_KEY_URL: ${{ matrix.SECURE_BOOT_KEY_URL }} ACTION_REPO: ${{ github.repository }}
ENROLLMENT_PASSWORD: ${{ matrix.ENROLLMENT_PASSWORD }} ACTION_REF: ${{ github.ref }}
- name: Upload ISO as artifact
uses: actions/upload-artifact@v4
with:
name: base-main-${{ matrix.version }}${{ matrix.SECURE_BOOT_STRING }}.iso
path: |
${{ steps.build-iso.outputs.iso-path }}
${{ steps.build-iso.outputs.checksum-path }}
if-no-files-found: error
retention-days: 0
compression-level: 0
overwrite: true
check: check:
name: Check build successful name: Check build successful


@ -4,7 +4,7 @@ ARG VERSION=39
FROM fedora:${VERSION} FROM fedora:${VERSION}
# Set version for the environment variables in the container. # Set version for the environment variables in the container.
ARG VERSION=${VERSION} ARG VERSION=39
ENV ARCH="x86_64" ENV ARCH="x86_64"
ENV IMAGE_NAME="base-main" ENV IMAGE_NAME="base-main"
@ -13,16 +13,12 @@ ENV IMAGE_TAG="${VERSION}"
ENV VARIANT="Kinoite" ENV VARIANT="Kinoite"
ENV VERSION="${VERSION}" ENV VERSION="${VERSION}"
ENV WEB_UI="false" ENV WEB_UI="false"
ENV SECURE_BOOT_KEY_URL=""
ENV ENROLLMENT_PASSWORD="ublue-os"
COPY ./ /isogenerator COPY / /isogenerator
WORKDIR /isogenerator WORKDIR /isogenerator
RUN dnf install -y make && \ RUN dnf install -y make && make install-deps
make install-deps && \
dnf clean all
VOLUME /isogenerator/output VOLUME /isogenerator/output
ENTRYPOINT /isogenerator/entrypoint.sh ENTRYPOINT ["sh", "-c", "make output/${IMAGE_NAME}-${IMAGE_TAG}.iso ARCH=${ARCH} VERSION=${VERSION} IMAGE_REPO=${IMAGE_REPO} IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} VARIANT=${VARIANT} WEB_UI=${WEB_UI}"]
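Review bot: The 1.0.1 `ENTRYPOINT ["sh", "-c", "make output/${IMAGE_NAME}-${IMAGE_TAG}.iso ARCH=${ARCH} …"]` expands every variable unquoted inside `sh -c`, so a value supplied with `docker run -e` that contains a space or a shell metacharacter is split or interpreted by the shell instead of reaching make as one argument. Quote each expansion inside the command string (`IMAGE_REPO=\"${IMAGE_REPO}\"` and likewise for the others) and begin the string with `exec make` so make, not the wrapper shell, receives signals as the container's main process. The new `RUN dnf install -y make && make install-deps` also drops the `dnf clean all` that the other side had, which leaves the package cache in the image layer.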


@ -4,19 +4,15 @@ ARCH = x86_64
VERSION = 39 VERSION = 39
IMAGE_REPO = ghcr.io/ublue-os IMAGE_REPO = ghcr.io/ublue-os
IMAGE_NAME = base-main IMAGE_NAME = base-main
IMAGE_TAG = $(VERSION) IMAGE_TAG = $(version)
EXTRA_BOOT_PARAMS =
VARIANT = Kinoite VARIANT = Kinoite
WEB_UI = false WEB_UI = false
ENROLLMENT_PASSWORD = ublue-os
SECURE_BOOT_KEY_URL =
# Generated vars # Generated vars
## Formatting = _UPPERCASE ## Formatting = _UPPERCASE
_BASE_DIR = $(shell pwd) _BASE_DIR = $(shell pwd)
_IMAGE_REPO_ESCAPED = $(subst /,\/,$(IMAGE_REPO)) _IMAGE_REPO_ESCAPED = $(subst /,\/,$(IMAGE_REPO))
_IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED)) _IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED))
_VOLID = $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)
ifeq ($(VARIANT),'Server') ifeq ($(VARIANT),'Server')
_LORAX_ARGS = --macboot --noupgrade _LORAX_ARGS = --macboot --noupgrade
@ -37,7 +33,6 @@ $(IMAGE_NAME)-$(IMAGE_TAG).iso: output/$(IMAGE_NAME)-$(IMAGE_TAG).iso
output/$(IMAGE_NAME)-$(IMAGE_TAG).iso: boot.iso container/$(IMAGE_NAME)-$(IMAGE_TAG) xorriso/input.txt output/$(IMAGE_NAME)-$(IMAGE_TAG).iso: boot.iso container/$(IMAGE_NAME)-$(IMAGE_TAG) xorriso/input.txt
mkdir $(_BASE_DIR)/output || true mkdir $(_BASE_DIR)/output || true
xorriso -dialog on < $(_BASE_DIR)/xorriso/input.txt xorriso -dialog on < $(_BASE_DIR)/xorriso/input.txt
implantisomd5 $(_BASE_DIR)/output/$(IMAGE_NAME)-$(IMAGE_TAG).iso
# Step 1: Generate Lorax Templates # Step 1: Generate Lorax Templates
lorax_templates/%.tmpl: lorax_templates/%.tmpl.in lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
@ -51,43 +46,14 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
# Step 2: Build boot.iso using Lorax # Step 2: Build boot.iso using Lorax
boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
rm -Rf $(_BASE_DIR)/results || true rm -Rf $(_BASE_DIR)/results
rm /etc/rpm/macros.image-language-conf || true
# Set the enrollment password
sed 's/@ENROLLMENT_PASSWORD@/$(ENROLLMENT_PASSWORD)/' $(_BASE_DIR)/scripts/enroll-secureboot-key.sh.in > $(_BASE_DIR)/scripts/enroll-secureboot-key.sh
# Download the secure boot key
if [ -n "$(SECURE_BOOT_KEY_URL)" ]; then\
curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL);\
fi
# Set the default menu entry to the first one
sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
# Add Extra Boot Parameters to all menu entries
sed -i 's/linux @KERNELPATH@ @ROOT@ quiet/linux @KERNELPATH@ @ROOT@ quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ quiet/linuxefi @KERNELPATH@ @ROOT@ quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ rd.live.check quiet/linux @KERNELPATH@ @ROOT@ rd.live.check quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet/linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ nomodeset quiet/linux @KERNELPATH@ @ROOT@ nomodeset quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ nomodeset quiet/linuxefi @KERNELPATH@ @ROOT@ nomodeset quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ inst.rescue quiet/linux @KERNELPATH@ @ROOT@ inst.rescue quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ inst.rescue quiet/linuxefi @KERNELPATH@ @ROOT@ inst.rescue quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
# Build boot.iso
lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \ lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
--isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \ --isfinal --buildarch=$(ARCH) --volid=$(IMAGE_NAME)-$(ARCH)-$(IMAGE_TAG) \
$(_LORAX_ARGS) \ $(_LORAX_ARGS) \
--repo /etc/yum.repos.d/fedora.repo \ --repo /etc/yum.repos.d/fedora.repo \
--repo /etc/yum.repos.d/fedora-updates.repo \ --repo /etc/yum.repos.d/fedora-updates.repo \
--add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \ --add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
--add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \ --add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
--add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
$(_BASE_DIR)/results/ $(_BASE_DIR)/results/
mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/ mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/
@ -99,7 +65,7 @@ container/$(IMAGE_NAME)-$(IMAGE_TAG):
podman rmi $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) podman rmi $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
install-deps: install-deps:
dnf install -y lorax xorriso podman git dnf install -y lorax xorriso podman git rpm-ostree
# Step 4: Generate xorriso script # Step 4: Generate xorriso script
xorriso/%.sh: xorriso/%.sh.in xorriso/%.sh: xorriso/%.sh.in
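Review bot: `IMAGE_TAG = $(version)` on the 1.0.1 side refers to a lowercase variable that the visible variable block never defines (only `VERSION = 39` is set), and make variable names are case-sensitive, so `IMAGE_TAG` is empty unless the caller passes it. With the default, the target becomes `output/base-main-.iso` and `podman rmi $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)` is given a reference with an empty tag. Use `IMAGE_TAG = $(VERSION)`, which also matches the README's documented default. The rules shown here continue outside the hunks.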


@ -16,58 +16,41 @@ This will create an ISO with the baked in defaults of the container image.
See [Customizing](#customizing) for information about customizing the image that gets created. The variable can either be defined as environment variables or as command arguments. See [Customizing](#customizing) for information about customizing the image that gets created. The variable can either be defined as environment variables or as command arguments.
Examples: Examples:
Creating Universal Blue Silverblue ISO Creating Bluefin GTS ISO
```bash ```bash
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=silverblue-main -e IMAGE_TAG=latest -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:39 docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=38 -e IMAGE_NAME=bluefin -e IMAGE_TAG=gts -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:38
```
```bash
# Requires sudo to run
sudo podman run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=silverblue-main -e IMAGE_TAG=latest -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:39
``` ```
Creating Universal Blue Kinoite ISO Creating Bazzite Latest ISO
```bash ```bash
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=kinoite-main -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39 docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=bazzite -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39
```
```bash
# Requires sudo to run
sudo podman run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=kinoite-main -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39
``` ```
## Customizing ## Customizing
### Inputs
The following variables can be used to customize the create image. The following variables can be used to customize the create image.
| Variable | Description | Default Value | - ARCH
| ----------------- | ------------------------------------------------------------ | ---------------------- | Architecture for image to build
| ARCH | Architecture for image to build | x86_64 | Default Value: x86_64
| VERSION | Fedora version of installer to build | 39 | - VERSION
| IMAGE_REPO | Repository containing the source container image | ghcr.io/ublue-os | Fedora version of installer to build
| IMAGE_NAME | Name of the source container image | base-main | Default Value: 39
| IMAGE_TAG | Tag of the source container image | *VERSION* | - IMAGE_REPO
| EXTRA_BOOT_PARAMS | Extra params used by grub to boot the anaconda installer | \[empty\] | Repository containing the source container image
| VARIANT | Source container variant\* | Kinoite | Default Value: ghcr.io/ublue-os
| WEB_UI | Enable Anaconda WebUI (experimental) | false | - IMAGE_NAME
| ENROLLMENT_PASSWORD | Password used to enroll secure boot key into BIOS\*\* | isogenerator | Name of the source container image
| SECURE_BOOT_KEY_URL | URL used to download your secure boot key for enrollment\*\* | \[empty\] | Default Value: base-main
- IMAGE_TAG
\*Available options for VARIANT can be found by running `dnf provides system-release`. Variant will be the third item in the package name. Example: `fedora-release-kinoite-39-34.noarch` will be kinoite Tag of the source container image
Default Value: *VERSION*
\*\*NOTE: ENROLLMENT_PASSWORD and SECURE_BOOT_KEY_URL are not required. They are only required if you are creating specific kernel modules or if you are using Universal Blue Kernel Modules. - VARIANT
Source container variant
Our public key for our kmods is located here: https://github.com/ublue-os/akmods/raw/main/certs/public_key.der Available options can be found by running `dnf provides system-release`. Variant will be the third item in the package name. Example: `fedora-release-kinoite-39-34.noarch` will be kinonite
Default Value: Silverblue
### Outputs - WEB_UI
Enable Anaconda WebUI
This action outputs some useful values for you to use further on in your workflow. Default Value: false
| Output | Description |
| ------ | ----------- |
| output-directory | The directory containing ISO and checksum files |
| iso-path | The full path to the ISO file |
| checksum-path | The full path to the checksum file |
## VSCode Dev Container ## VSCode Dev Container
There is a dev container configuration provided for development. By default it will use the existing container image available at `ghcr.io/ublue-os/isogenerator`, however, you can have it build a new image by editing `.devcontainer/devcontainer.json` and replacing `image` with `build`. `Ctrl+/` can be used to comment and uncomment blocks of code within VSCode. There is a dev container configuration provided for development. By default it will use the existing container image available at `ghcr.io/ublue-os/isogenerator`, however, you can have it build a new image by editing `.devcontainer/devcontainer.json` and replacing `image` with `build`. `Ctrl+/` can be used to comment and uncomment blocks of code within VSCode.


@ -25,34 +25,18 @@ inputs:
IMAGE_TAG: IMAGE_TAG:
description: Tag of the source container image description: Tag of the source container image
required: false required: false
EXTRA_BOOT_PARAMS:
description: Extra params used by grub to boot the anaconda installer
required: false
WEB_UI: WEB_UI:
description: Enable Anaconda WebUI description: Enable Anaconda WebUI
required: true required: true
default: "false" default: "false"
ENROLLMENT_PASSWORD:
description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
required: false
default: "ublue-os"
SECURE_BOOT_KEY_URL:
description: Secure boot key that is installed from URL location
required: false
ACTION_REPO: ACTION_REPO:
deprecationMessage: This variable is no longer used and will be removed in a future version description: Repository with the build action
required: false required: false
default: ${{ github.repository }}
ACTION_REF: ACTION_REF:
deprecationMessage: This variable is no longer used and will be removed in a future version description: Repository ref for the build action
required: false required: false
default: ${{ github.ref }}
outputs:
output-directory:
value: ${{ steps.final.outputs.OUTPUT_DIR }}
iso-path:
value: ${{ steps.final.outputs.ISO_PATH }}
checksum-path:
value: ${{ steps.final.outputs.CHECKSUM_PATH }}
runs: runs:
using: composite using: composite
@ -76,13 +60,19 @@ runs:
echo "Host must be mounted as /host in order to make more space" echo "Host must be mounted as /host in order to make more space"
fi fi
- name: Install Make - name: Install make and git
shell: bash shell: bash
run: dnf install -y make run: dnf install -y make git
- name: Checkout repository
uses: actions/checkout@v4
with:
repository: ${{ inputs.ACTION_REPO }}
ref: ${{ inputs.ACTION_REF }}
submodules: recursive
- name: Install dependencies - name: Install dependencies
shell: bash shell: bash
working-directory: ${{ github.action_path }}
run: make install-deps run: make install-deps
- name: Lowercase Registry - name: Lowercase Registry
@ -93,7 +83,6 @@ runs:
- name: Download image - name: Download image
shell: bash shell: bash
working-directory: ${{ github.action_path }}
run: | run: |
make container/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }} \ make container/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }} \
ARCH=${{ inputs.ARCH }} \ ARCH=${{ inputs.ARCH }} \
@ -106,7 +95,6 @@ runs:
- name: Create boot.iso - name: Create boot.iso
shell: bash shell: bash
working-directory: ${{ github.action_path }}
run: | run: |
make boot.iso \ make boot.iso \
ARCH=${{ inputs.ARCH }} \ ARCH=${{ inputs.ARCH }} \
@ -115,15 +103,10 @@ runs:
IMAGE_TAG=${{ inputs.IMAGE_TAG || inputs.VERSION }} \ IMAGE_TAG=${{ inputs.IMAGE_TAG || inputs.VERSION }} \
VARIANT=${{ inputs.VARIANT }} \ VARIANT=${{ inputs.VARIANT }} \
VERSION=${{ inputs.VERSION }} \ VERSION=${{ inputs.VERSION }} \
WEB_UI=${{ inputs.WEB_UI }} \ WEB_UI=${{ inputs.WEB_UI }}
EXTRA_BOOT_PARAMS=${{ inputs.EXTRA_BOOT_PARAMS }} \
SECURE_BOOT_KEY_URL=${{ inputs.SECURE_BOOT_KEY_URL }} \
ENROLLMENT_PASSWORD=${{ inputs.ENROLLMENT_PASSWORD }}
- name: Create deploy.iso and generate sha256 checksum - name: Create deploy.iso
shell: bash shell: bash
id: final
working-directory: ${{ github.action_path }}
run: | run: |
make ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso \ make ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso \
ARCH=${{ inputs.ARCH }} \ ARCH=${{ inputs.ARCH }} \
@ -134,9 +117,14 @@ runs:
VERSION=${{ inputs.VERSION }} \ VERSION=${{ inputs.VERSION }} \
WEB_UI=${{ inputs.WEB_UI }} WEB_UI=${{ inputs.WEB_UI }}
mkdir end_iso mkdir end_iso
sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/ mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
echo "OUTPUT_DIR=$(realpath ./end_iso)" >> $GITHUB_OUTPUT - name: Upload ISO as artifact
echo "ISO_PATH=$(realpath ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso)" >> $GITHUB_OUTPUT uses: actions/upload-artifact@v4
echo "CHECKSUM_PATH=$(realpath ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM)" >> $GITHUB_OUTPUT with:
name: ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-${{ inputs.VARIANT }}.iso
path: end_iso/*.iso
if-no-files-found: error
retention-days: 0
compression-level: 0
overwrite: true
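Review bot: The `run:` blocks splice `${{ inputs.* }}` directly into the bash script (`ARCH=${{ inputs.ARCH }} \`, `make ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso`), so the expression is expanded before bash parses the line and any shell metacharacter in a caller-supplied input becomes part of the command. Pass each input through the step's `env:` and reference it quoted, e.g. `IMAGE_TAG: ${{ inputs.IMAGE_TAG || inputs.VERSION }}` under `env:` and `IMAGE_TAG="$IMAGE_TAG"` on the make line. This applies to the Download image, Create boot.iso and Create deploy.iso steps, whose bodies are only partly inside these hunks. The added checkout step takes `repository` and `ref` from inputs defaulting to `github.repository` and `github.ref`, which in a calling workflow resolve to the caller's repository rather than this action's, so the `ACTION_REPO`/`ACTION_REF` descriptions should say the defaults are only correct when the action runs from its own repo.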


@ -1,17 +0,0 @@
#!/bin/bash
set -eu
# pre-create loop devices manually. In containers we can't use losetup for that.
mknod -m 0660 /dev/loop0 b 7 0 2>/dev/null || true
make output/${IMAGE_NAME}-${IMAGE_TAG}.iso \
ARCH=${ARCH} \
VERSION=${VERSION} \
IMAGE_REPO=${IMAGE_REPO} \
IMAGE_NAME=${IMAGE_NAME} \
IMAGE_TAG=${IMAGE_TAG} \
VARIANT=${VARIANT} \
WEB_UI=${WEB_UI} \
SECURE_BOOT_KEY_URL=${SECURE_BOOT_KEY_URL} \
ENROLLMENT_PASSWORD=${ENROLLMENT_PASSWORD}


@ -1,9 +0,0 @@
append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
append usr/share/anaconda/interactive-defaults.ks "set -m"
append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
append usr/share/anaconda/interactive-defaults.ks "%end"
append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"


@ -1,25 +0,0 @@
#!/bin/sh
set -oue pipefail
readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@
readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
if [[ ! -d "/sys/firmware/efi" ]]; then
echo "EFI mode not detected. Skipping key enrollment."
exit 0
fi
if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
echo "Secure boot key not provided: ${SECUREBOOT_KEY}"
exit 0
fi
SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
echo "Steam Deck hardware detected. Skipping key enrollment."
exit 0
fi
mokutil --timeout -1 || :
echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :


@ -5,15 +5,10 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
echo "-boot_image any replay" echo "-boot_image any replay"
echo "-joliet on" echo "-joliet on"
echo "-compliance joliet_long_names" echo "-compliance joliet_long_names"
if [ -f $(pwd)/sb_pubkey.der ]; then
echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
echo "-chmod 0444 /sb_pubkey.der"
fi
echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
echo "-chmod 0777 enroll-secureboot-key.sh"
cd container cd container
for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do
echo "-map $(pwd)/${file} ${file}" echo "-map $(pwd)/${file} ${file}"
echo "-chmod 0444 ${file}" echo "-chmod 0444 ${file}"
done done
echo "-end" echo "-end"
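Review bot: `for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do` word-splits find's output, and the `echo "-map $(pwd)/${file} ${file}"` and `echo "-chmod 0444 ${file}"` lines write each path unquoted into the xorriso dialog, so a path containing whitespace yields malformed or extra commands. The directory is populated from the downloaded container image, so its file names are not under the script's control. If the script runs under bash, iterate with `find … -print0 | while IFS= read -r -d '' file; do` and quote the path in the emitted lines; how xorriso expects quoting in dialog input should be checked against its documentation. The script begins above this hunk.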