morgan
/
isogenerator
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: morgan:main
Branches Tags
morgan:main
morgan:1.0.9
morgan:1.0.8
morgan:1.0.7
morgan:1.0.6
morgan:1.0.5
morgan:1.0.4
morgan:1.0.3
morgan:1.0.2
morgan:1.0.1
morgan:1.0.0
..
compare: morgan:1.0.5
Branches Tags
morgan:main
morgan:1.0.9
morgan:1.0.8
morgan:1.0.7
morgan:1.0.6
morgan:1.0.5
morgan:1.0.4
morgan:1.0.3
morgan:1.0.2
morgan:1.0.1
morgan:1.0.0

No commits in common. "main" and "1.0.5" have entirely different histories.
main ... 1.0.5

13 changed files with 97 additions and 344 deletions
Show Stats Expand all files Collapse all files

5
.dockerignore
View File

@ -1,5 +0,0 @@
.devcontainer
.git*
*.md
action.yml
LICENSE

2
.github/CODEOWNERS vendored Normal file
View File

@ -0,0 +1,2 @@
# Default owner of code within this repo
* @JasonN3

153
.github/workflows/build-container-image.yml vendored
View File

@ -1,21 +1,13 @@
---
name: Build Container Image
on:
merge_group:
pull_request:
branches:
- main
paths-ignore:
- '*.md'
- 'LICENSE'
- 'CODEOWNERS'
push:
branches:
- main
workflow_dispatch:
env:
IMAGE_NAME: "isogenerator"
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
jobs:
push-image:
@ -33,144 +25,17 @@ jobs:
- 40
include:
- version: 39
is_latest_version: true
is_stable_version: true
support: latest
steps:
# Checkout push-to-registry action GitHub repository
- name: Checkout Push to Registry action
uses: actions/checkout@v4
- name: Generate tags
id: generate-tags
shell: bash
run: |
# Generate a timestamp for creating an image version history
TIMESTAMP="$(date +%Y%m%d)"
VARIANT="${{ matrix.version }}"
COMMIT_TAGS=()
BUILD_TAGS=()
# Have tags for tracking builds during pull request
SHA_SHORT="${GITHUB_SHA::7}"
COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}")
COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}")
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
COMMIT_TAGS+=("pr-${{ github.event.number }}")
COMMIT_TAGS+=("${SHA_SHORT}")
fi
BUILD_TAGS=("${VARIANT}")
# Append matching timestamp tags to keep a version history
for TAG in "${BUILD_TAGS[@]}"; do
BUILD_TAGS+=("${TAG}-${TIMESTAMP}")
done
if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \
[[ "${{ matrix.is_stable_version }}" == "true" ]]; then
BUILD_TAGS+=("${TIMESTAMP}")
BUILD_TAGS+=("latest")
fi
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "Generated the following commit tags: "
for TAG in "${COMMIT_TAGS[@]}"; do
echo "${TAG}"
done
alias_tags=("${COMMIT_TAGS[@]}")
else
alias_tags=("${BUILD_TAGS[@]}")
fi
echo "Generated the following build tags: "
for TAG in "${BUILD_TAGS[@]}"; do
echo "${TAG}"
done
echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
- name: Get current version
id: labels
run: |
ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.IMAGE_NAME }}:${{ matrix.version }} | jq -r '.Labels["org.opencontainers.image.version"]')
echo "VERSION=$ver" >> $GITHUB_OUTPUT
# Build metadata
- name: Image Metadata
uses: docker/metadata-action@v5
id: meta
- name: Build image
uses: ublue-os/build-action@1.0.1
with:
images: |
${{ env.IMAGE_NAME }}
labels: |
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
org.opencontainers.image.description=Used to generate ISO installers for OCI containers
org.opencontainers.image.title=${{ env.IMAGE_NAME }}
org.opencontainers.image.version=${{ steps.labels.outputs.VERSION }}
# Build image using Buildah action
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
with:
containerfiles: |
./Containerfile
# Postfix image name with -custom to make it a little more descriptive
# Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.generate-tags.outputs.alias_tags }}
build-args: |
VERSION=${{ matrix.version }}
labels: ${{ steps.meta.outputs.labels }}
oci: false
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
- name: Lowercase Registry
id: registry_case
uses: ASzc/change-string-case-action@v6
with:
string: ${{ env.IMAGE_REGISTRY }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Push the image to GHCR (Image Registry)
- name: Push To GHCR
uses: redhat-actions/push-to-registry@v2
id: push
env:
REGISTRY_USER: ${{ github.actor }}
REGISTRY_PASSWORD: ${{ github.token }}
with:
image: ${{ steps.build_image.outputs.image }}
tags: ${{ steps.build_image.outputs.tags }}
registry: ${{ steps.registry_case.outputs.lowercase }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY_PASSWORD }}
extra-args: |
--disable-content-trust
# Sign container
- uses: sigstore/cosign-installer@v3.4.0
if: github.event_name != 'pull_request'
- name: Sign container image
if: github.event_name != 'pull_request'
run: |
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
env:
TAGS: ${{ steps.push.outputs.digest }}
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
image_name: isogenerator
image_variant: main
version: ${{ matrix.version }}
support: ${{ matrix.support }}
signing_key: ${{ secrets.SIGNING_SECRET }}
continue-on-error: false
check:
name: Check build successful

39
.github/workflows/test-iso.yml vendored
View File

@ -10,41 +10,28 @@ on:
- '*.md'
- 'LICENSE'
- 'CODEOWNERS'
workflow_dispatch:
jobs:
build-and-push-iso:
name: Build ISO
runs-on: self-hosted
runs-on: ubuntu-latest
container:
image: fedora:39
options: "--privileged"
volumes:
- "/:/host"
permissions:
contents: read
packages: write
strategy:
fail-fast: false
matrix:
version: [38, 39]
boot: [secureboot, insecure]
include:
- boot: secureboot
SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
ENROLLMENT_PASSWORD: 'ublue-os'
SECURE_BOOT_STRING: '-secure'
- boot: insecure
SECURE_BOOT_KEY_URL: ''
ENROLLMENT_PASSWORD: ''
SECURE_BOOT_STRING: ''
version:
- 38
- 39
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build ISO
id: build-iso
uses: ./
with:
ARCH: 'x86_64'
@ -52,20 +39,8 @@ jobs:
IMAGE_REPO: 'ghcr.io/ublue-os'
VARIANT: 'Kinoite'
VERSION: ${{ matrix.version }}
SECURE_BOOT_KEY_URL: ${{ matrix.SECURE_BOOT_KEY_URL }}
ENROLLMENT_PASSWORD: ${{ matrix.ENROLLMENT_PASSWORD }}
- name: Upload ISO as artifact
uses: actions/upload-artifact@v4
with:
name: base-main-${{ matrix.version }}${{ matrix.SECURE_BOOT_STRING }}.iso
path: |
${{ steps.build-iso.outputs.iso-path }}
${{ steps.build-iso.outputs.checksum-path }}
if-no-files-found: error
retention-days: 0
compression-level: 0
overwrite: true
ACTION_REPO: ${{ github.repository }}
ACTION_REF: ${{ github.ref }}
check:
name: Check build successful
@ -80,4 +55,4 @@ jobs:
run: exit 1
- name: Exit
shell: bash
run: exit 0
run: exit 0

12
Containerfile
View File

@ -4,7 +4,7 @@ ARG VERSION=39
FROM fedora:${VERSION}
# Set version for the environment variables in the container.
ARG VERSION=${VERSION}
ARG VERSION=39
ENV ARCH="x86_64"
ENV IMAGE_NAME="base-main"
@ -13,16 +13,12 @@ ENV IMAGE_TAG="${VERSION}"
ENV VARIANT="Kinoite"
ENV VERSION="${VERSION}"
ENV WEB_UI="false"
ENV SECURE_BOOT_KEY_URL=""
ENV ENROLLMENT_PASSWORD="ublue-os"
COPY ./ /isogenerator
COPY / /isogenerator
WORKDIR /isogenerator
RUN dnf install -y make && \
make install-deps && \
dnf clean all
RUN dnf install -y make && make install-deps
VOLUME /isogenerator/output
ENTRYPOINT /isogenerator/entrypoint.sh
ENTRYPOINT ["sh", "-c", "make output/${IMAGE_NAME}-${IMAGE_TAG}.iso ARCH=${ARCH} VERSION=${VERSION} IMAGE_REPO=${IMAGE_REPO} IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} VARIANT=${VARIANT} WEB_UI=${WEB_UI}"]

35
Makefile
View File

@ -5,11 +5,8 @@ VERSION = 39
IMAGE_REPO = ghcr.io/ublue-os
IMAGE_NAME = base-main
IMAGE_TAG = $(VERSION)
EXTRA_BOOT_PARAMS =
VARIANT = Kinoite
WEB_UI = false
ENROLLMENT_PASSWORD = ublue-os
SECURE_BOOT_KEY_URL =
# Generated vars
## Formatting = _UPPERCASE
@ -37,7 +34,6 @@ $(IMAGE_NAME)-$(IMAGE_TAG).iso: output/$(IMAGE_NAME)-$(IMAGE_TAG).iso
output/$(IMAGE_NAME)-$(IMAGE_TAG).iso: boot.iso container/$(IMAGE_NAME)-$(IMAGE_TAG) xorriso/input.txt
mkdir $(_BASE_DIR)/output || true
xorriso -dialog on < $(_BASE_DIR)/xorriso/input.txt
implantisomd5 $(_BASE_DIR)/output/$(IMAGE_NAME)-$(IMAGE_TAG).iso
# Step 1: Generate Lorax Templates
lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
@ -51,35 +47,12 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
# Step 2: Build boot.iso using Lorax
boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
rm -Rf $(_BASE_DIR)/results || true
rm /etc/rpm/macros.image-language-conf || true
# Set the enrollment password
sed 's/@ENROLLMENT_PASSWORD@/$(ENROLLMENT_PASSWORD)/' $(_BASE_DIR)/scripts/enroll-secureboot-key.sh.in > $(_BASE_DIR)/scripts/enroll-secureboot-key.sh
# Download the secure boot key
if [ -n "$(SECURE_BOOT_KEY_URL)" ]; then\
curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL);\
fi
# Set the default menu entry to the first one
rm -Rf $(_BASE_DIR)/results
sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
# Add Extra Boot Parameters to all menu entries
sed -i 's/linux @KERNELPATH@ @ROOT@ quiet/linux @KERNELPATH@ @ROOT@ quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ quiet/linuxefi @KERNELPATH@ @ROOT@ quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ rd.live.check quiet/linux @KERNELPATH@ @ROOT@ rd.live.check quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet/linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ nomodeset quiet/linux @KERNELPATH@ @ROOT@ nomodeset quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ nomodeset quiet/linuxefi @KERNELPATH@ @ROOT@ nomodeset quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
sed -i 's/linux @KERNELPATH@ @ROOT@ inst.rescue quiet/linux @KERNELPATH@ @ROOT@ inst.rescue quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
sed -i 's/linuxefi @KERNELPATH@ @ROOT@ inst.rescue quiet/linuxefi @KERNELPATH@ @ROOT@ inst.rescue quiet $(EXTRA_BOOT_PARAMS)/g' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
# Build boot.iso
lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
--isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
$(_LORAX_ARGS) \
@ -99,7 +72,7 @@ container/$(IMAGE_NAME)-$(IMAGE_TAG):
podman rmi $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG)
install-deps:
dnf install -y lorax xorriso podman git
dnf install -y lorax xorriso podman git rpm-ostree
# Step 4: Generate xorriso script
xorriso/%.sh: xorriso/%.sh.in

69
README.md
View File

@ -16,58 +16,41 @@ This will create an ISO with the baked in defaults of the container image.
See [Customizing](#customizing) for information about customizing the image that gets created. The variable can either be defined as environment variables or as command arguments.
Examples:
Creating Universal Blue Silverblue ISO
Creating Bluefin GTS ISO
```bash
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=silverblue-main -e IMAGE_TAG=latest -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:39
```
```bash
# Requires sudo to run
sudo podman run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=silverblue-main -e IMAGE_TAG=latest -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:39
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=38 -e IMAGE_NAME=bluefin -e IMAGE_TAG=gts -e VARIANT=Silverblue ghcr.io/ublue-os/isogenerator:38
```
Creating Universal Blue Kinoite ISO
Creating Bazzite Latest ISO
```bash
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=kinoite-main -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39
```
```bash
# Requires sudo to run
sudo podman run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=kinoite-main -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39
docker run --rm --privileged --volume .:/isogenerator/output -e VERSION=39 -e IMAGE_NAME=bazzite -e IMAGE_TAG=latest -e VARIANT=Kinoite ghcr.io/ublue-os/isogenerator:39
```
## Customizing
### Inputs
The following variables can be used to customize the create image.
| Variable | Description | Default Value |
| ----------------- | ------------------------------------------------------------ | ---------------------- |
| ARCH | Architecture for image to build | x86_64 |
| VERSION | Fedora version of installer to build | 39 |
| IMAGE_REPO | Repository containing the source container image | ghcr.io/ublue-os |
| IMAGE_NAME | Name of the source container image | base-main |
| IMAGE_TAG | Tag of the source container image | *VERSION* |
| EXTRA_BOOT_PARAMS | Extra params used by grub to boot the anaconda installer | \[empty\] |
| VARIANT | Source container variant\* | Kinoite |
| WEB_UI | Enable Anaconda WebUI (experimental) | false |
| ENROLLMENT_PASSWORD | Password used to enroll secure boot key into BIOS\*\* | isogenerator |
| SECURE_BOOT_KEY_URL | URL used to download your secure boot key for enrollment\*\* | \[empty\] |
\*Available options for VARIANT can be found by running `dnf provides system-release`. Variant will be the third item in the package name. Example: `fedora-release-kinoite-39-34.noarch` will be kinoite
\*\*NOTE: ENROLLMENT_PASSWORD and SECURE_BOOT_KEY_URL are not required. They are only required if you are creating specific kernel modules or if you are using Universal Blue Kernel Modules.
Our public key for our kmods is located here: https://github.com/ublue-os/akmods/raw/main/certs/public_key.der
### Outputs
This action outputs some useful values for you to use further on in your workflow.
| Output | Description |
| ------ | ----------- |
| output-directory | The directory containing ISO and checksum files |
| iso-path | The full path to the ISO file |
| checksum-path | The full path to the checksum file |
- ARCH
Architecture for image to build
Default Value: x86_64
- VERSION
Fedora version of installer to build
Default Value: 39
- IMAGE_REPO
Repository containing the source container image
Default Value: ghcr.io/ublue-os
- IMAGE_NAME
Name of the source container image
Default Value: base-main
- IMAGE_TAG
Tag of the source container image
Default Value: *VERSION*
- VARIANT
Source container variant
Available options can be found by running `dnf provides system-release`. Variant will be the third item in the package name. Example: `fedora-release-kinoite-39-34.noarch` will be kinonite
Default Value: Silverblue
- WEB_UI
Enable Anaconda WebUI
Default Value: false
## VSCode Dev Container
There is a dev container configuration provided for development. By default it will use the existing container image available at `ghcr.io/ublue-os/isogenerator`, however, you can have it build a new image by editing `.devcontainer/devcontainer.json` and replacing `image` with `build`. `Ctrl+/` can be used to comment and uncomment blocks of code within VSCode.

59
action.yml
View File

@ -25,34 +25,18 @@ inputs:
IMAGE_TAG:
description: Tag of the source container image
required: false
EXTRA_BOOT_PARAMS:
description: Extra params used by grub to boot the anaconda installer
required: false
WEB_UI:
description: Enable Anaconda WebUI
required: true
default: "false"
ENROLLMENT_PASSWORD:
description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
required: false
default: "ublue-os"
SECURE_BOOT_KEY_URL:
description: Secure boot key that is installed from URL location
required: false
ACTION_REPO:
deprecationMessage: This variable is no longer used and will be removed in a future version
description: Repository with the build action
required: false
default: ${{ github.repository }}
ACTION_REF:
deprecationMessage: This variable is no longer used and will be removed in a future version
description: Repository ref for the build action
required: false
outputs:
output-directory:
value: ${{ steps.final.outputs.OUTPUT_DIR }}
iso-path:
value: ${{ steps.final.outputs.ISO_PATH }}
checksum-path:
value: ${{ steps.final.outputs.CHECKSUM_PATH }}
default: ${{ github.ref }}
runs:
using: composite
@ -76,13 +60,19 @@ runs:
echo "Host must be mounted as /host in order to make more space"
fi
- name: Install Make
- name: Install make and git
shell: bash
run: dnf install -y make
run: dnf install -y make git
- name: Checkout repository
uses: actions/checkout@v4
with:
repository: ${{ inputs.ACTION_REPO }}
ref: ${{ inputs.ACTION_REF }}
submodules: recursive
- name: Install dependencies
shell: bash
working-directory: ${{ github.action_path }}
run: make install-deps
- name: Lowercase Registry
@ -93,7 +83,6 @@ runs:
- name: Download image
shell: bash
working-directory: ${{ github.action_path }}
run: |
make container/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }} \
ARCH=${{ inputs.ARCH }} \
@ -106,7 +95,6 @@ runs:
- name: Create boot.iso
shell: bash
working-directory: ${{ github.action_path }}
run: |
make boot.iso \
ARCH=${{ inputs.ARCH }} \
@ -115,15 +103,10 @@ runs:
IMAGE_TAG=${{ inputs.IMAGE_TAG || inputs.VERSION }} \
VARIANT=${{ inputs.VARIANT }} \
VERSION=${{ inputs.VERSION }} \
WEB_UI=${{ inputs.WEB_UI }} \
EXTRA_BOOT_PARAMS=${{ inputs.EXTRA_BOOT_PARAMS }} \
SECURE_BOOT_KEY_URL=${{ inputs.SECURE_BOOT_KEY_URL }} \
ENROLLMENT_PASSWORD=${{ inputs.ENROLLMENT_PASSWORD }}
WEB_UI=${{ inputs.WEB_UI }}
- name: Create deploy.iso and generate sha256 checksum
shell: bash
id: final
working-directory: ${{ github.action_path }}
run: |
make ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso \
ARCH=${{ inputs.ARCH }} \
@ -136,7 +119,13 @@ runs:
mkdir end_iso
sha256sum ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso > ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM
mv ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso end_iso/
echo "OUTPUT_DIR=$(realpath ./end_iso)" >> $GITHUB_OUTPUT
echo "ISO_PATH=$(realpath ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso)" >> $GITHUB_OUTPUT
echo "CHECKSUM_PATH=$(realpath ./end_iso/${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}-CHECKSUM)" >> $GITHUB_OUTPUT
- name: Upload ISO as artifact
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.IMAGE_NAME }}-${{ inputs.IMAGE_TAG || inputs.VERSION }}.iso
path: end_iso/*
if-no-files-found: error
retention-days: 0
compression-level: 0
overwrite: true

17
entrypoint.sh
View File

@ -1,17 +0,0 @@
#!/bin/bash
set -eu
# pre-create loop devices manually. In containers we can't use losetup for that.
mknod -m 0660 /dev/loop0 b 7 0 2>/dev/null || true
make output/${IMAGE_NAME}-${IMAGE_TAG}.iso \
ARCH=${ARCH} \
VERSION=${VERSION} \
IMAGE_REPO=${IMAGE_REPO} \
IMAGE_NAME=${IMAGE_NAME} \
IMAGE_TAG=${IMAGE_TAG} \
VARIANT=${VARIANT} \
WEB_UI=${WEB_UI} \
SECURE_BOOT_KEY_URL=${SECURE_BOOT_KEY_URL} \
ENROLLMENT_PASSWORD=${ENROLLMENT_PASSWORD}

19
scripts/enroll-secureboot-key.sh Executable file
View File

@ -0,0 +1,19 @@
#!/bin/sh
set -oue pipefail
readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
readonly ENROLLMENT_PASSWORD="ublue-os"
if [[ ! -d "/sys/firmware/efi" ]]; then
echo "EFI mode not detected. Skipping key enrollment."
exit 0
fi
if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
echo "Secure boot key not found: ${SECUREBOOT_KEY}"
exit 1
fi
mokutil --timeout -1 || :
echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :

25
scripts/enroll-secureboot-key.sh.in
View File

@ -1,25 +0,0 @@
#!/bin/sh
set -oue pipefail
readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@
readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
if [[ ! -d "/sys/firmware/efi" ]]; then
echo "EFI mode not detected. Skipping key enrollment."
exit 0
fi
if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
echo "Secure boot key not provided: ${SECUREBOOT_KEY}"
exit 0
fi
SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
echo "Steam Deck hardware detected. Skipping key enrollment."
exit 0
fi
mokutil --timeout -1 || :
echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :

BIN
scripts/ublue-os-akmods-public-key.der Normal file
View File

Binary file not shown.

6
xorriso/gen_input.sh.in
View File

@ -5,10 +5,8 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
echo "-boot_image any replay"
echo "-joliet on"
echo "-compliance joliet_long_names"
if [ -f $(pwd)/sb_pubkey.der ]; then
echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
echo "-chmod 0444 /sb_pubkey.der"
fi
echo "-map $(pwd)/scripts/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
echo "-chmod 0444 /ublue-os-akmods-public-key.der"
echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
echo "-chmod 0777 enroll-secureboot-key.sh"
cd container