furtka/.forgejo/workflows/build-iso.yml

name: Build ISO

# Full ISO build is ~5-7 min. Only run on push-to-main and manual
# dispatch so feature-branch iteration stays fast. Docs-only changes
# skip the build — the `paths-ignore` list below covers *.md files,
# docs/, and the website (Hugo source). Anything that touches code,
# the ISO overlay, or the workflow itself still triggers a rebuild.
on:
  push:
    branches: [main]
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
      - 'website/**'
      - 'CHANGELOG.md'
      - 'RELEASING.md'
  workflow_dispatch:

concurrency:
  group: build-iso-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-iso:
    # Run directly on the runner host, not inside a job container.
    # `build.sh` does `docker run -v $REPO_ROOT:/work archlinux:latest`,
    # and host docker interprets the volume source as a host path — so
    # $REPO_ROOT has to be a path on the host, which it only is when
    # we skip the job-container wrapping. The runner VM has git + docker.
    runs-on: self-hosted
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Build ISO
        run: ./iso/build.sh

      - name: Report ISO hash
        run: |
          iso=$(ls iso/out/*.iso | head -1)
          echo "ISO: $iso"
          sha256sum "$iso"

      - name: Upload ISO artifact
        # v4+ isn't supported on Forgejo yet (uses newer @actions/artifact
        # protocol that Forgejo's GHES-compatible API doesn't implement).
        uses: actions/upload-artifact@v3
        with:
          name: furtka-iso
          path: iso/out/*.iso
          retention-days: 14
          if-no-files-found: error

      - name: Smoke-test ISO on Proxmox test host
        # Inlined as a step (rather than a separate job with `needs:`) so
        # we can reuse the ISO that's already in the workspace — Forgejo's
        # actions/download-artifact@v3 hangs on 1.5 GB files.
        # step-level continue-on-error: a VM-side flake doesn't mark the
        # ISO build red, the ISO itself is still valid and uploaded.
        continue-on-error: true
        env:
          PVE_TEST_HOST: ${{ secrets.PVE_TEST_HOST }}
          PVE_TEST_TOKEN: ${{ secrets.PVE_TEST_TOKEN }}
          SMOKE_SHA: ${{ github.sha }}
        run: |
          iso=$(ls iso/out/*.iso | head -1)
          echo "Smoking $iso"
          ./scripts/smoke-vm.sh "$iso"
ci: build the live ISO on push-to-main and publish as artifact Adds `.forgejo/workflows/build-iso.yml` that runs `./iso/build.sh` and uploads the resulting ISO as a `furtka-iso` artifact (retained 14 days). Triggers on `push: branches: [main]` and `workflow_dispatch` only — feature branches don't pay the 15-20 min build cost. `concurrency` cancels older runs of the same ref so only the most recent push produces an artifact. This is what Robert asked for: push change → download ISO from the Forgejo run → test without needing a laptop to build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:13:15 +02:00			`name: Build ISO`

docs: sync README roadmap, runner-setup, and ops/ to today's reality A lot moved since the last docs sweep. Catching everything up in one batch so a newcomer (or future us) reading the repo isn't lied to. README.md roadmap: - Walking-skeleton live ISO: upgraded from "screens 1-3 work end-to-end" to "install runs to completion on a VM and the installed system logs in and runs `docker ps` without sudo". - 26.0-alpha release: dropped the "deferred" note — its blocker (archinstall not completing) is gone; just needs a re-tag when we like the installer copy. - Added an explicit "ISO-build in CI" line for the new `.forgejo/workflows/build-iso.yml`. - Split the old "mDNS + local CA" item: mDNS is live (hostname baked in, avahi/nss-mdns in the image), HTTPS via local CA still open. - Noted post-install reboot button, progress bar, archinstall 4.x schema work, console welcome, custom_commands docker group join in the wizard milestone bullet. docs/runner-setup.md: - Full rewrite for the docker-outside-of-docker architecture we actually run now (was still describing the DinD sidecar setup). - Documents the `/data` symlink on the host that makes host-mode `-v /data/…:/work` resolve — the non-obvious piece that took the longest to nail down today. - Describes the two runtime modes (`ubuntu-latest:docker://…` for CI, `self-hosted:host` for build-iso) and why each exists. - Adds the `upload-artifact@v3` pin note — v4+ fails on Forgejo with `GHESNotSupportedError`. ops/forgejo-runner/compose.yml + config.yml: - Compose now matches what's actually running: DooD (no DinD sidecar), runs as root so apk can install nodejs + docker-cli at startup, /var/run/docker.sock bind-mounted. - Config gets the three explicit label mappings and DooD `docker_host` + `valid_volumes`. .forgejo/workflows/build-iso.yml: - Added `paths-ignore` for docs/website/*.md so doc-only commits don't kick off 5-min ISO rebuilds. Code + ISO overlay changes still trigger. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 19:28:33 +02:00			`# Full ISO build is ~5-7 min. Only run on push-to-main and manual`
			`# dispatch so feature-branch iteration stays fast. Docs-only changes`
			# skip the build — the `paths-ignore` list below covers *.md files,
			`# docs/, and the website (Hugo source). Anything that touches code,`
			`# the ISO overlay, or the workflow itself still triggers a rebuild.`
ci: build the live ISO on push-to-main and publish as artifact Adds `.forgejo/workflows/build-iso.yml` that runs `./iso/build.sh` and uploads the resulting ISO as a `furtka-iso` artifact (retained 14 days). Triggers on `push: branches: [main]` and `workflow_dispatch` only — feature branches don't pay the 15-20 min build cost. `concurrency` cancels older runs of the same ref so only the most recent push produces an artifact. This is what Robert asked for: push change → download ISO from the Forgejo run → test without needing a laptop to build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:13:15 +02:00			`on:`
			`push:`
			`branches: [main]`
docs: sync README roadmap, runner-setup, and ops/ to today's reality A lot moved since the last docs sweep. Catching everything up in one batch so a newcomer (or future us) reading the repo isn't lied to. README.md roadmap: - Walking-skeleton live ISO: upgraded from "screens 1-3 work end-to-end" to "install runs to completion on a VM and the installed system logs in and runs `docker ps` without sudo". - 26.0-alpha release: dropped the "deferred" note — its blocker (archinstall not completing) is gone; just needs a re-tag when we like the installer copy. - Added an explicit "ISO-build in CI" line for the new `.forgejo/workflows/build-iso.yml`. - Split the old "mDNS + local CA" item: mDNS is live (hostname baked in, avahi/nss-mdns in the image), HTTPS via local CA still open. - Noted post-install reboot button, progress bar, archinstall 4.x schema work, console welcome, custom_commands docker group join in the wizard milestone bullet. docs/runner-setup.md: - Full rewrite for the docker-outside-of-docker architecture we actually run now (was still describing the DinD sidecar setup). - Documents the `/data` symlink on the host that makes host-mode `-v /data/…:/work` resolve — the non-obvious piece that took the longest to nail down today. - Describes the two runtime modes (`ubuntu-latest:docker://…` for CI, `self-hosted:host` for build-iso) and why each exists. - Adds the `upload-artifact@v3` pin note — v4+ fails on Forgejo with `GHESNotSupportedError`. ops/forgejo-runner/compose.yml + config.yml: - Compose now matches what's actually running: DooD (no DinD sidecar), runs as root so apk can install nodejs + docker-cli at startup, /var/run/docker.sock bind-mounted. - Config gets the three explicit label mappings and DooD `docker_host` + `valid_volumes`. .forgejo/workflows/build-iso.yml: - Added `paths-ignore` for docs/website/*.md so doc-only commits don't kick off 5-min ISO rebuilds. Code + ISO overlay changes still trigger. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 19:28:33 +02:00			`paths-ignore:`
			`- '*/.md'`
			`- 'docs/**'`
			`- 'website/**'`
			`- 'CHANGELOG.md'`
			`- 'RELEASING.md'`
ci: build the live ISO on push-to-main and publish as artifact Adds `.forgejo/workflows/build-iso.yml` that runs `./iso/build.sh` and uploads the resulting ISO as a `furtka-iso` artifact (retained 14 days). Triggers on `push: branches: [main]` and `workflow_dispatch` only — feature branches don't pay the 15-20 min build cost. `concurrency` cancels older runs of the same ref so only the most recent push produces an artifact. This is what Robert asked for: push change → download ISO from the Forgejo run → test without needing a laptop to build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:13:15 +02:00			`workflow_dispatch:`

			`concurrency:`
			`group: build-iso-${{ github.ref }}`
			`cancel-in-progress: true`

			`jobs:`
			`build-iso:`
ci: run build-iso on the runner host (DooD path fix) Now that the runner uses docker-outside-of-docker, volume mounts in `build.sh` (`docker run -v \$REPO_ROOT:/work ...`) are interpreted by host docker — so `\$REPO_ROOT` must be a real host path. When the job runs inside a job container, `\$REPO_ROOT` is only valid in the job container's filesystem namespace and host docker can't find it, hence `bash: /work/iso/build.sh: No such file or directory`. Fix: switch `runs-on` to `self-hosted`. Forgejo-runner exposes that label out of the box and, with no matching container image mapping, runs steps directly on the runner VM. Checkout writes to a real host path; `docker run -v …` then mounts a path both the outer CLI and host docker agree on. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:50:47 +02:00			`# Run directly on the runner host, not inside a job container.`
			# `build.sh` does `docker run -v $REPO_ROOT:/work archlinux:latest`,
			`# and host docker interprets the volume source as a host path — so`
			`# $REPO_ROOT has to be a path on the host, which it only is when`
			`# we skip the job-container wrapping. The runner VM has git + docker.`
			`runs-on: self-hosted`
ci: build the live ISO on push-to-main and publish as artifact Adds `.forgejo/workflows/build-iso.yml` that runs `./iso/build.sh` and uploads the resulting ISO as a `furtka-iso` artifact (retained 14 days). Triggers on `push: branches: [main]` and `workflow_dispatch` only — feature branches don't pay the 15-20 min build cost. `concurrency` cancels older runs of the same ref so only the most recent push produces an artifact. This is what Robert asked for: push change → download ISO from the Forgejo run → test without needing a laptop to build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:13:15 +02:00			`timeout-minutes: 30`
			`steps:`
			`- uses: actions/checkout@v4`

			`- name: Build ISO`
			`run: ./iso/build.sh`

			`- name: Report ISO hash`
			`run: \|`
			`iso=$(ls iso/out/*.iso \| head -1)`
			`echo "ISO: $iso"`
			`sha256sum "$iso"`

			`- name: Upload ISO artifact`
ci: pin upload-artifact to v3 — v4+ unsupported on forgejo Forgejo Actions only speaks the GHES-compatible @actions/artifact protocol; upload-artifact@v4+ insists on the newer API and fails with `GHESNotSupportedError`. Pin to v3, which uses the old protocol that Forgejo implements. Good news: the ISO itself built end-to-end in ~5m on the runner (DooD + /data symlink resolved the path-mismatch). Only the upload failed, and this pins it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 19:10:16 +02:00			`# v4+ isn't supported on Forgejo yet (uses newer @actions/artifact`
			`# protocol that Forgejo's GHES-compatible API doesn't implement).`
			`uses: actions/upload-artifact@v3`
ci: build the live ISO on push-to-main and publish as artifact Adds `.forgejo/workflows/build-iso.yml` that runs `./iso/build.sh` and uploads the resulting ISO as a `furtka-iso` artifact (retained 14 days). Triggers on `push: branches: [main]` and `workflow_dispatch` only — feature branches don't pay the 15-20 min build cost. `concurrency` cancels older runs of the same ref so only the most recent push produces an artifact. This is what Robert asked for: push change → download ISO from the Forgejo run → test without needing a laptop to build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-14 18:13:15 +02:00			`with:`
			`name: furtka-iso`
			`path: iso/out/*.iso`
			`retention-days: 14`
			`if-no-files-found: error`
feat(ci): auto-boot every main-ISO in smoke VM on .165 Proxmox After build-iso, a new smoke-vm job uploads the freshly built ISO to the test Proxmox at 192.168.178.165 via PVE API token, boots it in a fresh VM (VMID range 9000-9099, MAC derived from commit SHA so the runner can find the DHCP IP by scanning the LAN), and curls :5000 to confirm the webinstaller answers HTTP 200. Last 5 smoke VMs + their ISOs are kept for post-mortem; older ones are purged. continue-on-error on the smoke job so a VM-side flake doesn't mark the ISO build red. Shortens the feedback loop on ISO regressions from "next manual VM test session" (days) to "next push" (minutes) — the 2026-04-15/16 VM sessions each found real boot-time bugs that unit tests missed. Docs at docs/smoke-vm.md. Requires Forgejo secrets PVE_TEST_HOST and PVE_TEST_TOKEN (dedicated smoke@pve!ci PVE token, privilege-separated). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-18 11:41:44 +02:00
			`- name: Smoke-test ISO on Proxmox test host`
fix(ci): inline smoke-vm as a step instead of a downstream job The separate smoke-vm job with `needs: build-iso` required round-tripping the 1.5 GB ISO through actions/upload-artifact + download-artifact. v3 on Forgejo has a known issue where large artifacts stall at 0.0% in the download step — the smoke run hung today with endless "Total file count: 1 ---- Processed file #0 (0.0%)" output. Since both jobs run on the same self-hosted runner (host mode, same workspace available), there was never a real need for the artifact indirection. Inlining as a step after the artifact upload reuses the ISO already in iso/out/ and skips the download entirely. step-level continue-on-error preserves the original guarantee that a VM-side flake doesn't mark the ISO build red. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-18 12:20:58 +02:00			# Inlined as a step (rather than a separate job with `needs:`) so
			`# we can reuse the ISO that's already in the workspace — Forgejo's`
			`# actions/download-artifact@v3 hangs on 1.5 GB files.`
			`# step-level continue-on-error: a VM-side flake doesn't mark the`
			`# ISO build red, the ISO itself is still valid and uploaded.`
			`continue-on-error: true`
feat(ci): auto-boot every main-ISO in smoke VM on .165 Proxmox After build-iso, a new smoke-vm job uploads the freshly built ISO to the test Proxmox at 192.168.178.165 via PVE API token, boots it in a fresh VM (VMID range 9000-9099, MAC derived from commit SHA so the runner can find the DHCP IP by scanning the LAN), and curls :5000 to confirm the webinstaller answers HTTP 200. Last 5 smoke VMs + their ISOs are kept for post-mortem; older ones are purged. continue-on-error on the smoke job so a VM-side flake doesn't mark the ISO build red. Shortens the feedback loop on ISO regressions from "next manual VM test session" (days) to "next push" (minutes) — the 2026-04-15/16 VM sessions each found real boot-time bugs that unit tests missed. Docs at docs/smoke-vm.md. Requires Forgejo secrets PVE_TEST_HOST and PVE_TEST_TOKEN (dedicated smoke@pve!ci PVE token, privilege-separated). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-18 11:41:44 +02:00			`env:`
			`PVE_TEST_HOST: ${{ secrets.PVE_TEST_HOST }}`
			`PVE_TEST_TOKEN: ${{ secrets.PVE_TEST_TOKEN }}`
			`SMOKE_SHA: ${{ github.sha }}`
			`run: \|`
			`iso=$(ls iso/out/*.iso \| head -1)`
			`echo "Smoking $iso"`
			`./scripts/smoke-vm.sh "$iso"`