ci(windows): pin base-ISO SHA + verify; ISO staged locally on runner

Base eval ISO staged at C:\silvermetal\base.iso on GITEA-RUN-WIN (SHA256 2CEE70BD...CB29 pinned in inputs.manifest.json). Repo var now points at that local path, so the build reads locally - no NAS share auth / no CI creds. Dropped -SkipInputVerify so the build verifies the pinned hash. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 20:58:07 +01:00
parent ee34b8e373
commit 3effd5e338
2 changed files with 2 additions and 3 deletions
--- a/.gitea/workflows/build-iso-windows.yaml
+++ b/.gitea/workflows/build-iso-windows.yaml
@@ -95,8 +95,7 @@ jobs:
        run: |
          .\windows\installer\build.ps1 `
            -SourceIso '${{ steps.iso.outputs.path }}' `
-            -OutputIso "$env:RUNNER_TEMP\out\SilverMetal-Enhanced-Windows.iso" `
-            -SkipInputVerify
+            -OutputIso "$env:RUNNER_TEMP\out\SilverMetal-Enhanced-Windows.iso"

      - name: Validate baked payload (offline assertions)
        shell: pwsh
--- a/windows/installer/inputs.manifest.json
+++ b/windows/installer/inputs.manifest.json
@@ -6,7 +6,7 @@
  "baseImage": {
    "edition": "Windows 11 IoT Enterprise LTSC",
    "arch": "x64",
-    "isoSha256": "TODO-M2-pin-against-licensed-media",
+    "isoSha256": "2CEE70BD183DF42B92A2E0DA08CC2BB7A2A9CE3A3841955A012C0F77AEB3CB29",
    "wimImageName": "Windows 11 IoT Enterprise LTSC",
    "wimImageIndex": null
  },