From 3effd5e33889ad4241fd2d6a01786a890a712caa Mon Sep 17 00:00:00 2001
From: sysadmin
Date: Mon, 8 Jun 2026 20:58:07 +0100
Subject: [PATCH] ci(windows): pin base-ISO SHA + verify; ISO staged locally on runner Base eval ISO staged at C:\silvermetal\base.iso on GITEA-RUN-WIN (SHA256 2CEE70BD...CB29 pinned in inputs.manifest.json). Repo var now points at that local path, so the build reads locally - no NAS share auth / no CI creds. Dropped -SkipInputVerify so the build verifies the pinned hash.
Co-Authored-By: Claude Opus 4.8
---
 .gitea/workflows/build-iso-windows.yaml | 3 +--
 windows/installer/inputs.manifest.json | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/build-iso-windows.yaml b/.gitea/workflows/build-iso-windows.yaml
index 101a581..07545bf 100644
--- a/.gitea/workflows/build-iso-windows.yaml
+++ b/.gitea/workflows/build-iso-windows.yaml
@@ -95,8 +95,7 @@ jobs:
 run: |
 .\windows\installer\build.ps1 `
 -SourceIso '${{ steps.iso.outputs.path }}' `
- -OutputIso "$env:RUNNER_TEMP\out\SilverMetal-Enhanced-Windows.iso" `
- -SkipInputVerify
+ -OutputIso "$env:RUNNER_TEMP\out\SilverMetal-Enhanced-Windows.iso"
 - name: Validate baked payload (offline assertions)
 shell: pwsh
diff --git a/windows/installer/inputs.manifest.json b/windows/installer/inputs.manifest.json
index 90d8317..4b03910 100644
--- a/windows/installer/inputs.manifest.json
+++ b/windows/installer/inputs.manifest.json
@@ -6,7 +6,7 @@
 "baseImage": {
 "edition": "Windows 11 IoT Enterprise LTSC",
 "arch": "x64",
- "isoSha256": "TODO-M2-pin-against-licensed-media",
+ "isoSha256": "2CEE70BD183DF42B92A2E0DA08CC2BB7A2A9CE3A3841955A012C0F77AEB3CB29",
 "wimImageName": "Windows 11 IoT Enterprise LTSC",
 "wimImageIndex": null
 },
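Review bot: In the build step, `-SourceIso '${{ steps.iso.outputs.path }}'` is substituted into the script text before PowerShell parses it, so the value is handled as code rather than data. A path containing a single quote would alter the command, and the commit message says the path is now driven by a repository variable. Passing it through the step environment keeps it inert: add `env:` with `SOURCE_ISO: ${{ steps.iso.outputs.path }}` to the step and call `-SourceIso $env:SOURCE_ISO`. With `-SkipInputVerify` gone, the job also depends on build.ps1 verifying by default and failing when the manifest digest is missing or malformed, which this hunk does not show and is worth confirming. The step starts above the hunk, so the `env:` placement is against lines not visible here.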
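Review bot: The new `isoSha256` value has no recorded origin, and the commit message calls the staged file an eval ISO while the placeholder it replaces asked for a pin against licensed media. If the digest was computed from the copy already on the runner, the check proves only that the file is unchanged since staging, not that it is the publisher's media, so it should be compared with the publisher's listed SHA-256 before being trusted. Because JSON has no comments, the source could be recorded in a sibling key if the manifest's consumer tolerates one, for example `"isoSha256Source": "<publisher download page or media ID>"`, or otherwise in the commit message. The value is stored in upper case; whether build.ps1 compares case-insensitively is not visible here.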