SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
9 Commits 4 Branches 0 Tags
eae2b98906d39fd4c14ee890f2c990ca50febbe7
Commit Graph

5 Commits

Author SHA1 Message Date
SysAdmin
eae2b98906 fix(linux/build): re-pin BUILDER_IMAGE to amd64 registry digest
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 11s
Details 
Two corrections to f9e606d:

1. Registry hostname: docker-registry:5000 isn't DNS-resolvable on the
   SLAB docker host (verified). The fleet-wide convention is the canonical
   docker-registry.silverlabs.uk URL, registered as an insecure-registry
   in /etc/docker/daemon.json on every docker host.

2. Architecture: the original push from WSL2-on-aarch64 produced an arm64
   image that won't run on the amd64 runner. Rebuilt natively on the docker
   host. New manifest digest (amd64-only):
     sha256:9e7161f9f180483f434074d7f32c27c907955232bd0c44efe6dc0ee1d9e56ae0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-26 11:59:52 +01:00
SysAdmin
7b99516232 feat(linux/build): silvermetal-builder Gitea Actions runner deployment 
act_runner-based deployment that handles `runs-on: silvermetal-builder` jobs.
Adapted from the stinky-roger-tv flutter-builder pattern with three changes:

- privileged: true (live-build needs loop devices + chroot)
- 4h job timeout (covers two reproducibility-gated ISO builds + diffoscope)
- silvermetal-builder label maps to catthehacker/ubuntu:act-latest, not the
  silvermetal-builder image — the builder image stays minimal (no docker-cli),
  and build.sh invokes it via `docker run` from the catthehacker job shell

Deployed at /opt/silvermetal-builder-runner/ on the SLAB docker host
(10.0.0.51); registered with git.silverlabs.uk and reporting healthy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-26 11:59:44 +01:00
SysAdmin
f9e606d22d fix(linux/build): pin BUILDER_IMAGE to pushed registry digest (M1.1) 
Image built from Dockerfile.builder@36f7672 was pushed to both
docker-registry:5000 (internal) and docker-registry.silverlabs.uk
(external) under tags m1.1-bootstrap + latest. Both URLs serve the
same registry, so the manifest digest is identical:

  sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85

Default points at the internal hostname for CI; external dev overrides
via BUILDER_IMAGE env var.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-26 11:48:48 +01:00
SysAdmin
36f7672c6f fix(linux/build): make builder image actually build (M1.1) 
- Pin debian:bookworm-slim by real digest (resolved 2026-04-26).
- Two-phase install: seed ca-certificates from the default mirror first
  so HTTPS to snapshot.debian.org works, then swap to the pinned snapshot
  for the toolchain itself. Slim images don't ship the CA bundle, so the
  one-shot pinned-source-only install would deadlock on cert verification.

Validated locally: image builds clean, 302MB, all live-build / debootstrap /
mksquashfs / xorriso / diffoscope-minimal present.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-26 04:49:34 +01:00
SysAdmin
4444dc11f3 feat(linux/build): scaffold reproducible ISO build pipeline (M1.1) 
Vendors Kicksecure derivative-maker as a pinned submodule (18.1.7.4),
adds the wrapper + verify + diagnose scripts, the pinned builder image,
and the reproducibility-gated Gitea Actions workflow. Base flavour only —
no hardening overlay (that's M1.2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-26 04:25:48 +01:00