ci(windows): M2 ISO build + Gitea Windows-runner workflow #3

Merged
SilverLABS merged 8 commits from ci/build-iso-windows into main 2026-06-08 20:13:11 +00:00
Owner

Custom packed ISO — build pipeline + CI

Implements M2 (the ISO build) and M3 (the Gitea workflow) for SilverMetal Enhanced — Windows, targeting the existing self-hosted silverlabs-runner-win runner (windows-latest / windows-2025).

What's here

  • windows/installer/build.ps1 — full M2 implementation: mount/extract base ISO → offline-service install.wim (inject GPD drivers if staged, debloat appx, bake SetupComplete.cmd + the §A–H hardening modules into \Windows\Setup\Scripts) → inject autounattend.xml → oscdimg UEFI repack → SHA-256 + SBOM. Elevation + oscdimg presence guarded.
  • .gitea/workflows/build-iso-windows.yaml — mirrors build-iso-linux.yaml: ensures ADK Deployment Tools, acquires the base ISO (repo var SILVERMETAL_BASE_ISO_URL or pre-staged C:\silvermetal\base.iso), builds, validates, uploads SBOM/SHA (+ISO on dispatch/tag), attaches to a release on win-v* tags.
  • windows/tests/Assert-IsoStructure.ps1 — the no-nested-virt CI gate: mounts the built ISO + install.wim read-only and asserts autounattend.xml, SetupComplete.cmd, and the hardening modules are correctly baked. Full QEMU+OVMF+swtpm boot-and-Verify is a documented follow-on.
  • autounattend now uses Windows' native SetupComplete.cmd auto-run (SYSTEM, end of setup) instead of a duplicate FirstLogonCommands call.
  • .gitignore for build outputs.

Honest status

  • Base ISO for the test loop = Windows 11 IoT Enterprise LTSC eval (no license needed to validate the pipeline). The licensed key/media is only for the shippable build.
  • Untested until first runner execution — the dev box is ARM64, so this couldn't be run locally. All PowerShell parses clean; autounattend XML + workflow YAML validate.
  • Reproducibility is single-build here (pinned inputs + SBOM + SHA), not the Linux double-build bit-identical gate — Windows servicing isn't deterministic (iso-builder.md §5).

To actually run it

The runner needs the eval ISO reachable — either set repo variable SILVERMETAL_BASE_ISO_URL or stage it at C:\silvermetal\base.iso on the runner. Then workflow_dispatch.

🤖 Generated with Claude Code

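The offline CI gate described in the PR text (mount the built ISO and its install.wim read-only, assert that autounattend.xml, SetupComplete.cmd and the hardening modules were baked), as an added PowerShell example. This is not the repo's Assert-IsoStructure.ps1 or build.ps1; the hardening module file names, the image index, and the temp mount directory are assumptions, and the last check (that SetupComplete.cmd actually references each module rather than merely sitting beside them) goes one step beyond presence testing.

```powershell
#Requires -RunAsAdministrator
# Added example, not the repo's Assert-IsoStructure.ps1. Mounts the built ISO and
# install.wim read-only and asserts the baked payload; module names below are assumptions.
param(
    [Parameter(Mandatory)][string]$IsoPath,
    [int]$ImageIndex = 1,
    # Assumed names for the §A–H hardening modules; replace with the repo's actual list.
    [string[]]$HardeningModules = @('A-Baseline.ps1', 'B-Firewall.ps1')
)
$ErrorActionPreference = 'Stop'
$mountDir = Join-Path $env:TEMP ("wim-" + [guid]::NewGuid())
$failures = [System.Collections.Generic.List[string]]::new()
$disk     = $null

try {
    # ISO read-only: nothing in this gate may modify the artifact it is validating.
    $disk  = Mount-DiskImage -ImagePath $IsoPath -StorageType ISO -Access ReadOnly -PassThru
    $drive = ($disk | Get-Volume).DriveLetter + ':'

    # Windows Setup reads autounattend.xml from the media root.
    if (-not (Test-Path "$drive\autounattend.xml")) { $failures.Add('autounattend.xml missing from ISO root') }

    $wim = "$drive\sources\install.wim"
    if (-not (Test-Path $wim)) { throw "install.wim missing at $wim" }

    New-Item -ItemType Directory -Path $mountDir | Out-Null
    Mount-WindowsImage -ImagePath $wim -Index $ImageIndex -Path $mountDir -ReadOnly | Out-Null

    # SetupComplete.cmd is auto-run as SYSTEM at the end of setup from this directory.
    $scripts = Join-Path $mountDir 'Windows\Setup\Scripts'
    foreach ($f in @('SetupComplete.cmd') + $HardeningModules) {
        if (-not (Test-Path (Join-Path $scripts $f))) { $failures.Add("$f missing from \Windows\Setup\Scripts") }
    }

    # Presence is not enough: SetupComplete.cmd must actually call each module.
    $sc = Join-Path $scripts 'SetupComplete.cmd'
    if (Test-Path $sc) {
        $body = Get-Content -LiteralPath $sc -Raw
        foreach ($m in $HardeningModules) {
            if ($body -notmatch [regex]::Escape($m)) { $failures.Add("SetupComplete.cmd does not reference $m") }
        }
    }
}
finally {
    # Always unmount, even on a thrown assertion: a stale mount on a long-lived
    # self-hosted runner blocks the next build.
    if (Test-Path $mountDir) {
        Dismount-WindowsImage -Path $mountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        Remove-Item -LiteralPath $mountDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    if ($disk) { Dismount-DiskImage -ImagePath $IsoPath | Out-Null }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error $_ -ErrorAction Continue }
    exit 1
}
Write-Host "ISO structure OK: $IsoPath"
```

Run it elevated on the Windows runner (Mount-WindowsImage needs the DISM module and administrator rights), e.g. `.\Assert-Structure.ps1 -IsoPath .\out\silvermetal.iso`. The exit code is what the workflow step should key on; the individual failure lines are there so a red run says which file was not baked rather than only that something was.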
SilverLABS added 1 commit 2026-06-08 17:11:15 +00:00
ci(windows): implement M2 ISO build + Gitea Windows-runner workflow
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 34s
1c886deca3
Implement build.ps1 (M2): mount/extract the base ISO, offline-service
install.wim (inject GPD drivers if staged, debloat appx, bake SetupComplete.cmd
+ hardening modules into \Windows\Setup\Scripts), inject autounattend.xml,
oscdimg UEFI repack, emit SHA-256 + SBOM. Elevation + oscdimg guarded.

Add .gitea/workflows/build-iso-windows.yaml: runs on the self-hosted
silverlabs-runner-win (windows-latest), ensures ADK Deployment Tools, acquires
the base ISO from repo var SILVERMETAL_BASE_ISO_URL or a pre-staged path, builds,
validates the baked payload offline, uploads SBOM/SHA (+ISO on dispatch/tag),
attaches to a Gitea release on win-v* tags. Mirrors build-iso-linux.yaml.

Add tests/Assert-IsoStructure.ps1: the no-nested-virt CI gate - mounts the built
ISO + install.wim read-only and asserts autounattend.xml, SetupComplete.cmd, and
the hardening modules are correctly baked. Full QEMU boot+Verify is a follow-on.

Switch autounattend to Windows' native SetupComplete.cmd auto-run (SYSTEM, end
of setup) instead of a duplicate FirstLogonCommands call.

Untested until first runner execution (dev box is ARM64). All PS parse-clean;
autounattend XML + workflow YAML valid.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS added 1 commit 2026-06-08 18:19:33 +00:00
ci(windows): make base-ISO acquire step path-aware (UNC/local + optional SMB creds)
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4s
5e42da619e
SILVERMETAL_BASE_ISO_URL now accepts an HTTP(S) URL or a UNC/local path. For a
UNC share that the SYSTEM-context runner can't read anonymously, optional repo
secrets SILVERMETAL_ISO_SHARE_USER/_PASS map the share root via net use first.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS added 1 commit 2026-06-08 18:33:30 +00:00
ci: add throwaway runner-probe workflow to discover runner topology
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4s
cc01675056
Temporary diagnostic to see the silverlabs-runner-win host identity, drives,
share mounts/stored creds, and ISO reachability before wiring the base-ISO
source. Removed once the source is settled.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS added 1 commit 2026-06-08 18:47:50 +00:00
ci: runner-prep workflow (extend C: only); drop in-CI ISO staging
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4s
78d4d84f88
Master creds must not live in this public repo's Actions, so ISO staging is
handled out-of-band. runner-prep now only extends C: into the resized virtual
disk. Quoted the step name (trailing-colon YAML fix).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS added 1 commit 2026-06-08 19:54:27 +00:00
ci: probe credential-less net use as SYSTEM (stored cmdkey)
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4s
ee34b8e373
SilverLABS added 1 commit 2026-06-08 19:58:00 +00:00
ci(windows): pin base-ISO SHA + verify; ISO staged locally on runner
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 1m55s
3effd5e338
Base eval ISO staged at C:\silvermetal\base.iso on GITEA-RUN-WIN (SHA256
2CEE70BD...CB29 pinned in inputs.manifest.json). Repo var now points at that
local path, so the build reads locally - no NAS share auth / no CI creds.
Dropped -SkipInputVerify so the build verifies the pinned hash.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
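Input verification for the pinned base ISO (this commit) combined with the URL-or-path source handling from the earlier acquire-step commit, as an added PowerShell example that is not the repo's build.ps1. The inputs.manifest.json shape (baseIso.sha256), the parameter names and the staging path default are assumptions; the digest in the commit message is elided and is deliberately not reproduced here.

```powershell
# Added example, not the repo's build.ps1. Acquire the base ISO from an HTTP(S) URL
# or a local/UNC path, then verify it against the SHA-256 pinned in the manifest
# before any servicing touches it. Assumed manifest schema:
#   { "baseIso": { "sha256": "<64 hex chars>" } }
param(
    [Parameter(Mandatory)][string]$Source,            # repo var SILVERMETAL_BASE_ISO_URL: URL or path
    [string]$ManifestPath = 'inputs.manifest.json',
    [string]$StagePath    = 'C:\silvermetal\base.iso'  # where a downloaded ISO lands
)
$ErrorActionPreference = 'Stop'

function Get-PinnedSha256([string]$Path) {
    $pin = [string](Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json).baseIso.sha256
    # Fail closed: an empty or truncated pin (e.g. one abbreviated in a commit
    # message) must never verify as a match.
    if ($pin -notmatch '^[0-9A-Fa-f]{64}$') { throw "$Path`: baseIso.sha256 is not a full SHA-256 hex digest" }
    return $pin.ToUpperInvariant()
}

function Resolve-BaseIso([string]$Source, [string]$StagePath) {
    if ($Source -match '^https?://') {
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $StagePath) | Out-Null
        Invoke-WebRequest -Uri $Source -OutFile $StagePath -UseBasicParsing
        return $StagePath
    }
    # UNC (\\nas\share\base.iso) or local path: read in place, nothing is copied.
    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) { throw "Base ISO not found: $Source" }
    return $Source
}

$pinned = Get-PinnedSha256 $ManifestPath
$iso    = Resolve-BaseIso $Source $StagePath
$actual = (Get-FileHash -LiteralPath $iso -Algorithm SHA256).Hash.ToUpperInvariant()

if ($actual -ne $pinned) {
    # Remove a downloaded file that failed verification so no later step can pick it up.
    if ($Source -match '^https?://' -and (Test-Path -LiteralPath $iso)) { Remove-Item -LiteralPath $iso -Force }
    throw "Base ISO SHA-256 mismatch`n  pinned: $pinned`n  actual: $actual"
}
Write-Host "Base ISO verified: $iso"
```

The regex on the pin is the part worth keeping: a `-SkipInputVerify`-style escape hatch is easy to spot in a diff, but a manifest whose hash field is blank or abbreviated would otherwise "verify" against nothing, which is the quieter way to lose the pin.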
SilverLABS added 1 commit 2026-06-08 20:08:27 +00:00
fix(windows/build): drop oscdimg -bootdata inner quotes (PS arg mangling)
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Successful in 3m24s
5dbbaaf22c
Stages 1-5 pass; oscdimg failed with Error 123 because PowerShell doubled the
embedded quotes in -bootdata. Work paths have no spaces, so omit the inner
quotes around etfsboot.com/efisys.bin entirely.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
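The quoting fix from this commit, as an added PowerShell example that is not the repo's build.ps1: build -bootdata without inner quotes and refuse any path containing whitespace, since once the quotes are gone a space would be split by oscdimg's argument parser (Win32 error 123 is ERROR_INVALID_NAME). The oscdimg location, the dual BIOS+UEFI boot-entry layout, the boot file locations inside the extracted tree and the volume label are assumptions.

```powershell
# Added example, not the repo's build.ps1. Repack an extracted, serviced ISO tree
# with oscdimg using an unquoted -bootdata. Paths below are assumptions.
param(
    [Parameter(Mandatory)][string]$Oscdimg,    # e.g. ...\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\oscdimg.exe
    [Parameter(Mandatory)][string]$SourceDir,  # extracted + serviced ISO tree
    [Parameter(Mandatory)][string]$OutIso,
    [string]$Label = 'SILVERMETAL'
)
$ErrorActionPreference = 'Stop'

$etfsboot = Join-Path $SourceDir 'boot\etfsboot.com'
$efisys   = Join-Path $SourceDir 'efi\microsoft\boot\efisys.bin'

foreach ($p in @($etfsboot, $efisys)) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "boot file missing: $p" }
}
# The inner quotes around etfsboot.com/efisys.bin are omitted on purpose, so a
# space anywhere in these paths would be split into a second argument by oscdimg.
# Fail here with a clear message instead of letting oscdimg return Error 123.
foreach ($p in @($etfsboot, $efisys, $SourceDir, $OutIso)) {
    if ($p -match '\s') { throw "path contains whitespace; relocate the work tree: $p" }
}

# Two boot entries: BIOS (El Torito, etfsboot.com) and UEFI (efisys.bin). UDF 1.02,
# no 700 MB size cap (-m), duplicate files stored once (-o).
$bootdata = "-bootdata:2#p0,e,b$etfsboot#pEF,e,b$efisys"
$oscdArgs = @('-m', '-o', '-u2', '-udfver102', "-l$Label", $bootdata, $SourceDir, $OutIso)

Write-Host "oscdimg $($oscdArgs -join ' ')"
& $Oscdimg @oscdArgs
if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }
```

Passing the arguments as an array and splatting them (`& $Oscdimg @oscdArgs`) keeps each element a single argv entry, which is what makes dropping the inner quotes safe; the whitespace guard is the caveat that makes the shortcut explicit rather than a latent assumption about where the runner unpacks the tree.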
SilverLABS added 1 commit 2026-06-08 20:13:00 +00:00
ci: remove throwaway runner-probe/runner-prep diagnostics
Some checks failed
Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 1m51s
6d23a892b9
Their job is done (runner topology mapped, C: extended, ISO staged). The build
+ offline-validation pipeline is green on the runner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS merged commit a6afc604c5 into main 2026-06-08 20:13:11 +00:00
SilverLABS deleted branch ci/build-iso-windows 2026-06-08 20:13:11 +00:00
Reference: SilverLABS/SilverMetal#3