Main goal is to reduce signing logic duplication between the systemd-boot
and UKI generation.

However, this quickly snowballed into wanting to actually verify
by providing custom secure boot keys to bcvk that things worked.
This depends on https://github.com/bootc-dev/bcvk/pull/170

Now as part of that, I ran into what I think are bugs in pesign;
this cuts things back over to using sbsign. I'll file a tracker for that
separately.

Finally as part of this, just remove the TMT example that builds
a sealed image but doesn't actually verify it works - it's already
drifted from what we do outside here. Ultimately what we need
is to shift some of this into the Fedora examples and we just
fetch it here anyways.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Motivation is faster provisioning and easier to debug
when something goes wrong.

Also clean up the codeql cache.

Signed-off-by: Colin Walters <walters@verbum.org>

- Use bash strict mode more consistently
- Drop the error redirections which can mask problems as
  recommended by AI

Signed-off-by: Colin Walters <walters@verbum.org>

Make builds unprivileged by default and start using bcvk in
our own CI, the same way we expect people to do so locally
now.

Signed-off-by: Colin Walters <walters@verbum.org>

Move libvirt installation into a parameterized input in the
bootc-ubuntu-setup action, allowing workflows to opt-in via
`libvirt: true`. This consolidates installation logic and makes
workflows cleaner by removing duplicate package installation steps.

Assisted-by: Claude Code
Signed-off-by: Colin Walters <walters@verbum.org>

- Having separate workflows made sharing build artifacts not
  really possible, and it just makes sense to consolidate
- Refactor shared parts into a little internal action

Signed-off-by: Colin Walters <walters@verbum.org>