Address review feedback:
- Move Secure Boot download to its own conditional block that checks
for the secureboot-x86_64 directory, so existing installs pick up
Secure Boot binaries on the next container restart
- Resolve MENU_VERSION once at the top (from env, menuversion.txt,
or GitHub API) so it's available to both blocks
- Use curl -fsSL for autoexec.ipxe download to fail on HTTP errors
instead of silently saving HTML error pages
- Update README note to reflect that Secure Boot downloads run
independently of menu downloads

Add custom regex manager to monitor ipxe/ipxe GitHub releases against
the IPXE_SB_VERSION pin in init.sh (currently v2.0.0). Renovate will
open a PR when a new iPXE release is available.

Address review feedback:
- Wrap tar extraction in error check so cp loops are skipped on failure
- Add per-file existence checks with warnings if iPXE archive layout changes
- Use nullglob for secureboot-* glob to avoid iterating literal pattern
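
As an added example (not the project's own init.sh), the download, extraction and copy steps as the two review-feedback commits above describe them: curl -fsSL so an HTTP error never lands on disk as an HTML page, tar extraction checked before any cp loop runs, a warning per missing file, and nullglob on the secureboot-* glob. Function names, the expected file list and the warning wording are assumptions; the fetch step needs network access, the other two run offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's init.sh. Function names, expected file
# names and warning text are assumptions.
set -u
shopt -s nullglob 2>/dev/null || true  # unmatched globs expand to nothing
# curl -f turns HTTP 4xx/5xx into a non-zero exit, so an HTML error page is
# never written to the destination and later mistaken for a boot script.
fetch_file() {
  local url="$1" dest="$2"
  if ! curl -fsSL -o "$dest" "$url"; then
    echo "[warn] download failed: $url" >&2
    rm -f "$dest"
    return 1
  fi
}

# Extract an archive, then check each expected file. Exit status: 0 all files
# present, 1 extraction failed (caller must skip its cp loop), 2 some file is
# missing, which usually means the upstream archive layout changed.
extract_ipxe_archive() {
  local archive="$1" workdir="$2" f missing=0
  shift 2
  mkdir -p "$workdir"
  if ! tar -xzf "$archive" -C "$workdir" 2>/dev/null; then
    echo "[warn] could not extract $archive; skipping copy" >&2
    return 1
  fi
  for f in "$@"; do
    if [ ! -f "$workdir/$f" ]; then
      echo "[warn] $f missing from $archive (archive layout changed?)" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 2
}

# Copy every secureboot-* directory under $src into $dest and print the count.
# With nullglob an empty match yields zero iterations; the -d test also covers
# shells where the literal pattern would otherwise be iterated.
copy_secureboot_dirs() {
  local src="$1" dest="$2" d copied=0
  mkdir -p "$dest"
  for d in "$src"/secureboot-*/; do
    [ -d "$d" ] || continue
    cp -r "$d" "$dest/"
    copied=$((copied + 1))
  done
  echo "$copied"
}
```
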
Pull signed EFI binaries unmodified from the iPXE project release
(ipxeboot.tar.gz) and the autoexec.ipxe boot script from the
netboot.xyz release. This preserves provenance of the Microsoft-signed
and iPXE Secure Boot CA-signed binaries rather than redistributing
them through netboot.xyz.
The iPXE Secure Boot version defaults to v2.0.0 and can be overridden
via the IPXE_SB_VERSION environment variable.
Documents the upstream source and version for both the signed binaries
and the boot script in init.sh comments and README.

Download Secure Boot tarballs (secureboot-x86_64.tar.gz,
secureboot-arm64.tar.gz) from netboot.xyz releases during container
init. These contain Microsoft-signed iPXE shim binaries and a
templated autoexec.ipxe that chains into the netboot.xyz menu system.
Files are extracted into /config/menus/secureboot-{x86_64,arm64}/
and served via TFTP alongside existing boot files. Gracefully skips
download if the release doesn't include Secure Boot assets (e.g.
older pinned MENU_VERSION).
Also adds Secure Boot DHCP configuration examples and boot file
documentation to the README.

- Split single QEMU-based multi-platform build into parallel jobs on
native runners (ubuntu-latest for amd64, ubuntu-24.04-arm for arm64)
to fix Illegal instruction crash during npm install
- Add permissions block with contents:write to fix 403 error when
creating git tags via github-tag-action
- Move version check logic to setup job with outputs so build jobs
can be skipped when there is nothing to do
- Remove docker/metadata-action in favor of inline labels
- Compute BUILD_DATE in setup job and pass as output (not shell eval
in YAML)

* CI: Split into native per-arch build jobs to fix QEMU arm64 crash
The arm64 build was failing with 'Illegal instruction (core dumped)'
during npm install because QEMU user-mode emulation doesn't support
all arm64 instructions used by newer Node.js versions.
Split the single multi-platform build job into:
- setup: determines tags, webapp version (shared via outputs)
- build-amd64: builds on ubuntu-latest natively
- build-arm64: builds on ubuntu-24.04-arm natively (no QEMU)
- manifest: merges per-arch digests into multi-arch manifest
- comment: posts PR test instructions
Both architectures get independent Trivy scans. The amd64 and arm64
builds run in parallel so total build time should be similar or faster.
Also pins Trivy CLI to v0.69.3 to work around deleted release assets
from the Trivy supply chain attack (aquasecurity/trivy#10265).
* Address review feedback: fix BUILD_DATE, add permissions, add event fallback
- Compute BUILD_DATE in setup job and pass as output instead of using
$(date) in build-args YAML which is not evaluated at runtime
- Add explicit permissions block (contents:read, packages:write,
pull-requests:write) to limit GITHUB_TOKEN scope
- Add else fallback in tag strategy for unsupported event types
* Bump Alpine base image from 3.22.2 to 3.23.3 to clear Trivy CVEs
* Fix Trivy CVEs: upgrade systeminformation to 5.31.0 and zlib to >=1.3.2
- systeminformation 5.27.1->5.31.0: fixes CVE-2025-68154, CVE-2026-26280,
CVE-2026-26318 (command injection vulnerabilities)
- zlib 1.3.1-r2->1.3.2: fixes CVE-2026-22184 (buffer overflow in untgz)
The systeminformation fix overrides the version pinned by the webapp
upstream (5.27.10) until that repo is updated.
* Fix zlib upgrade: use apk --upgrade to ensure CVE-2026-22184 is resolved
The previous 'apk add zlib>=1.3.2' wasn't upgrading zlib because it
was already installed as a transitive dependency. Use --upgrade flag
to force apk to pull the latest available version (1.3.2-r0).
* Fix Trivy arm64 scan: set TRIVY_PLATFORM to match image architecture
Trivy defaults to linux/amd64 when resolving remote image digests.
On the arm64 build job, the pushed digest is a single-platform arm64
image, so Trivy fails with 'no child with platform linux/amd64'.
Setting TRIVY_PLATFORM=linux/arm64 resolves this.

Trivy releases v0.27.0-v0.69.1 were deleted as part of a supply chain
attack on 2026-03-01 (aquasecurity/trivy#10265). Pin the CLI version
explicitly so the action does not try to download missing assets.