fix(B-0823): ISO audit accepts nixpkgs-25.11 kernel/initrd variant paths + diagnostic dump on failure #5235
Merged
AceHack merged 1 commit intoMay 26, 2026
…ths via any-of family + diagnostic dump on failure

The build-iso job on commit 75eff94 (post-#5226 merge) failed the Audit installer ISO content (cascade #4) step with 2 missing-path assertions on boot/bzImage + boot/initrd. Same class as B-0818 (isoName) — nixpkgs 25.11's image/images refactor changed where kernel + initrd land in the ISO.

Two-layer fix:

1. THIS PR (fix-fwd) — convert kernel + initrd checks to REQUIRED_KERNEL_ANY + REQUIRED_INITRD_ANY any-of-family pattern mirroring REQUIRED_BOOTLOADER_ANY that survived the 24.11→25.11 channel bump cleanly. Candidate paths cover legacy (boot/bzImage) + per-arch (boot/x86_64-linux/bzImage) + generic-named (boot/kernel) + vmlinuz conventions.
2. Defense-in-depth — added dumpIsoEntriesForDiagnostic() helper that prints first 80 sorted ISO entries on audit failure. Same fix-pattern as the dep-pin-search-first-authority rule: future regressions self-debug rather than requiring log-archaeology.
3. B-0823 (substrate-layer follow-up) — investigate which 25.11 path actually drives kernel + initrd locations; optionally tighten the any-of families OR keep lenient as defense-in-depth (per B-0818 precedent).

Composes with: B-0800 (nixpkgs 25.11 EOL recovery), B-0818 (sibling isoName regression), B-0816 (cross-distro portability).

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
Updates the installer ISO content audit to tolerate nixpkgs 25.11 kernel/initrd path layout changes and adds diagnostic output to make future audit failures easier to debug. Adds a new backlog row tracking the follow-up investigation and indexes it in docs/BACKLOG.md.
Changes:
- Replace strict `boot/bzImage` + `boot/initrd` requirements with kernel/initrd “any-of” path families.
- Add an ISO entry diagnostic dump on audit failure (first 80 sorted entries).
- Add backlog row B-0823 and index it in `docs/BACKLOG.md`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/ci/audit-installer-iso-content.ts | Switch kernel/initrd checks to any-of families and emit a diagnostic ISO entry listing on failure. |
| docs/backlog/P2/B-0823-investigate-nixpkgs-25-11-iso-kernel-initrd-path-layout-tighten-audit-after-discovery-aaron-2026-05-26.md | New P2 backlog row documenting the regression, fix-fwd, and follow-up investigation plan. |
| docs/BACKLOG.md | Adds B-0823 to the P2 index. |
Comment on lines +340 to +342
| const proc = spawnSync("7z", ["l", "-slt", isoPath], { encoding: "utf8" }); | ||
| if (proc.status !== 0) { | ||
| return ` (could not dump entries: 7z l failed with status ${proc.status})`; |
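Review bot: the options object on the `spawnSync("7z", ...)` line sets only `encoding`, so no `maxBuffer` is given, and the failure branch reads `proc.status` but never `proc.error`. When 7z cannot be launched, or the `-slt` listing of a large ISO overflows the default buffer, `status` is null and the returned text becomes "failed with status null" with the real cause dropped. Set an explicit `maxBuffer` and include `proc.error?.message` in the returned string; if this file already has a helper that lists the ISO, call that instead so there is one 7z invocation to harden.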
Comment on lines +394 to +398
| // Diagnostic dump (B-0823) — show what's actually in the ISO so the | ||
| // candidate any-of paths can be extended next time nixpkgs shifts. | ||
| process.stderr.write(`ISO entries (first 80 sorted) for diagnostic:\n`); | ||
| process.stderr.write(dumpIsoEntriesForDiagnostic(parsed.isoPath)); | ||
| process.stderr.write("\n\n"); |
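Review bot: the header string hard-codes "first 80" while the call on the next line passes only `parsed.isoPath`, so the number printed and the number of entries actually dumped are defined in two places and can drift apart. Hoist the limit into one named constant that both the header text and `dumpIsoEntriesForDiagnostic` use.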
|
|
||
| ## Probable root cause | ||
|
|
||
| Same class as [B-0818](B-0818-investigate-isoname-mkforce-not-sticking-on-nixpkgs-25-11-aaron-2026-05-26.md): nixpkgs 25.11's image/images refactor changed where kernel + initrd land in the ISO. Per the [iso-image module source](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/iso-image.nix) the path includes `cfg.boot.kernelPackages.kernel` + `cfg.system.boot.loader.kernelFile` — historically resolved to `boot/bzImage` at top-level but may now include per-arch / store-hash variations. |
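Review bot: the iso-image module link in this paragraph targets `master`, which will keep moving away from the 25.11 layout this row investigates. Pin it to the release branch or a commit permalink so the `kernelFile` logic cited here is the code a later reader actually sees.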
AceHack added a commit that referenced this pull request May 26, 2026

…5251)

* fix(postmerge-5235): 3 Copilot findings + workflow path-trigger fix

1. tools/ci/audit-installer-iso-content.ts — dumpIsoEntriesForDiagnostic() now reuses lsIso() instead of open-coding a duplicate spawnSync that was missing sonarjs/no-os-command-from-path suppression + maxBuffer + r.error handling. Single source of truth for the 7z invocation; safe on large ISOs; CI lint clean.
2. tools/ci/audit-installer-iso-content.ts — DIAG_DUMP_LIMIT constant used in both the header text + the function call so they never drift apart. Earlier draft hard-coded "first 80" in the header while the function param could be different.
3. docs/backlog/P2/B-0823-*.md — nixpkgs link pinned to nixos-25.11 branch instead of master (master drifts; nixos-25.11 matches the channel the row investigates).
4. .github/workflows/build-ai-cluster-iso.yml — added tools/ci/audit-installer-iso-content.ts to BOTH pull_request.paths AND push.paths. This workflow was the reason the original #5235 fix-fwd didn't actually trigger an ISO rebuild on merge — only audit-installer-substrate.ts (source-substrate audit) was in the path filter; audit-installer-iso-content.ts (post-build content audit) wasn't. Now it is. This PR's commit will trigger the workflow + the diagnostic dump on failure will surface the actual 25.11 kernel/initrd paths.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(postmerge-5235): 2 Copilot threads — path normalization in diagnostic dump + clarify 7z PATH-resolution comment (#5251)

1. Line ~350: normalize leading slashes in diagnostic dump via the same .replace(/^\/+/, "") that auditIsoContent uses (line ~274). Otherwise failure messages report "boot/..." while dump shows "/boot/..." on 7z versions that emit leading slashes — cross-reference broken for operators.
2. Line ~343: comment said "non-PATH-pinned 7z" which contradicted lsIso's deliberate PATH-resolved + sonarjs-suppression approach. Rephrased to explicitly state PATH-resolved.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
Summary
Cascade #4 ISO audit failed on commit 75eff94 (post-#5226 merge) with 2 missing-path assertions on `boot/bzImage` + `boot/initrd`. Same class as B-0818 — nixpkgs 25.11's image/images refactor changed kernel + initrd locations in the ISO.
Two-layer fix
This PR (fix-fwd, immediate unblock):
B-0823 (substrate-layer follow-up):
Test plan
🤖 Generated with Claude Code
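
The any-of family check and the slash-normalized diagnostic dump that this PR and its follow-up commit describe, as an added TypeScript example that is not the project's `audit-installer-iso-content.ts`. The family names and `DIAG_DUMP_LIMIT` come from the page; `auditEntries`, `normalizeEntry`, the `vmlinuz` and per-arch `initrd` candidates, and the sample listings are assumptions.

```typescript
// Added example; not the project's tools/ci/audit-installer-iso-content.ts.
// Family names and DIAG_DUMP_LIMIT come from the PR text; entries marked
// "assumed" in the candidate lists are illustrative guesses.
const DIAG_DUMP_LIMIT = 80;

const FAMILIES: { name: string; anyOf: string[] }[] = [
  {
    name: "REQUIRED_KERNEL_ANY",
    anyOf: [
      "boot/bzImage",              // legacy
      "boot/x86_64-linux/bzImage", // per-arch
      "boot/kernel",               // generic name
      "boot/vmlinuz",              // assumed vmlinuz spelling
    ],
  },
  {
    name: "REQUIRED_INITRD_ANY",
    anyOf: ["boot/initrd", "boot/x86_64-linux/initrd"], // second is assumed
  },
];

// 7z may print "/boot/..." or "boot/..." depending on version; strip leading
// slashes so failure messages and the dump can be cross-referenced.
function normalizeEntry(path: string): string {
  return path.replace(/^\/+/, "");
}

interface AuditResult {
  ok: boolean;
  missingFamilies: string[];
  dump: string[]; // first DIAG_DUMP_LIMIT sorted entries, only on failure
}

function auditEntries(rawEntries: string[]): AuditResult {
  const entries = new Set(rawEntries.map(normalizeEntry));
  // A family is missing only when none of its candidate paths is present.
  const missingFamilies = FAMILIES
    .filter((f) => !f.anyOf.some((p) => entries.has(p)))
    .map((f) => f.name);
  const ok = missingFamilies.length === 0;
  const dump = ok ? [] : Array.from(entries).sort().slice(0, DIAG_DUMP_LIMIT);
  return { ok, missingFamilies, dump };
}

// Constructed listings, not taken from a real ISO.
const SAMPLE_PER_ARCH = ["/boot/x86_64-linux/bzImage", "/boot/x86_64-linux/initrd"];
const SAMPLE_MOVED = ["/boot/grub/grub.cfg", "/nix-store.squashfs", "/boot/linux/Image"];
```

`auditEntries(SAMPLE_MOVED)` reports both families missing and returns the sorted, normalized entries an operator would use to extend the candidate lists.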