build: refuse to bake mother SSH key into release images #113

Merged
clawdie merged 1 commit from build/mother-ssh-key into main 2026-06-22 09:49:18 +02:00

1 commit

Author SHA1 Message Date
b489d147d4 build: refuse to bake mother SSH key into release images
The trigger copies osa-mother-2026 from the build host into any ISO
as long as the key file exists (which it does permanently on OSA).
A BUILD_CHANNEL=release build would embed the private key into a
publicly hosted image = mother compromise.

Add a fail-closed guard: release builds exit with an error before
copying the key. Dev builds (including personalized sticks) are
unaffected.
2026-06-22 09:42:00 +02:00
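A sketch of the fail-closed guard the commit message describes, as an added example rather than the project's own build code. It goes beyond the commit by allowlisting channels (unset or unknown values are refused, not only `release`) and by scanning the staged tree for private key headers before packing. The function names, the `dev` channel value and the `root/.ssh` staging layout are assumptions.

```shell
#!/bin/sh
# Added illustration. Function names, the "dev" channel value and the
# staging layout are assumptions, not taken from the project.

# Return 0 only for an explicitly allowed channel. Unset, empty, "release"
# and any unrecognized value are refused, so a typo cannot enable the copy.
key_staging_allowed() {
    case "${1:-}" in
        dev) return 0 ;;
        *)   return 1 ;;
    esac
}

# Copy the key into the staging tree only when the guard passes.
# Nothing is created under the staging directory on refusal.
stage_key() {
    channel=$1
    key_src=$2
    stage_dir=$3
    if ! key_staging_allowed "$channel"; then
        echo "refusing to stage $key_src for BUILD_CHANNEL='$channel'" >&2
        return 1
    fi
    mkdir -p "$stage_dir/root/.ssh" &&
        cp "$key_src" "$stage_dir/root/.ssh/" &&
        chmod 600 "$stage_dir/root/.ssh/$(basename "$key_src")"
}

# Second check before packing: return 0 only when grep ran cleanly and found
# no private key header. A match (0) or a grep error (2) both count as unsafe.
tree_is_free_of_private_keys() {
    rc=0
    grep -rlE -e '-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----' "$1" \
        >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}
```

Running the scan on the final image tree in release builds catches a key that reached the image by some path other than the guarded copy.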