Epic 1: Appliance-grade installation artifacts in release pipeline

Add ISO, QCOW2, and OVA build jobs to the release workflow:

- build-iso: Uses ublue-os/isogenerator on standard ubuntu runner to
  produce signed bootable ISO. Required artifact — release fails if
  this job fails.
- build-vm-images: Uses existing build-qcow2.sh + build-ova.sh on
  self-hosted KVM runner. Gated behind vars.HAS_KVM_RUNNER. Optional —
  release succeeds without this when the variable is unset.

Supporting changes:
- build-qcow2.sh: add --ci and --image-ref flags for CI automation
- Release manifest: install_artifacts section with per-artifact hash,
  size, and signature file (conditionally populated)
- verify-release.sh: Step 5 verifies cosign blob signatures on
  ISO/QCOW2/OVA if present, skips gracefully if absent
- sample-release-bundle.md: document new artifact types, note QCOW2/OVA
  may be absent, reference release-artifacts.json as source of truth
- Release files glob: include secai-os-*.{iso,qcow2,ova} + .sig files

Tests: 25 new tests in test_release_artifacts.py covering workflow
structure, artifact consistency, docs coverage, and script flags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

.github/workflows/release.yml

@@ -148,10 +148,97 @@ jobs:
           name: python-sboms
           path: dist/
 
+  build-iso:
+    name: Build ISO (isogenerator)
+    needs: [preflight]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build ISO
+        uses: ublue-os/isogenerator@main
+        id: isogen
+        with:
+          ARCH: x86_64
+          IMAGE_REPO: ghcr.io/secai-hub
+          IMAGE_NAME: secai_os
+          IMAGE_TAG: ${{ github.ref_name }}
+          VERSION: 42
+          VARIANT: Silverblue
+
+      - name: Install cosign
+        run: |
+          COSIGN_VERSION="v2.4.3"
+          curl -sSfL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" \
+            -o /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
+
+      - name: Rename and sign ISO
+        run: |
+          ISO_SRC="${{ steps.isogen.outputs.iso-path }}"
+          ISO_DST="dist/secai-os-${{ github.ref_name }}-x86_64.iso"
+          mkdir -p dist
+          mv "$ISO_SRC" "$ISO_DST"
+          cosign sign-blob --yes \
+            --key env://COSIGN_PRIVATE_KEY \
+            --output-signature "${ISO_DST}.sig" \
+            "$ISO_DST"
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Upload ISO artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: iso-amd64
+          path: dist/secai-os-*.iso*
+
+  build-vm-images:
+    name: Build VM Images (QCOW2 + OVA)
+    needs: [preflight]
+    if: vars.HAS_KVM_RUNNER == 'true'
+    runs-on: [self-hosted, linux, x64, kvm]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build QCOW2
+        run: |
+          bash scripts/vm/build-qcow2.sh --ci \
+            --image-ref "ghcr.io/secai-hub/secai_os:${{ github.ref_name }}"
+
+      - name: Build OVA from QCOW2
+        run: bash scripts/vm/build-ova.sh
+
+      - name: Install cosign
+        run: |
+          COSIGN_VERSION="v2.4.3"
+          curl -sSfL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" \
+            -o /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
+
+      - name: Sign VM artifacts
+        run: |
+          mkdir -p dist
+          cp output/secai-os.qcow2 "dist/secai-os-${{ github.ref_name }}.qcow2"
+          cp output/secai-os.ova "dist/secai-os-${{ github.ref_name }}.ova"
+          for f in dist/secai-os-${{ github.ref_name }}.qcow2 dist/secai-os-${{ github.ref_name }}.ova; do
+            cosign sign-blob --yes \
+              --key env://COSIGN_PRIVATE_KEY \
+              --output-signature "${f}.sig" \
+              "$f"
+          done
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Upload VM artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: vm-images
+          path: dist/secai-os-*
+
   provenance:
     name: SLSA Provenance & Attestation
     runs-on: ubuntu-latest
-    needs: [build-go, build-python]
+    needs: [build-go, build-python, build-iso]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -261,6 +348,24 @@ jobs:
               }
             }' > RELEASE_MANIFEST.json
 
+          # Add install artifacts (conditionally present)
+          INSTALL_JSON="{}"
+          for artifact in secai-os-*.iso secai-os-*.qcow2 secai-os-*.ova; do
+            [ -f "$artifact" ] || continue
+            HASH=$(sha256sum "$artifact" | awk '{print $1}')
+            SIZE=$(stat -c%s "$artifact" 2>/dev/null || stat -f%z "$artifact" 2>/dev/null || echo 0)
+            TYPE="${artifact##*.}"
+            INSTALL_JSON=$(echo "$INSTALL_JSON" | jq \
+              --arg type "$TYPE" --arg name "$artifact" \
+              --arg sha256 "$HASH" --arg size "$SIZE" \
+              --arg sig "${artifact}.sig" \
+              '. + {($type): {"name": $name, "sha256": $sha256, "size_bytes": ($size | tonumber), "signature": $sig}}')
+          done
+          # Merge install_artifacts into manifest
+          jq --argjson install "$INSTALL_JSON" \
+            '. + {install_artifacts: $install}' RELEASE_MANIFEST.json > RELEASE_MANIFEST.json.tmp
+          mv RELEASE_MANIFEST.json.tmp RELEASE_MANIFEST.json
+
           echo "--- RELEASE_MANIFEST.json ---"
           cat RELEASE_MANIFEST.json
 
@@ -309,5 +414,11 @@ jobs:
             dist/IMAGE_DIGEST
             dist/IMAGE_REF_PINNED
             dist/RELEASE_MANIFEST.json
+            dist/secai-os-*.iso
+            dist/secai-os-*.iso.sig
+            dist/secai-os-*.qcow2
+            dist/secai-os-*.qcow2.sig
+            dist/secai-os-*.ova
+            dist/secai-os-*.ova.sig
           generate_release_notes: true
           fail_on_unmatched_files: false

docs/sample-release-bundle.md

@@ -50,11 +50,23 @@ v1.0.0/
   # Release manifest (machine-readable)
   RELEASE_MANIFEST.json # structured JSON: image, binaries, SBOMs, provenance, build metadata
 
+  # Install artifacts (bootable images)
+  secai-os-v1.0.0-x86_64.iso        # Bootable ISO (from isogenerator)
+  secai-os-v1.0.0-x86_64.iso.sig    # cosign detached signature
+  secai-os-v1.0.0.qcow2             # QCOW2 disk image (optional — requires KVM build infra)
+  secai-os-v1.0.0.qcow2.sig         # cosign detached signature
+  secai-os-v1.0.0.ova               # OVA appliance (optional — requires KVM build infra)
+  secai-os-v1.0.0.ova.sig           # cosign detached signature
+
   # Checksums and signature
   SHA256SUMS            # sha256sum of every artifact above (includes RELEASE_MANIFEST.json)
   SHA256SUMS.sig        # cosign detached signature over SHA256SUMS
 ```
 
+> **Note:** QCOW2 and OVA artifacts may be absent if the repository does not have
+> a self-hosted KVM runner. The ISO is always produced. See `docs/release-artifacts.json`
+> for the machine-readable artifact specification.
+
 ## Image Digest
 
 The container image is published to `ghcr.io/secai-hub/secai_os` and is identified by its SHA256 digest:

files/scripts/verify-release.sh

@@ -330,6 +330,43 @@ fi
 
 echo ""
 
+# ---------------------------------------------------------------------------
+# Step 5: Verify install artifact signatures (optional)
+# ---------------------------------------------------------------------------
+info "Step 5: Verifying install artifact signatures (if present)..."
+
+install_artifacts_found=0
+for pattern in "secai-os-*.iso" "secai-os-*.qcow2" "secai-os-*.ova"; do
+    for artifact in $pattern; do
+        [ -f "$artifact" ] || continue
+        install_artifacts_found=$((install_artifacts_found + 1))
+        sig_file="${artifact}.sig"
+        if [[ -f "$sig_file" ]]; then
+            if cosign verify-blob \
+                --key "${COSIGN_PUB_KEY}" \
+                --signature "$sig_file" \
+                "$artifact" \
+                >/dev/null 2>&1; then
+                pass "Install artifact signature OK: ${artifact}"
+                record_check 5 "install_sig_${artifact}" "PASS"
+            else
+                fail "Install artifact signature FAILED: ${artifact}"
+                record_check 5 "install_sig_${artifact}" "FAIL"
+            fi
+        else
+            warn "No .sig file for ${artifact} — cannot verify signature"
+            record_check 5 "install_sig_${artifact}" "SKIP" "no .sig file"
+        fi
+    done
+done
+
+if [[ $install_artifacts_found -eq 0 ]]; then
+    info "No install artifacts (ISO/QCOW2/OVA) found — skipping Step 5"
+    record_check 5 "install_artifacts" "SKIP" "no install artifacts present"
+fi
+
+echo ""
+
 # ---------------------------------------------------------------------------
 # Summary
 # ---------------------------------------------------------------------------

scripts/vm/build-qcow2.sh

@@ -14,13 +14,27 @@
 #
 set -euo pipefail
 
-OUTPUT_DIR="${1:-./output}"
+# Parse flags
+CI_MODE=false
+CUSTOM_IMAGE_REF=""
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --ci) CI_MODE=true; shift ;;
+        --image-ref) CUSTOM_IMAGE_REF="$2"; shift 2 ;;
+        --image-ref=*) CUSTOM_IMAGE_REF="${1#*=}"; shift ;;
+        *) POSITIONAL_ARGS+=("$1"); shift ;;
+    esac
+done
+
+OUTPUT_DIR="${POSITIONAL_ARGS[0]:-./output}"
 IMAGE_NAME="secai-os"
 DISK_SIZE="64G"
 VAULT_SIZE="32G"
 
-# SecAI OS container image
-CONTAINER_IMAGE="ghcr.io/secai-hub/secai_os:latest"
+# SecAI OS container image (override with --image-ref for CI)
+CONTAINER_IMAGE="${CUSTOM_IMAGE_REF:-ghcr.io/secai-hub/secai_os:latest}"
 
 # Generate random passwords for VM build (never hardcoded)
 SECAI_VM_PASSWORD="${SECAI_VM_PASSWORD:-$(openssl rand -base64 18)}"

tests/test_release_artifacts.py

@@ -0,0 +1,157 @@
+"""Tests for Epic 1 — Release Artifact Consistency.
+
+Validates that the release workflow, sample-release-bundle docs, and
+release-artifacts.json are all consistent with each other.
+"""
+
+import json
+import re
+from pathlib import Path
+
+import yaml
+
+REPO_ROOT = Path(__file__).parent.parent
+RELEASE_YML = REPO_ROOT / ".github" / "workflows" / "release.yml"
+ARTIFACTS_JSON = REPO_ROOT / "docs" / "release-artifacts.json"
+SAMPLE_BUNDLE = REPO_ROOT / "docs" / "sample-release-bundle.md"
+VERIFY_RELEASE = REPO_ROOT / "files" / "scripts" / "verify-release.sh"
+
+
+def _load_artifacts_json():
+    return json.loads(ARTIFACTS_JSON.read_text(encoding="utf-8"))
+
+
+def _read_release_yml():
+    return RELEASE_YML.read_text(encoding="utf-8")
+
+
+class TestReleaseArtifactsJson:
+    def test_file_exists(self):
+        assert ARTIFACTS_JSON.exists()
+
+    def test_valid_json(self):
+        data = _load_artifacts_json()
+        assert "schema_version" in data
+
+    def test_canonical_image_ref(self):
+        data = _load_artifacts_json()
+        assert data["canonical_image_ref"] == "ghcr.io/secai-hub/secai_os"
+
+    def test_go_services_match_release_matrix(self):
+        """Go services in artifacts.json must match release.yml matrix."""
+        data = _load_artifacts_json()
+        release_content = _read_release_yml()
+
+        # Extract matrix services from release.yml
+        match = re.search(r"service: \[([^\]]+)\]", release_content)
+        assert match, "Cannot find service matrix in release.yml"
+        release_services = sorted(s.strip() for s in match.group(1).split(","))
+        artifact_services = sorted(data["go_services"])
+
+        assert release_services == artifact_services, (
+            f"Mismatch: release.yml has {release_services}, "
+            f"artifacts.json has {artifact_services}"
+        )
+
+    def test_all_nine_go_services(self):
+        data = _load_artifacts_json()
+        assert len(data["go_services"]) == 9
+
+    def test_all_six_python_services(self):
+        data = _load_artifacts_json()
+        assert len(data["python_services"]) == 6
+
+    def test_both_architectures(self):
+        data = _load_artifacts_json()
+        assert "linux-amd64" in data["architectures"]
+        assert "linux-arm64" in data["architectures"]
+
+
+class TestReleaseWorkflowStructure:
+    def test_has_build_iso_job(self):
+        content = _read_release_yml()
+        assert "build-iso:" in content
+
+    def test_has_build_vm_images_job(self):
+        content = _read_release_yml()
+        assert "build-vm-images:" in content
+
+    def test_vm_images_gated_on_kvm_runner(self):
+        content = _read_release_yml()
+        assert "HAS_KVM_RUNNER" in content
+
+    def test_provenance_needs_build_iso(self):
+        content = _read_release_yml()
+        # Provenance job should depend on build-iso
+        assert "build-iso" in content
+
+    def test_release_files_include_iso(self):
+        content = _read_release_yml()
+        assert "secai-os-*.iso" in content
+
+    def test_release_files_include_vm(self):
+        content = _read_release_yml()
+        assert "secai-os-*.qcow2" in content
+        assert "secai-os-*.ova" in content
+
+    def test_release_files_include_signatures(self):
+        content = _read_release_yml()
+        assert "*.iso.sig" in content
+
+    def test_manifest_includes_install_artifacts(self):
+        content = _read_release_yml()
+        assert "install_artifacts" in content
+
+
+class TestSampleReleaseBundle:
+    def test_mentions_iso(self):
+        content = SAMPLE_BUNDLE.read_text(encoding="utf-8")
+        assert ".iso" in content
+
+    def test_mentions_qcow2(self):
+        content = SAMPLE_BUNDLE.read_text(encoding="utf-8")
+        assert ".qcow2" in content
+
+    def test_mentions_ova(self):
+        content = SAMPLE_BUNDLE.read_text(encoding="utf-8")
+        assert ".ova" in content
+
+    def test_mentions_optional_vm_artifacts(self):
+        """Docs must note that QCOW2/OVA may be absent."""
+        content = SAMPLE_BUNDLE.read_text(encoding="utf-8")
+        assert "absent" in content.lower() or "optional" in content.lower()
+
+    def test_references_artifacts_json(self):
+        content = SAMPLE_BUNDLE.read_text(encoding="utf-8")
+        assert "release-artifacts.json" in content
+
+
+class TestVerifyReleaseScript:
+    def test_has_step5_install_artifacts(self):
+        content = VERIFY_RELEASE.read_text(encoding="utf-8")
+        assert "Step 5" in content
+        assert "install artifact" in content.lower()
+
+    def test_handles_missing_artifacts_gracefully(self):
+        content = VERIFY_RELEASE.read_text(encoding="utf-8")
+        # Must skip gracefully when no install artifacts present
+        assert "SKIP" in content or "skipping" in content.lower()
+
+    def test_verifies_cosign_blob(self):
+        content = VERIFY_RELEASE.read_text(encoding="utf-8")
+        # Step 5 should use cosign verify-blob for install artifacts
+        assert "cosign verify-blob" in content
+
+
+class TestBuildQcow2Script:
+    def test_supports_ci_flag(self):
+        content = (REPO_ROOT / "scripts" / "vm" / "build-qcow2.sh").read_text(
+            encoding="utf-8"
+        )
+        assert "--ci" in content
+
+    def test_supports_image_ref_flag(self):
+        content = (REPO_ROOT / "scripts" / "vm" / "build-qcow2.sh").read_text(
+            encoding="utf-8"
+        )
+        assert "--image-ref" in content