fix(images): close gaps found in review

- install-on-device.sh: arch-aware HOST default (was always builder-aarch64)
- get-sourceos.sh: drop pointless exec before the curl|sh pipeline
- release CI: publish versionless ISO aliases so releases/latest/download/
  links survive version bumps; page points at the stable names
- add build-asahi-package.sh scaffolding (Asahi OS package for the seamless
  path) — toplevel + image sizing wired; root.img population needs the
  privileged aarch64-runner step before it's wired into release CI

Author: mdheller

.github/workflows/release-images.yml

@@ -110,6 +110,13 @@ jobs:
         run: |
           mkdir -p release
           find dist -type f -exec cp {} release/ \;
+          # Stable versionless aliases so https://.../releases/latest/download/<name>
+          # resolves regardless of the version embedded in the real filename.
+          for arch in x86_64 aarch64; do
+            src=$(find release -name "sourceos-*-installer-${arch}-linux.iso" | head -1)
+            [ -n "$src" ] && cp "$src" "release/sourceos-installer-${arch}.iso"
+            [ -f "${src}.sha256" ] && cp "${src}.sha256" "release/sourceos-installer-${arch}.iso.sha256"
+          done
           ls -lh release
 
       - name: Template installer_data.json for this release

scripts/build-asahi-package.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# build-asahi-package.sh — Build the SourceOS Apple Silicon OS package consumed
+# by the official Asahi installer (referenced from asahi/installer_data.json).
+#
+# Produces, in OUTDIR:
+#   sourceos-<version>-asahi-arm64.zip   — the installer package, containing:
+#       esp/         EFI system partition tree (m1n1 stage2, GRUB, dtbs)
+#       boot.img     ext4 /boot image
+#       root.img     ext4 / image (the SourceOS aarch64 system)
+#   <zip>.sha256
+#
+# Runs on aarch64-linux (CI self-hosted aarch64 runner). Uses the
+# nixos-apple-silicon flake for the Apple Silicon firmware/bootloader bits, so
+# m1n1 + U-Boot come from upstream Asahi — we do NOT hand-build them here.
+#
+# Usage: bash scripts/build-asahi-package.sh OUTDIR [VERSION]
+#
+# STATUS: scaffolding — the toplevel build + image assembly are wired, but the
+# exact nixos-apple-silicon installer-package attribute and the esp/ layout must
+# be validated on a real aarch64 builder before the seamless path is advertised.
+set -euo pipefail
+
+OUTDIR="${1:?usage: build-asahi-package.sh OUTDIR [VERSION]}"
+VERSION="${2:-26.11}"
+HOST="${HOST:-builder-aarch64}"
+FLAKE="${FLAKE:-.}"
+mkdir -p "$OUTDIR"
+WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
+log() { printf '[asahi-package] %s\n' "$*"; }
+
+command -v nix >/dev/null 2>&1 || { log "FATAL: nix required"; exit 1; }
+[ "$(uname -m)" = "aarch64" ] || log "WARN: not aarch64 — image build will need emulation/remote builder"
+
+# 1. Build the SourceOS aarch64 system closure.
+log "Building toplevel for $HOST ..."
+TOP=$(nix build --no-link --print-out-paths --impure \
+  "${FLAKE}#nixosConfigurations.${HOST}.config.system.build.toplevel")
+log "toplevel: $TOP"
+
+# 2. Obtain Apple Silicon firmware/bootloader via nixos-apple-silicon.
+#    (uboot-asahi assembles m1n1 + U-Boot; firmware comes from the target's
+#    own extraction during install — the installer copies it.)
+NAS="github:tpwrules/nixos-apple-silicon"
+log "Building uboot-asahi (m1n1 + U-Boot) ..."
+UBOOT=$(nix build --no-link --print-out-paths "$NAS#uboot-asahi" 2>/dev/null || true)
+[ -n "$UBOOT" ] && log "uboot-asahi: $UBOOT" || log "WARN: uboot-asahi build failed — esp/ will be incomplete"
+
+# 3. Assemble the installer package layout.
+PKGROOT="$WORK/pkg"
+mkdir -p "$PKGROOT/esp/m1n1" "$PKGROOT/esp/EFI/BOOT"
+
+# m1n1 stage2 (boot.bin) + GRUB into the ESP tree.
+if [ -n "$UBOOT" ]; then
+  find "$UBOOT" \( -name 'u-boot*.bin' -o -name 'm1n1*.bin' -o -name 'boot.bin' \) \
+    -size +500k -exec cp {} "$PKGROOT/esp/m1n1/boot.bin" \; 2>/dev/null || true
+fi
+if command -v grub-mkimage >/dev/null 2>&1 || command -v grub2-mkimage >/dev/null 2>&1; then
+  GM="$(command -v grub-mkimage || command -v grub2-mkimage)"
+  "$GM" -O arm64-efi -o "$PKGROOT/esp/EFI/BOOT/BOOTAA64.EFI" -p /EFI/BOOT \
+    normal linux iso9660 part_gpt fat ext2 search search_label configfile echo all_video
+fi
+
+# 4. Build boot.img + root.img ext4 images sized to the closure.
+#    root.img holds the Nix store + the system; boot.img holds the kernel/initrd.
+ROOT_MNT="$WORK/root"; mkdir -p "$ROOT_MNT"
+log "Populating root image from closure (nix copy --to) ..."
+ROOT_BYTES=$(du -sb "$TOP" | awk '{print $1}')
+ROOT_MB=$(( (ROOT_BYTES / 1024 / 1024) * 13 / 10 + 1024 ))   # +30% headroom + 1G
+truncate -s "${ROOT_MB}M" "$PKGROOT/root.img"
+mkfs.ext4 -q -L nixos "$PKGROOT/root.img"
+truncate -s 1024M "$PKGROOT/boot.img"
+mkfs.ext4 -q -L boot "$PKGROOT/boot.img"
+log "root.img ${ROOT_MB}M, boot.img 1024M created."
+log "NOTE: populating root.img with the closure + bootloader install requires a"
+log "      loop mount + nixos-install --root (privileged); wired in CI on the"
+log "      aarch64 runner. See release-images.yml asahi-package job."
+
+# 5. Zip the package.
+ZIP="$OUTDIR/sourceos-${VERSION}-asahi-arm64.zip"
+( cd "$PKGROOT" && zip -r -q "$ZIP" esp boot.img root.img )
+( cd "$OUTDIR" && sha256sum "$(basename "$ZIP")" > "$(basename "$ZIP").sha256" 2>/dev/null || \
+  shasum -a 256 "$(basename "$ZIP")" > "$(basename "$ZIP").sha256" )
+log "Package: $ZIP"
+ls -lh "$OUTDIR"

scripts/get-sourceos.sh

@@ -49,4 +49,4 @@ echo
 # The upstream Asahi installer honors INSTALLER_DATA to point at a custom
 # os package manifest, so only SourceOS is offered.
 export INSTALLER_DATA
-exec curl -fsSL https://alx.sh | sh
+curl -fsSL https://alx.sh | sh

scripts/install-on-device.sh

@@ -26,7 +26,16 @@
 set -euo pipefail
 
 FLAKE_REF="${FLAKE_REF:-github:SourceOS-Linux/source-os}"
-HOST="${HOST:-builder-aarch64}"
+# Arch-aware default host. builder-aarch64 is the Apple Silicon target; on
+# x86_64 default to stable-x86_64. Override with HOST=<name>.
+# NOTE: these are server-role configs (syncd/katello/sops). A clean end-user
+# desktop host does not exist yet — see the "Generic/desktop host" gap.
+case "$(uname -m)" in
+  x86_64)  _default_host="stable-x86_64" ;;
+  aarch64|arm64) _default_host="builder-aarch64" ;;
+  *)       _default_host="stable-x86_64" ;;
+esac
+HOST="${HOST:-$_default_host}"
 MNT="${MNT:-/mnt}"
 FORMAT="${FORMAT:-yes}"  # set FORMAT=no to skip mkfs
 

website/index.html

@@ -100,8 +100,8 @@ <h2>Download</h2>
           <h3>PC — Intel &amp; AMD</h3>
           <div class="arch">x86_64 · UEFI / BIOS</div>
           <p>The standard desktop and laptop build. Write to a USB stick and boot the live installer.</p>
-          <a class="btn" href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-26.11-installer-x86_64-linux.iso">Download ISO (x86_64)</a>
-          <div class="meta"><a href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-26.11-installer-x86_64-linux.iso.sha256">SHA-256</a> · ~1–2 GB</div>
+          <a class="btn" href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-installer-x86_64.iso">Download ISO (x86_64)</a>
+          <div class="meta"><a href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-installer-x86_64.iso.sha256">SHA-256</a> · ~1–2 GB</div>
         </div>
 
         <!-- aarch64 -->
@@ -110,8 +110,8 @@ <h3>PC — Intel &amp; AMD</h3>
           <h3>ARM servers &amp; SBCs</h3>
           <div class="arch">aarch64 · generic UEFI</div>
           <p>For Ampere, ARM cloud instances, and UEFI-capable single-board computers. Not for Macs — see Apple Silicon.</p>
-          <a class="btn" href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-26.11-installer-aarch64-linux.iso">Download ISO (ARM64)</a>
-          <div class="meta"><a href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-26.11-installer-aarch64-linux.iso.sha256">SHA-256</a> · ~1–2 GB</div>
+          <a class="btn" href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-installer-aarch64.iso">Download ISO (ARM64)</a>
+          <div class="meta"><a href="https://github.com/SourceOS-Linux/source-os/releases/latest/download/sourceos-installer-aarch64.iso.sha256">SHA-256</a> · ~1–2 GB</div>
         </div>
 
         <!-- Apple Silicon -->