Extend pi-gen-action to build 32- and 64-bit RaspAP Insiders images
Closed this issue Β· 8 comments
Is your feature request related to a problem?
This builds on the existing pi-gen action as described in #1688.
Users who join the private RaspAP/raspap-insiders repo are required to authenticate with GitHub using a personal access token with a specific token scope. Despite being clearly documented, many users struggle with this and report problems when attempting to clone the private repo. The installer switches for Insiders take the following form:
curl -sL https://install.raspap.com | bash -s -- --insiders --name [username] --token [my-token]
Describe the solution you'd like
Extending the pi-gen-action to Insiders means that users can simply download the pre-built custom Insiders image from the private RaspAP/raspap-insiders repo, rather than creating a token, verifying it and passing these switches to the installer.
Proposed approach
The private RaspAP/raspap-insiders repo can define a repository secret such as INSIDERS_TOKEN. This can be injected into the build from an environment variable or temp file that only exists at build time. For example:
env:
INSIDERS_TOKEN: ${{ secrets.INSIDERS_TOKEN }}
A script in stage-raspap/prerun.sh could then securely write the token like so:
stage-raspap/package-raspap/00-run-chroot.sh
#!/bin/bash -e
# inject GitHub token as file in chroot environment
echo "${INSIDERS_TOKEN}" > "${ROOTFS_DIR}/etc/insiders_token"
chmod 600 "${ROOTFS_DIR}/etc/insiders_token"
This ensures the token only exists inside the chroot build, not on the host, and isnβt exposed in logs. It can then be used by the installer:
# read injected Insiders token
INSIDERS_TOKEN=$(cat /etc/insiders_token)
INSIDERS_USER="insiders-builder"
curl -sL https://install.raspap.com | bash -s -- \
--yes --insiders --openvpn 1 --restapi 1 --adblock 1 --wireguard 1 --tcp-bbr 1 --check 0 \
--name "$INSIDERS_USER" --token "$INSIDERS_TOKEN"
After the installer executes, the token should be deleted with rm -f /etc/insiders_token.
Describe alternatives you've considered
None.
Additional context
The build must differentiate between an action triggered by an Insiders release, versus a public repo release (as it does currently).
| Build Source | Workflow Behavior |
|---|---|
| Public repo release | Build public image, no auth required |
| Private Insiders repo release | Build private image, use --name and --token, then upload release to the Insiders repo |
This could be achieved by splitting the workflows between each repo, with minor differences.
Bonus
Share logic between workflows. To reduce duplication, common logic could be grouped into a shell script checked into both repos.
edit: fix insiders_token reference
/bounty 300
π $300 bounty β’ RaspAP
Steps to solve:
- Start working: Comment
/attempt #1874with your implementation plan - Submit work: Create a pull request including
/claim #1874in the PR body to claim the bounty - Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts
β Important guidelines:
- To claim a bounty, you need to provide a short demo video of your changes in your pull request
- If anything is unclear, ask for clarification before starting as this will help avoid potential rework
- Low quality AI PRs will not receive review and will be closed
- Do not ask to be assigned unless you've contributed before
Thank you for contributing to RaspAP/raspap-webgui!
| Attempt | Started (UTC) | Solution | Actions |
|---|---|---|---|
| π’ @Dhanus3133 | Jun 06, 2025, 07:42:08 AM | #1875 | Reward |
@NL-TCH @Dhanus3133 possibly of interest
/attempt #1874
@billz Can I please get access to the RaspAP/raspap-insiders repo
@Dhanus3133 certainly, I was just about to ask :)
π The pull request of @Dhanus3133 has been merged. The bounty can be rewarded here
cc @billz
ππ @Dhanus3133 has been awarded $330 by RaspAP! ππ