create-image

SPDX-FileCopyrightText: (C) 2026 Intel Corporation

SPDX-License-Identifier: Apache-2.0

name: create-image description: Build a host OS image using the ICT (Image Composer Tool) from a source template with customizable user credentials.

Trigger Phrases

• create image
• build host image
• generate ubuntu image
• build PTL image
• run ict image build

Required Inputs

• enib_home: absolute path to this repository root (default: current workspace root)
• work_template: output template path to edit (default: <target_template> basename prefixed with work-)
• target_template: source template path (default: infrastructure/host-os/ict/generic-handheld-os-template.yml)
• os_image_composer_repo: clone path for image-composer-tool (default: <enib_home>/tools/image-composer-tool)

Preconditions

Run silently without user prompts:

• Host OS recommendation check: grep -E "^(NAME|VERSION)=" /etc/os-release
• Go toolchain check: go version
• Required tool check: command -v ukify && dpkg -l mmdebstrap | grep '^ii'
• Source template exists: test -f <enib_home>/<target_template>
• Working template path is not source template path.
• Sudo probe (MANDATORY before sudo -E ./image-composer-tool build): run sudo -n true. If exit is non-zero, stop and instruct the user to run sudo -v in their terminal (or add a scoped NOPASSWD entry for image-composer-tool in /etc/sudoers.d/), then re-trigger the skill. If sudo -v was already run but sudo -n true still fails, the user must make sudo timestamps global (tty_tickets issue): echo 'Defaults timestamp_type=global' | sudo tee /etc/sudoers.d/agent-timestamp && sudo chmod 0440 /etc/sudoers.d/agent-timestamp && sudo visudo -c. See AGENTS.md.

Prompt only before destructive operations:

• Prompt for sudo confirmation only before destructive operations: disk wipe, partition table changes, or build commands that overwrite the output directory. Do not prompt for non-destructive sudo commands such as apt install

Steps

Run silently (no prompts):

1. Clone image-composer-tool if missing, or reuse existing checkout:
   • git clone https://github.com/open-edge-platform/image-composer-tool.git <os_image_composer_repo>
2. Build the tool binary:
   • cd <os_image_composer_repo>
   • go build -buildmode=pie -ldflags "-s -w" ./cmd/image-composer-tool
3. Prepare template copy:
   • cp <enib_home>/<target_template> <os_image_composer_repo>/<work_template>
4. Validate template before build:
   • cd <os_image_composer_repo>
   • ./image-composer-tool validate <work_template>
5. Collect generated artifacts from:
   • ./workspace/ubuntu-ubuntu24-x86_64/imagebuild/<config-name>/

Prompt only once for missing required inputs: 6. Apply template edits with minimal prompts.

Prompt only once before destructive action: 7. Ask for explicit confirmation before privileged build. 8. Build the image:

• sudo -E ./image-composer-tool build <work_template>

Validation

• Template validation passes with exit code 0.
• Build command exits with code 0 and reports successful image creation.
• At least one .raw.gz artifact is present under workspace output path.
• SBOM/manifests are present when generated by build profile.

Rollback

• Remove temporary working template: rm -f <os_image_composer_repo>/<work_template>
• Remove failed partial output directory if user approves: rm -rf <os_image_composer_repo>/workspace/ubuntu-ubuntu24-x86_64/imagebuild/<config-name>

Safety Rules

• Ask before privileged or destructive actions.
• Never infer credentials, keys, or secrets.
• Never print full private key contents.
• Stop on precondition or validation failure and provide next-action guidance.

Expected Result Summary

Return:

• whether preconditions passed
• validation status
• build status
• artifact file names and absolute paths
• troubleshooting hints when build fails (for example cert/no_proxy issues)