Extend pi-gen-action to build 32- and 64-bit RaspAP Insiders images

[billz]

Is your feature request related to a problem?

This builds on the existing pi-gen action as described in #1688.

Users who join the private RaspAP/raspap-insiders repo are required to authenticate with GitHub using a personal access token with a specific token scope. Despite being clearly documented, many users struggle with this and report problems when attempting to clone the private repo. The installer switches for Insiders take the following form:

curl -sL https://install.raspap.com | bash -s -- --insiders --name [username] --token [my-token]

Describe the solution you'd like

Extending the pi-gen-action to Insiders means that users can simply download the pre-built custom Insiders image from the private RaspAP/raspap-insiders repo, rather than creating a token, verifying it and passing these switches to the installer.

Proposed approach

The private RaspAP/raspap-insiders repo can define a repository secret such as INSIDERS_TOKEN. This can be injected into the build from an environment variable or temp file that only exists at build time. For example:

env:
  INSIDERS_TOKEN: ${{ secrets.INSIDERS_TOKEN }}

A script in stage-raspap/prerun.sh could then securely write the token like so:

stage-raspap/package-raspap/00-run-chroot.sh

#!/bin/bash -e

# inject GitHub token as file in chroot environment
echo "${INSIDERS_TOKEN}" > "${ROOTFS_DIR}/etc/insiders_token"
chmod 600 "${ROOTFS_DIR}/etc/insiders_token"

This ensures the token only exists inside the chroot build, not on the host, and isn’t exposed in logs. It can then be used by the installer:

# read injected Insiders token
INSIDERS_TOKEN=$(cat /etc/insiders_token)
INSIDERS_USER="insiders-builder"

curl -sL https://install.raspap.com | bash -s -- \
  --yes --insiders --openvpn 1 --restapi 1 --adblock 1 --wireguard 1 --tcp-bbr 1 --check 0 \
  --name "$INSIDERS_USER" --token "$INSIDERS_TOKEN"

After the installer executes, the token should be deleted with rm -f /etc/insiders_token.

Describe alternatives you've considered

None.

Additional context

The build must differentiate between an action triggered by an Insiders release, versus a public repo release (as it does currently).

Build Source	Workflow Behavior
Public repo release	Build public image, no auth required
Private Insiders repo release	Build private image, use --name and --token, then upload release to the Insiders repo

This could be achieved by splitting the workflows between each repo, with minor differences.

Bonus

Share logic between workflows. To reduce duplication, common logic could be grouped into a shell script checked into both repos.

edit: fix insiders_token reference

[billz]

/bounty 300

[algora-pbc]

💎 $300 bounty • RaspAP

Steps to solve:

1. Start working: Comment /attempt #1874 with your implementation plan
2. Submit work: Create a pull request including /claim #1874 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

❗ Important guidelines:

• To claim a bounty, you need to provide a short demo video of your changes in your pull request
• If anything is unclear, ask for clarification before starting as this will help avoid potential rework
• Low quality AI PRs will not receive review and will be closed
• Do not ask to be assigned unless you've contributed before

Thank you for contributing to RaspAP/raspap-webgui!

Attempt	Started (UTC)	Solution	Actions
🟢 @Dhanus3133	Jun 06, 2025, 07:42:08 AM	#1875	Reward

[billz]

@NL-TCH @Dhanus3133 possibly of interest

[Dhanus3133]

/attempt #1874

[Dhanus3133]

@billz Can I please get access to the RaspAP/raspap-insiders repo

[billz]

@Dhanus3133 certainly, I was just about to ask :)

[algora-pbc]

🎉 The pull request of @Dhanus3133 has been merged. The bounty can be rewarded here

cc @billz