live-image: generate initrd explicitly; fail release on missing files

Two bugs chained together to ship a broken bundle:

1. With Bootable=no, mkosi skips update-initramfs, so no
   /boot/initrd.img-<kver> ever gets generated inside the rootfs.
   The postinst now runs update-initramfs via chroot to produce it.

2. The `make release` recipe chained its `cp` calls with `;`, so
   a missing live-image/build/initrd.img silently failed and the
   bundle still got tarred + uploaded. Adding `set -e` at the top
   of the recipe makes any missing component fail the build loudly
   instead of shipping a half-bundle.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

live-image/mkosi.postinst

@@ -1,10 +1,17 @@
 #!/bin/sh
-# mkosi postinst: enable the vetting-agent service. The binary lands in
-# the image via mkosi.extra/ (staged by the live-image Makefile from
-# ../bin/vetting-agent.linux-amd64); the service unit lands via
-# mkosi.skeleton/. All we need here is the multi-user.target symlink.
+# mkosi postinst: enable the vetting-agent service and generate the
+# initrd. The binary lands in the image via mkosi.extra/ (staged by the
+# live-image Makefile from ../bin/vetting-agent.linux-amd64); the
+# service unit lands via mkosi.skeleton/.
 set -eu
 
 mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
 ln -sf /etc/systemd/system/vetting-agent.service \
     "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"
+
+# Bootable=no means mkosi won't run update-initramfs for us, and the
+# deferred initramfs-tools trigger inside the chroot doesn't actually
+# generate /boot/initrd.img-<kver>. Do it explicitly so the top-level
+# Makefile's cp of live-image/build/initrd.img has something to copy.
+kver=$(ls "$BUILDROOT/lib/modules/" | head -n1)
+chroot "$BUILDROOT" update-initramfs -c -k "$kver"