msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 34s
Details
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 24s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m35s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-25 10:10:41 +02:00
parent 9c19212c00
commit e8d85a39ae
134 changed files with 13933 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml Normal file
View File

@@ -0,0 +1,92 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
---
name: "Bug Report"
about: "Create a report to help us improve"
title: "[BUG | possible BUG]: "
assignees: "MSW"
body:
# Instructions for the reporter
- type: markdown
attributes:
value: |
_Please provide concise information to reproduce the bug; issues lacking detail may be closed._
# Version information
- type: input
id: version
attributes:
label: "Version"
description: "Which version are you running? Use `./setup.sh -v`."
placeholder: "e.g., Master V8.00.000.2025.06.17"
validations:
required: true
# Known issues check
- type: textarea
id: known_issue
attributes:
label: "Search for known issues"
description: "Is this a known problem? Link to related issues or state 'none found'."
placeholder: "e.g., #1234 or none found"
validations:
required: true
# Reproduction steps
- type: textarea
id: reproduction
attributes:
label: "Command line"
description: |
Which command did you run, and against which target?
If you prefer not to disclose publicly, use `security@coresecret.eu`.
placeholder: "e.g., ./setup.sh --debug"
validations:
required: true
# Expected behavior
- type: textarea
id: expected
attributes:
label: "Expected behavior"
description: "Describe clearly what you expected to happen."
placeholder: "e.g., Build completes without errors"
validations:
required: true
# System information
- type: input
id: os
attributes:
label: "Operating System"
description: "Retrieve via `awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`."
placeholder: "e.g., Debian GNU/Linux 12 (bookworm)"
validations:
required: true
- type: input
id: platform
attributes:
label: "Platform"
description: "Retrieve via `uname -srm`."
placeholder: "e.g., Linux 6.12.30+bpo-amd64 x86_64"
validations:
required: true
# Additional context
- type: textarea
id: additional_context
attributes:
label: "Additional context"
description: "Any other information about the problem."
placeholder: "e.g., Logs, screenshots, configuration snippets"
validations:
required: false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

55
.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml Normal file
View File

@@ -0,0 +1,55 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
---
name: "Standard-PR"
about: "Please answer the following questions before submitting the PR."
title: "[PR]: "
assignees: "MSW"
body:
- type: markdown
attributes:
value: |
Thank you for your PR.
# Section for free-form description
- type: textarea
id: description
attributes:
label: "Describe your changes"
description: "Please refer to an issue here or describe the change thoroughly in your PR."
placeholder: "e.g., Fix typo in README"
validations:
required: true
# Section for categorizing the PR
- type: checkboxes
id: pr-type
attributes:
label: "What is your pull request about?"
options:
- label: "Bug fix"
- label: "Improvement"
- label: "New feature (adds functionality)"
- label: "Breaking change (existing functionality may not work)"
- label: "Typo fix"
- label: "Documentation update"
- label: "Update of other files"
# Section for code-quality checklist
- type: checkboxes
id: code-checklist
attributes:
label: "If this is a code change, please check all that apply:"
options:
- label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
- label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
- label: "I have tested this fix or improvement on >=2 VMs without issues"
- label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
- label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
- label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

45
.gitea/properties/json/gitea-issue-config.json Normal file
View File

@@ -0,0 +1,45 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://json.schemastore.org/gitea-issue-config.json",
"$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config",
"properties": {
"blank_issues_enabled": {
"description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "boolean"
},
"contact_links": {
"title": "contact links",
"description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": ["name", "url", "about"],
"properties": {
"name": {
"description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample name"]
},
"url": {
"description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"pattern": "^https?://",
"examples": ["https://sample/url"]
},
"about": {
"description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample description"]
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false,
"title": "Gitea issue template chooser config file schema",
"type": "object"
}

1715
.gitea/properties/json/github-workflow.json Normal file
View File

File diff suppressed because it is too large Load Diff

8
.gitea/properties/lua/linkfix.lua Normal file
View File

@@ -0,0 +1,8 @@
-- Linkfix.lua
function Link (el)
-- wenn Linkziel auf .md endet, ändere es zu .html
if el.target:match('%.md$') then
el.target = el.target:gsub('%.md$', '.html')
end
return el
end

15
.gitea/trigger/t_generate_dns.yaml Normal file
View File

@@ -0,0 +1,15 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
version: V8.00.000.2025.06.17
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

339
.gitea/workflows/linter_char_scripts.yaml Normal file
View File

@@ -0,0 +1,339 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
# Gitea Workflow: Shell-Script Linting
#
# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
# 1. Windows CRLF line endings
# 2. unauthorized control characters (C0 control characters except \t, \n)
# 3. non-ASCII (ambiguous UTF) characters
#
# Findings are collected and at the end of the run with file, line number,
# and the respective character in the Runner output.
name: 🛡️ Shell Script Linting
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
shell-script-linter:
name: 🛡️ Shell Script Linting
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install dependencies.
shell: bash
run: |
### Install grep with Perl-regex support, falls noch nicht vorhanden
apt-get update
apt-get upgrade -y
apt-get install -y grep
- name: 🔍 Lint shell scripts
shell: bash
run: |
# -------------------------------
# STEP 1: Find target files.
#
# We capture:
# - All files '*.sh', '*.zsh', '*.chroot'
# - All files whose first line begins with "#!" (shebang)
# -------------------------------
mapfile -t files_to_check < <(
find . \
-path './.git' -prune -o \
-type f \( \
-iname '*.sh' -o \
-iname '*.zsh' -o \
-iname '*.chroot' -o \
-exec grep -Iq '^#!' {} \; \
\) -print
)
# -------------------------------
# STEP 2: Regex definitions
#
# - CRLF_REGEX Carriage Return (\r) for Windows CRLF
# - CTRL_REGEX C0 control characters except Tab (\x09) and Newline (\x0A)
# - Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
# - NON_ASCII_REGEX All bytes -> 0x7F, except emoji characters in defined ranges
#
# Emoji ranges that we exclude:
# - \x{1F300}-\x{1F5FF} Misc Symbols & Pictographs
# - \x{1F600}-\x{1F64F} Emoticons
# - \x{1F680}-\x{1F6FF} Transport & Map Symbols
# - \x{1F900}-\x{1F9FF} Supplemental Symbols & Pictographs
# - \x{2600}-\x{26FF} Miscellaneous Symbols
# - \x{2700}-\x{27BF} Dingbats
# -------------------------------
CRLF_REGEX=$'\r'
CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
# -------------------------------
# STEP 3: Accumulator for findings
# -------------------------------
findings=""
# -------------------------------
# STEP 4: Perform all checks for each file
# -------------------------------
for file in "${files_to_check[@]}"; do
#
# 4.1: CRLF detection
# grep -nP returns "lineno:<line with CR>"
# -------------------------------
while IFS=: read -r lineno _rest; do
findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
#
# 4.2: Unallowed control characters
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
#
# 4.3: Non-ASCII characters with emoji exception
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
done
# -------------------------------
# STEP 5: Output results
# -------------------------------
if [[ -n "${findings}" ]]; then
echo -e "⚠️ Linting issues detected:\n"
echo -e "${findings}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
⚠️ The last linter check was NOT successful. ⚠️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
else
echo "✅ No issues found in shell scripts."
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
✅ The last linter check was successful. ✅
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
fi
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
PRIVATE_FILE="LINTER_RESULTS.txt"
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

218
.gitea/workflows/render-dnssec-status.yaml Normal file
View File

@@ -0,0 +1,218 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_dns.yaml'
jobs:
build-dnssec-diagram:
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install DNSViz.
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y dnsviz
- name: ⚙️ Ensure docs/SECURITY/ directory exists.
shell: bash
run: |
mkdir -p docs/SECURITY/
rm -f docs/SECURITY/coresecret.dev.png
- name: 🛠️ Prepare DNS Cache.
shell: bash
run: |
sudo apt-get install -y dnsutils
dig +dnssec +multi coresecret.dev @8.8.8.8
- name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
shell: bash
run: |
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

211
.gitea/workflows/render-dot-to-png.yaml Normal file
View File

@@ -0,0 +1,211 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
name: 🔁 Render Graphviz Diagrams.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- "**/*.gv"
- "**/*.dot"
jobs:
build-graphiz-diagrams:
name: 🔁 Render Graphviz Diagrams.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install Graphviz.
shell: bash
run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y graphviz
- name: 🛠️ Render all .dot / .gv to PNG.
shell: bash
run: |
set -euo pipefail
find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
out="${file%.*}.png"
dot -Tpng "${file}" -o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add *.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔁 Auto-Generate PNG from *.dot. [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml