V8.13.392.2025.11.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
441
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
Normal file
441
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
Normal file
@@ -0,0 +1,441 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
# Version Master V8.13.392.2025.11.07
|
||||
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
paths:
|
||||
- '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
|
||||
|
||||
jobs:
|
||||
generate-private-cdlb-trixie:
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
runs-on: cdlb.trixie
|
||||
|
||||
container:
|
||||
image: debian:trixie
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}
|
||||
|
||||
steps:
|
||||
- name: 🕑 Waiting random time to desynchronize parallel workflows.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
var_wait=$(( RANDOM % 33 ))
|
||||
printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
sleep "${var_wait}"
|
||||
|
||||
- name: 🔧 Basic Image Setup.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
umask 0022
|
||||
|
||||
echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}"
|
||||
echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
|
||||
echo "LC_ALL=C.UTF-8" >> "${GITHUB_ENV}"
|
||||
echo "TZ=UTC" >> "${GITHUB_ENV}"
|
||||
echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}"
|
||||
|
||||
export APT_LISTCHANGES_FRONTEND=none
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
apt-get update -qq
|
||||
apt-get upgrade -y
|
||||
apt-get install -y --no-install-recommends \
|
||||
apt-utils \
|
||||
bash \
|
||||
bat \
|
||||
ca-certificates \
|
||||
curl \
|
||||
debootstrap \
|
||||
git \
|
||||
gnupg-utils \
|
||||
gnupg \
|
||||
gpg-agent \
|
||||
gpgv \
|
||||
live-build \
|
||||
lsb-release \
|
||||
openssh-client \
|
||||
openssl \
|
||||
perl \
|
||||
pinentry-curses \
|
||||
pinentry-tty \
|
||||
sudo \
|
||||
util-linux \
|
||||
whois
|
||||
|
||||
- name: ⚙️ Check GnuPG Version.
|
||||
run: |
|
||||
gpg --version
|
||||
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
### Private Key
|
||||
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
|
||||
chmod 0600 ~/.ssh/id_ed25519
|
||||
|
||||
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
|
||||
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
|
||||
chmod 0600 ~/.ssh/known_hosts
|
||||
|
||||
### Generate SSH Config for git.coresecret.dev Custom-Port
|
||||
cat <<EOF >| ~/.ssh/config
|
||||
Host git.coresecret.dev
|
||||
HostName git.coresecret.dev
|
||||
Port 42842
|
||||
IdentityFile ~/.ssh/id_ed25519
|
||||
StrictHostKeyChecking yes
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
EOF
|
||||
chmod 0600 ~/.ssh/config
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
env:
|
||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
|
||||
- name: ⚙️ Init GNUPGHOME.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
|
||||
# shellcheck disable=SC2174
|
||||
mkdir -p -m 0700 "${GNUPGHOME}"
|
||||
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
|
||||
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
|
||||
echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
|
||||
echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"
|
||||
gpgconf --reload gpg-agent || true
|
||||
|
||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
env:
|
||||
PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
|
||||
unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
|
||||
|
||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
git config user.email "msw+bot@coresecret.dev"
|
||||
git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
|
||||
git config commit.gpgsign true
|
||||
git config gpg.program gpg
|
||||
git config gpg.format openpgp
|
||||
git config --get user.signingkey
|
||||
|
||||
- name: ⚙️ Preparing the build environment.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
mkdir -p /dev/shm/cdlb_secrets
|
||||
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
|
||||
|
||||
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /dev/shm/cdlb_secrets/password.txt
|
||||
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /dev/shm/cdlb_secrets/authorized_keys
|
||||
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
|
||||
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
|
||||
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
|
||||
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
|
||||
echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
|
||||
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
|
||||
echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
|
||||
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
|
||||
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
|
||||
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
|
||||
|
||||
- name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
|
||||
run: |
|
||||
set -euo pipefail
|
||||
chmod 0700 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
|
||||
./ciss_live_builder.sh \
|
||||
--architecture amd64 \
|
||||
--autobuild=6.16.3+deb13-amd64 \
|
||||
--build-directory /opt/cdlb \
|
||||
--cdi \
|
||||
--control "${timestamp}" \
|
||||
--debug \
|
||||
--dhcp-centurion \
|
||||
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
|
||||
--key_age=keys.txt \
|
||||
--key_luks=luks.txt \
|
||||
--provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
|
||||
--root-password-file /dev/shm/cdlb_secrets/password.txt \
|
||||
--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
|
||||
--signing_key_pass=signing_key_pass.txt \
|
||||
--signing_key=signing_key.asc \
|
||||
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
|
||||
--ssh-pubkey /dev/shm/cdlb_secrets \
|
||||
--sshfp \
|
||||
--trixie
|
||||
|
||||
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
SHARE_SUBDIR=""
|
||||
|
||||
echo "📥 Get directory listing via PROPFIND ..."
|
||||
|
||||
curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
|
||||
-o propfind_public.xml
|
||||
|
||||
echo "📥 Filter .iso files from the PROPFIND response ..."
|
||||
|
||||
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
|
||||
|
||||
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
|
||||
|
||||
echo "💡 Old ISO files found and deleted :"
|
||||
|
||||
while IFS= read -r href; do
|
||||
|
||||
FILE_URL="${NC_BASE}${href}"
|
||||
echo " Delete: ${FILE_URL}"
|
||||
|
||||
if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
|
||||
|
||||
echo " ✅ Successfully deleted: $(basename "${href}")"
|
||||
|
||||
else
|
||||
|
||||
echo " ❌ Error: $(basename "${href}") could not be deleted"
|
||||
|
||||
fi
|
||||
|
||||
done < public_iso_list.txt
|
||||
|
||||
else
|
||||
|
||||
echo "💡 No old ISO files found to delete."
|
||||
|
||||
fi
|
||||
|
||||
- name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
|
||||
else
|
||||
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
|
||||
fi
|
||||
|
||||
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
|
||||
|
||||
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
|
||||
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
|
||||
|
||||
echo "✅ New ISO successfully uploaded."
|
||||
|
||||
else
|
||||
|
||||
echo "❌ Uploading the new ISO failed."
|
||||
exit 1
|
||||
|
||||
fi
|
||||
|
||||
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
|
||||
run: |
|
||||
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
|
||||
else
|
||||
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
|
||||
fi
|
||||
|
||||
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
|
||||
touch "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
|
||||
touch "${SIGNATURE_FILE}"
|
||||
|
||||
gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
|
||||
touch "${PRIVATE_FILE}"
|
||||
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
|
||||
|
||||
CISS.debian.live.builder ISO :
|
||||
"${VAR_ISO_FILE_NAME}"
|
||||
CISS.debian.live.builder ISO sha512 :
|
||||
$(< "${VAR_ISO_FILE_SHA512}")
|
||||
CISS.debian.live.builder ISO sha512 sign :
|
||||
$(< "${SIGNATURE_FILE}")
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
EOF
|
||||
|
||||
- name: 🚧 Stash local changes (including untracked).
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Temporarily store any local modifications or untracked files.
|
||||
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
|
||||
|
||||
- name: 🔄 Sync with remote before commit using merge strategy.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
echo "🔄 Fetching origin/master ..."
|
||||
git fetch origin master
|
||||
|
||||
echo "🔁 Merging origin/master into current branch ..."
|
||||
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
|
||||
|
||||
echo "📋 Post-merge status :"
|
||||
git status
|
||||
git log --oneline -n 5
|
||||
|
||||
- name: 🔧 Restore stashed changes.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Apply previously stashed changes.
|
||||
git stash pop || echo "✔️ Nothing to pop."
|
||||
|
||||
- name: 📦 Stage generated files.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
|
||||
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if git diff --cached --quiet; then
|
||||
|
||||
echo "✔️ No staged changes to commit."
|
||||
|
||||
else
|
||||
|
||||
echo "📝 Committing changes with GPG signature ..."
|
||||
|
||||
### CI Metadata
|
||||
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
||||
HOSTNAME="$(hostname -f || hostname)"
|
||||
GIT_SHA="$(git rev-parse --short HEAD)"
|
||||
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
|
||||
WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
|
||||
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
|
||||
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
|
||||
|
||||
${CI_HEADER}
|
||||
|
||||
Generated at : ${TIMESTAMP_UTC}
|
||||
Runner Host : ${HOSTNAME}
|
||||
Workflow ID : ${WORKFLOW_ID}
|
||||
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
|
||||
"
|
||||
|
||||
echo "🔏 Commit message :"
|
||||
echo "${COMMIT_MSG}"
|
||||
git commit -S -m "${COMMIT_MSG}"
|
||||
|
||||
fi
|
||||
|
||||
- name: 🔁 Push back to repository.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
|
||||
git push origin HEAD:${GITHUB_REF_NAME}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
411
.gitea/workflows/generate_PUBLIC_iso.yaml
Normal file
411
.gitea/workflows/generate_PUBLIC_iso.yaml
Normal file
@@ -0,0 +1,411 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
# Version Master V8.13.392.2025.11.07
|
||||
|
||||
name: 💙 Generating a PUBLIC Live ISO.
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
paths:
|
||||
- '.gitea/trigger/t_generate_PUBLIC.yaml'
|
||||
|
||||
jobs:
|
||||
generate-public-cdlb-trixie:
|
||||
name: 💙 Generating a PUBLIC Live ISO.
|
||||
runs-on: cdlb.trixie
|
||||
|
||||
container:
|
||||
image: debian:trixie
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}
|
||||
|
||||
steps:
|
||||
- name: 🕑 Waiting random time to desynchronize parallel workflows.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
var_wait=$(( RANDOM % 33 ))
|
||||
printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
sleep "${var_wait}"
|
||||
|
||||
- name: 🔧 Basic Image Setup.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
umask 0022
|
||||
|
||||
echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}"
|
||||
echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
|
||||
echo "LC_ALL=C.UTF-8" >> "${GITHUB_ENV}"
|
||||
echo "TZ=UTC" >> "${GITHUB_ENV}"
|
||||
echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}"
|
||||
|
||||
export APT_LISTCHANGES_FRONTEND=none
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
apt-get update -qq
|
||||
apt-get upgrade -y
|
||||
apt-get install -y --no-install-recommends \
|
||||
apt-utils \
|
||||
bash \
|
||||
bat \
|
||||
ca-certificates \
|
||||
curl \
|
||||
debootstrap \
|
||||
git \
|
||||
gnupg-utils \
|
||||
gnupg \
|
||||
gpg-agent \
|
||||
gpgv \
|
||||
live-build \
|
||||
lsb-release \
|
||||
openssh-client \
|
||||
openssl \
|
||||
perl \
|
||||
pinentry-curses \
|
||||
pinentry-tty \
|
||||
sudo \
|
||||
util-linux \
|
||||
whois
|
||||
|
||||
- name: ⚙️ Check GnuPG Version.
|
||||
run: |
|
||||
gpg --version
|
||||
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
### Private Key
|
||||
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
|
||||
chmod 0600 ~/.ssh/id_ed25519
|
||||
|
||||
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
|
||||
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
|
||||
chmod 0600 ~/.ssh/known_hosts
|
||||
|
||||
### Generate SSH Config for git.coresecret.dev Custom-Port
|
||||
cat <<EOF >| ~/.ssh/config
|
||||
Host git.coresecret.dev
|
||||
HostName git.coresecret.dev
|
||||
Port 42842
|
||||
IdentityFile ~/.ssh/id_ed25519
|
||||
StrictHostKeyChecking yes
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
EOF
|
||||
chmod 0600 ~/.ssh/config
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
env:
|
||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
|
||||
- name: ⚙️ Init GNUPGHOME.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
|
||||
# shellcheck disable=SC2174
|
||||
mkdir -p -m 0700 "${GNUPGHOME}"
|
||||
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
|
||||
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
|
||||
echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
|
||||
echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"
|
||||
gpgconf --reload gpg-agent || true
|
||||
|
||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
env:
|
||||
PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
|
||||
unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
|
||||
|
||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
git config user.email "msw+bot@coresecret.dev"
|
||||
git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
|
||||
git config commit.gpgsign true
|
||||
git config gpg.program gpg
|
||||
git config gpg.format openpgp
|
||||
git config --get user.signingkey
|
||||
|
||||
- name: ⚙️ Preparing the build environment.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
mkdir -p /dev/shm/cdlb_secrets
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
|
||||
install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
|
||||
echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
|
||||
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
|
||||
|
||||
|
||||
- name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
|
||||
run: |
|
||||
set -euo pipefail
|
||||
chmod 0700 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
|
||||
./ciss_live_builder.sh \
|
||||
--architecture amd64 \
|
||||
--autobuild=6.16.3+deb13-amd64 \
|
||||
--build-directory /opt/cdlb \
|
||||
--cdi \
|
||||
--control "${timestamp}" \
|
||||
--debug \
|
||||
--root-password-file /dev/shm/cdlb_secrets/password.txt \
|
||||
--ssh-port 42137 \
|
||||
--ssh-pubkey /dev/shm/cdlb_secrets \
|
||||
--trixie
|
||||
|
||||
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
SHARE_SUBDIR=""
|
||||
|
||||
echo "📥 Get directory listing via PROPFIND ..."
|
||||
|
||||
curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
|
||||
-o propfind_public.xml
|
||||
|
||||
echo "📥 Filter .iso files from the PROPFIND response ..."
|
||||
|
||||
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
|
||||
|
||||
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
|
||||
|
||||
echo "💡 Old ISO files found and deleted :"
|
||||
|
||||
while IFS= read -r href; do
|
||||
|
||||
FILE_URL="${NC_BASE}${href}"
|
||||
echo " Delete: ${FILE_URL}"
|
||||
|
||||
if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
|
||||
|
||||
echo " ✅ Successfully deleted: $(basename "${href}")"
|
||||
|
||||
else
|
||||
|
||||
echo " ❌ Error: $(basename "${href}") could not be deleted"
|
||||
|
||||
fi
|
||||
|
||||
done < public_iso_list.txt
|
||||
|
||||
else
|
||||
|
||||
echo "💡 No old ISO files found to delete."
|
||||
|
||||
fi
|
||||
|
||||
- name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
|
||||
else
|
||||
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
|
||||
fi
|
||||
|
||||
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
|
||||
|
||||
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
|
||||
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
|
||||
|
||||
echo "✅ New ISO successfully uploaded."
|
||||
|
||||
else
|
||||
|
||||
echo "❌ Uploading the new ISO failed."
|
||||
exit 1
|
||||
|
||||
fi
|
||||
|
||||
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
|
||||
run: |
|
||||
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
|
||||
else
|
||||
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
|
||||
fi
|
||||
|
||||
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
|
||||
touch "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
|
||||
touch "${SIGNATURE_FILE}"
|
||||
|
||||
gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LIVE_ISO.public"
|
||||
touch "${PRIVATE_FILE}"
|
||||
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
|
||||
|
||||
CISS.debian.live.builder ISO :
|
||||
"${VAR_ISO_FILE_NAME}"
|
||||
CISS.debian.live.builder ISO sha512 :
|
||||
$(< "${VAR_ISO_FILE_SHA512}")
|
||||
CISS.debian.live.builder ISO sha512 sign :
|
||||
$(< "${SIGNATURE_FILE}")
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
EOF
|
||||
|
||||
- name: 🚧 Stash local changes (including untracked).
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Temporarily store any local modifications or untracked files.
|
||||
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
|
||||
|
||||
- name: 🔄 Sync with remote before commit using merge strategy.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
echo "🔄 Fetching origin/master ..."
|
||||
git fetch origin master
|
||||
|
||||
echo "🔁 Merging origin/master into current branch ..."
|
||||
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
|
||||
|
||||
echo "📋 Post-merge status :"
|
||||
git status
|
||||
git log --oneline -n 5
|
||||
|
||||
- name: 🔧 Restore stashed changes.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Apply previously stashed changes.
|
||||
git stash pop || echo "✔️ Nothing to pop."
|
||||
|
||||
- name: 📦 Stage generated files.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
PRIVATE_FILE="LIVE_ISO.public"
|
||||
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if git diff --cached --quiet; then
|
||||
|
||||
echo "✔️ No staged changes to commit."
|
||||
|
||||
else
|
||||
|
||||
echo "📝 Committing changes with GPG signature ..."
|
||||
|
||||
### CI Metadata
|
||||
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
||||
HOSTNAME="$(hostname -f || hostname)"
|
||||
GIT_SHA="$(git rev-parse --short HEAD)"
|
||||
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
|
||||
WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
|
||||
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
|
||||
|
||||
COMMIT_MSG="DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
|
||||
|
||||
${CI_HEADER}
|
||||
|
||||
Generated at : ${TIMESTAMP_UTC}
|
||||
Runner Host : ${HOSTNAME}
|
||||
Workflow ID : ${WORKFLOW_ID}
|
||||
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
|
||||
"
|
||||
|
||||
echo "🔏 Commit message :"
|
||||
echo "${COMMIT_MSG}"
|
||||
git commit -S -m "${COMMIT_MSG}"
|
||||
|
||||
fi
|
||||
|
||||
- name: 🔁 Push back to repository.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
|
||||
git push origin HEAD:${GITHUB_REF_NAME}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
@@ -88,7 +88,7 @@ jobs:
|
||||
set -euo pipefail
|
||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
mkdir -m 700 "${GNUPGHOME}"
|
||||
mkdir -m 0700 "${GNUPGHOME}"
|
||||
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
|
||||
gpg --batch --import ci-bot.sec.asc
|
||||
### Trust the key automatically
|
||||
|
||||
@@ -28,15 +28,23 @@ jobs:
|
||||
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}
|
||||
|
||||
steps:
|
||||
- name: 🕑 Waiting random time to desynchronize parallel workflows.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
var_wait=$(( RANDOM % 33 ))
|
||||
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
sleep "${var_wait}"
|
||||
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
### Private Key
|
||||
@@ -59,30 +67,20 @@ jobs:
|
||||
chmod 0600 ~/.ssh/config
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
shell: bash
|
||||
- name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
env:
|
||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
||||
|
||||
- name: 🛠️ Cleaning the workspace.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git reset --hard
|
||||
git clean -fd
|
||||
|
||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
mkdir -m 700 "${GNUPGHOME}"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
mkdir -m 0700 "${GNUPGHOME}"
|
||||
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
|
||||
gpg --batch --import ci-bot.sec.asc
|
||||
### Trust the key automatically
|
||||
@@ -90,10 +88,9 @@ jobs:
|
||||
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
||||
|
||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
git config user.email "msw+bot@coresecret.dev"
|
||||
git config commit.gpgsign true
|
||||
@@ -101,38 +98,32 @@ jobs:
|
||||
git config gpg.format openpgp
|
||||
|
||||
- name: ⚙️ Convert APT sources to HTTPS.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
|
||||
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
|
||||
|
||||
- name: 🛠️ Install DNSViz.
|
||||
shell: bash
|
||||
- name: 🔧 Install DNSViz.
|
||||
run: |
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y dnsviz
|
||||
|
||||
- name: ⚙️ Ensure docs/SECURITY/ directory exists.
|
||||
shell: bash
|
||||
run: |
|
||||
mkdir -p docs/SECURITY/
|
||||
rm -f docs/SECURITY/coresecret.dev.png
|
||||
|
||||
- name: 🛠️ Prepare DNS Cache.
|
||||
shell: bash
|
||||
- name: 🔧 Prepare DNS Cache.
|
||||
run: |
|
||||
sudo apt-get install -y dnsutils
|
||||
dig +dnssec +multi coresecret.dev @8.8.8.8
|
||||
|
||||
- name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
|
||||
shell: bash
|
||||
- name: 🔧 Retrieve Zone Dump and generate .png Visualization.
|
||||
run: |
|
||||
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
|
||||
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
|
||||
|
||||
- name: 🚧 Stash local changes (including untracked).
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -141,12 +132,11 @@ jobs:
|
||||
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
|
||||
|
||||
- name: 🔄 Sync with remote before commit using merge strategy.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
|
||||
echo "🔄 Fetching origin/master ..."
|
||||
git fetch origin master
|
||||
@@ -158,8 +148,7 @@ jobs:
|
||||
git status
|
||||
git log --oneline -n 5
|
||||
|
||||
- name: 🛠️ Restore stashed changes.
|
||||
shell: bash
|
||||
- name: 🔧 Restore stashed changes.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -168,7 +157,6 @@ jobs:
|
||||
git stash pop || echo "✔️ Nothing to pop."
|
||||
|
||||
- name: 📦 Stage generated files.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -176,12 +164,11 @@ jobs:
|
||||
git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
|
||||
if git diff --cached --quiet; then
|
||||
echo "✔️ No staged changes to commit."
|
||||
|
||||
@@ -29,15 +29,23 @@ jobs:
|
||||
name: 🔁 Render Graphviz Diagrams.
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
working-directory: ${{ github.workspace }}
|
||||
|
||||
steps:
|
||||
- name: 🕑 Waiting random time to desynchronize parallel workflows.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
var_wait=$(( RANDOM % 33 ))
|
||||
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
|
||||
sleep "${var_wait}"
|
||||
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
run: |
|
||||
set +x
|
||||
set -euo pipefail
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
### Private Key
|
||||
@@ -60,30 +68,20 @@ jobs:
|
||||
chmod 0600 ~/.ssh/config
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
shell: bash
|
||||
- name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
env:
|
||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
||||
|
||||
- name: 🛠️ Cleaning the workspace.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
git reset --hard
|
||||
git clean -fd
|
||||
|
||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
mkdir -m 700 "${GNUPGHOME}"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
mkdir -m 0700 "${GNUPGHOME}"
|
||||
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
|
||||
gpg --batch --import ci-bot.sec.asc
|
||||
### Trust the key automatically
|
||||
@@ -91,10 +89,9 @@ jobs:
|
||||
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
||||
|
||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
git config user.email "msw+bot@coresecret.dev"
|
||||
git config commit.gpgsign true
|
||||
@@ -102,21 +99,18 @@ jobs:
|
||||
git config gpg.format openpgp
|
||||
|
||||
- name: ⚙️ Convert APT sources to HTTPS.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
|
||||
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
|
||||
|
||||
- name: 🛠️ Install Graphviz.
|
||||
shell: bash
|
||||
- name: 🔧 Install Graphviz.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y graphviz
|
||||
|
||||
- name: 🛠️ Render all .dot / .gv to PNG.
|
||||
shell: bash
|
||||
- name: 🔧 Render all .dot / .gv to PNG.
|
||||
run: |
|
||||
set -euo pipefail
|
||||
find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
|
||||
@@ -125,7 +119,6 @@ jobs:
|
||||
done
|
||||
|
||||
- name: 🚧 Stash local changes (including untracked).
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -134,12 +127,11 @@ jobs:
|
||||
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
|
||||
|
||||
- name: 🔄 Sync with remote before commit using merge strategy.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
|
||||
echo "🔄 Fetching origin/master ..."
|
||||
git fetch origin master
|
||||
@@ -151,8 +143,7 @@ jobs:
|
||||
git status
|
||||
git log --oneline -n 5
|
||||
|
||||
- name: 🛠️ Restore stashed changes.
|
||||
shell: bash
|
||||
- name: 🔧 Restore stashed changes.
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -161,7 +152,6 @@ jobs:
|
||||
git stash pop || echo "✔️ Nothing to pop."
|
||||
|
||||
- name: 📦 Stage generated files.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
@@ -169,12 +159,11 @@ jobs:
|
||||
git add *.png || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
export GNUPGHOME="$(PWD)/.gnupg"
|
||||
|
||||
if git diff --cached --quiet; then
|
||||
echo "✔️ No staged changes to commit."
|
||||
@@ -205,7 +194,6 @@ jobs:
|
||||
fi
|
||||
|
||||
- name: 🔁 Push back to repository.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
|
||||
@@ -46,7 +46,7 @@ init_primordial() {
|
||||
|
||||
fi
|
||||
|
||||
### Check for SSH CISS and PhysNet primordial-workflow™ integration ----------------------------------------------------------
|
||||
### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
|
||||
if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
|
||||
|
||||
if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
|
||||
|
||||
Reference in New Issue
Block a user