From 0f9b02111026c53b1bb93c69534681b1cbfa8aef13618460d39a78971f9b7b46 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Fri, 7 Nov 2025 23:21:30 +0100 Subject: [PATCH] V8.13.392.2025.11.07 Signed-off-by: Marc S. Weidner --- .../workflows/generate_PRIVATE_trixie_0.yaml | 441 ++++++++++++++++++ .gitea/workflows/generate_PUBLIC_iso.yaml | 411 ++++++++++++++++ .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 55 +-- .gitea/workflows/render-dot-to-png.yaml | 52 +-- lib/lib_primordial.sh | 2 +- 6 files changed, 895 insertions(+), 68 deletions(-) create mode 100644 .gitea/workflows/generate_PRIVATE_trixie_0.yaml create mode 100644 .gitea/workflows/generate_PUBLIC_iso.yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml new file mode 100644 index 0000000..a89bf5e --- /dev/null +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml 
@@ -0,0 +1,441 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.392.2025.11.07
+
+name: πŸ” Generating a Private Live ISO TRIXIE.
+
+permissions:
+ contents: write
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
+
+jobs:
+ generate-private-cdlb-trixie:
+ name: πŸ” Generating a Private Live ISO TRIXIE.
+ runs-on: cdlb.trixie
+
+ container:
+ image: debian:trixie
+
+ defaults:
+ run:
+ shell: bash
+ working-directory: ${{ github.workspace }}
+
+ steps:
+ - name: πŸ•‘ Waiting random time to desynchronize parallel workflows.
+ run: |
+ set -euo pipefail
+ var_wait=$(( RANDOM % 33 ))
+ printf "πŸ•‘ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+ sleep "${var_wait}"
+
+ - name: πŸ”§ Basic Image Setup.
+ run: |
+ set -euo pipefail
+ umask 0022
+
+ echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}"
+ echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+ echo "LC_ALL=C.UTF-8" >> "${GITHUB_ENV}"
+ echo "TZ=UTC" >> "${GITHUB_ENV}"
+ echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}"
+
+ export APT_LISTCHANGES_FRONTEND=none
+ export DEBIAN_FRONTEND=noninteractive
+
+ apt-get update -qq
+ apt-get upgrade -y
+ apt-get install -y --no-install-recommends \
+ apt-utils \
+ bash \
+ bat \
+ ca-certificates \
+ curl \
+ debootstrap \
+ git \
+ gnupg-utils \
+ gnupg \
+ gpg-agent \
+ gpgv \
+ live-build \
+ lsb-release \
+ openssh-client \
+ openssl \
+ perl \
+ pinentry-curses \
+ pinentry-tty \
+ sudo \
+ util-linux \
+ whois
+
+ - name: βš™οΈ Check GnuPG Version.
+ run: |
+ gpg --version
+
+ - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+
+ rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+ ### Private Key
+ echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+ chmod 0600 ~/.ssh/id_ed25519
+
+ ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+ ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+ chmod 0600 ~/.ssh/known_hosts
+
+ ### Generate SSH Config for git.coresecret.dev Custom-Port
+ cat <| ~/.ssh/config
+ Host git.coresecret.dev
+ HostName git.coresecret.dev
+ Port 42842
+ IdentityFile ~/.ssh/id_ed25519
+ StrictHostKeyChecking yes
+ UserKnownHostsFile ~/.ssh/known_hosts
+ EOF
+ chmod 0600 ~/.ssh/config
+
+ ### https://github.com/actions/checkout/issues/1843
+ - name: πŸ”§ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+ env:
+ ### GITHUB_REF_NAME contains the branch name from the push event.
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+ run: |
+ set -euo pipefail
+ git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+ - name: βš™οΈ Init GNUPGHOME.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+ # shellcheck disable=SC2174
+ mkdir -p -m 0700 "${GNUPGHOME}"
+ echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
+ echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+ echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+ echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"
+ gpgconf --reload gpg-agent || true
+
+ - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key.
+ env:
+ PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+ unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+ - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits.
+ run: |
+ set +x
+ set -euo pipefail
+ git config user.name "Marc S. Weidner BOT"
+ git config user.email "msw+bot@coresecret.dev"
+ git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
+ git config commit.gpgsign true
+ git config gpg.program gpg
+ git config gpg.format openpgp
+ git config --get user.signingkey
+
+ - name: βš™οΈ Preparing the build environment.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ mkdir -p /dev/shm/cdlb_secrets
+
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+ echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /dev/shm/cdlb_secrets/password.txt
+ echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /dev/shm/cdlb_secrets/authorized_keys
+ echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+ echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+ echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+ echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+ echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+ echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+ echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
+ echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
+ echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
+ echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+ - name: πŸ”§ Starting CISS.debian.live.builder. This may take about an hour ...
+ run: |
+ set -euo pipefail
+ chmod 0700 ciss_live_builder.sh
+ timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+ ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ ./ciss_live_builder.sh \
+ --architecture amd64 \
+ --autobuild=6.16.3+deb13-amd64 \
+ --build-directory /opt/cdlb \
+ --cdi \
+ --control "${timestamp}" \
+ --debug \
+ --dhcp-centurion \
+ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+ --key_age=keys.txt \
+ --key_luks=luks.txt \
+ --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+ --root-password-file /dev/shm/cdlb_secrets/password.txt \
+ --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+ --signing_key_pass=signing_key_pass.txt \
+ --signing_key=signing_key.asc \
+ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+ --ssh-pubkey /dev/shm/cdlb_secrets \
+ --sshfp \
+ --trixie
+
+ - name: πŸ“₯ Checking Centurion Cloud for existing LIVE ISOs.
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+ run: |
+ set -euo pipefail
+ SHARE_SUBDIR=""
+
+ echo "πŸ“₯ Get directory listing via PROPFIND ..."
+
+ curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+ -o propfind_public.xml
+
+ echo "πŸ“₯ Filter .iso files from the PROPFIND response ..."
+
+ grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
+
+ if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
+ echo "πŸ’‘ Old ISO files found and deleted :"
+
+ while IFS= read -r href; do
+
+ FILE_URL="${NC_BASE}${href}"
+ echo " Delete: ${FILE_URL}"
+
+ if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
+ echo " βœ… Successfully deleted: $(basename "${href}")"
+
+ else
+
+ echo " ❌ Error: $(basename "${href}") could not be deleted"
+
+ fi
+
+ done < public_iso_list.txt
+
+ else
+
+ echo "πŸ’‘ No old ISO files found to delete."
+
+ fi
+
+ - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+ run: |
+ set -euo pipefail
+
+ if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+
+ else
+
+ VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "βœ… ISO file found: ${VAR_ISO_FILE_NAME}"
+
+ fi
+
+ AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
+ if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+ --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
+ echo "βœ… New ISO successfully uploaded."
+
+ else
+
+ echo "❌ Uploading the new ISO failed."
+ exit 1
+
+ fi
+
+ - name: πŸ”‘ Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+ run: |
+ if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+
+ else
+
+ VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "βœ… ISO file found: ${VAR_ISO_FILE_NAME}"
+
+ fi
+
+ VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+ touch "${VAR_ISO_FILE_SHA512}"
+
+ sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
+ SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+ touch "${SIGNATURE_FILE}"
+
+ gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+ timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ VAR_DATE="$(date +%F)"
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+ touch "${PRIVATE_FILE}"
+
+ cat << EOF >| "${PRIVATE_FILE}"
+ # SPDX-Version: 3.0
+ # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
+ # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+ # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+ # SPDX-FileType: SOURCE
+ # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+ # SPDX-PackageName: CISS.debian.live.builder
+ # SPDX-Security-Contact: security@coresecret.eu
+
+ This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+ CISS.debian.live.builder ISO :
+ "${VAR_ISO_FILE_NAME}"
+ CISS.debian.live.builder ISO sha512 :
+ $(< "${VAR_ISO_FILE_SHA512}")
+ CISS.debian.live.builder ISO sha512 sign :
+ $(< "${SIGNATURE_FILE}")
+
+ # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+ EOF
+
+ - name: 🚧 Stash local changes (including untracked).
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Temporarily store any local modifications or untracked files.
+ git stash push --include-untracked -m "ci-temp" || echo "βœ”οΈ Nothing to stash."
+
+ - name: πŸ”„ Sync with remote before commit using merge strategy.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+
+ echo "πŸ”„ Fetching origin/master ..."
+ git fetch origin master
+
+ echo "πŸ” Merging origin/master into current branch ..."
+ git merge --no-edit origin/master || echo "βœ”οΈ Already up to date or fast-forward."
+
+ echo "πŸ“‹ Post-merge status :"
+ git status
+ git log --oneline -n 5
+
+ - name: πŸ”§ Restore stashed changes.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Apply previously stashed changes.
+ git stash pop || echo "βœ”οΈ Nothing to pop."
+
+ - name: πŸ“¦ Stage generated files.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+ git add "${PRIVATE_FILE}" || echo "βœ”οΈ Nothing to add."
+
+ - name: πŸ”‘ Commit and sign changes with CI metadata.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+
+ if git diff --cached --quiet; then
+
+ echo "βœ”οΈ No staged changes to commit."
+
+ else
+
+ echo "πŸ“ Committing changes with GPG signature ..."
+
+ ### CI Metadata
+ TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+ HOSTNAME="$(hostname -f || hostname)"
+ GIT_SHA="$(git rev-parse --short HEAD)"
+ GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+ WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
+ CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+ COMMIT_MSG="DEPLOY BOT : πŸ” Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
+
+ ${CI_HEADER}
+
+ Generated at : ${TIMESTAMP_UTC}
+ Runner Host : ${HOSTNAME}
+ Workflow ID : ${WORKFLOW_ID}
+ Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
+ "
+
+ echo "πŸ” Commit message :"
+ echo "${COMMIT_MSG}"
+ git commit -S -m "${COMMIT_MSG}"
+
+ fi
+
+ - name: πŸ” Push back to repository.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ echo "πŸ“€ Pushing changes to ${GITHUB_REF_NAME} ..."
+ git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
new file mode 100644
index 0000000..e594cc9
--- /dev/null
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
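Review bot: In the WebDAV upload step the line `if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"` has no trailing backslash, so bash closes the condition there and runs `--upload-file …` as a second command; the `if` then tests a 'command not found' rather than the upload and the step always takes the failure branch (unless a `\` was lost in rendering — the PROPFIND call earlier in the file keeps its continuation). Append ` \` to that line; the same two lines appear in generate_PUBLIC_iso.yaml. Separately, 'Preparing the build environment' writes each secret with `echo "${{ secrets.X }}" >| file`, which expands the secret into the script text itself and appends a newline to the root password; the 'Importing the CI PGP DEPLOY ONLY key' step already shows the safer pattern (an `env:` entry plus `printf '%s' "${VAR}"`) and the twelve writes should follow it. Finally, running `ssh-keyscan` to fill known_hosts immediately before the clone reduces `StrictHostKeyChecking yes` to a check against whatever answered at that moment; pinning the expected host key line as a repository variable or an in-file constant would give the option its meaning.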
@@ -0,0 +1,411 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.392.2025.11.07
+
+name: πŸ’™ Generating a PUBLIC Live ISO.
+
+permissions:
+ contents: write
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+ generate-public-cdlb-trixie:
+ name: πŸ’™ Generating a PUBLIC Live ISO.
+ runs-on: cdlb.trixie
+
+ container:
+ image: debian:trixie
+
+ defaults:
+ run:
+ shell: bash
+ working-directory: ${{ github.workspace }}
+
+ steps:
+ - name: πŸ•‘ Waiting random time to desynchronize parallel workflows.
+ run: |
+ set -euo pipefail
+ var_wait=$(( RANDOM % 33 ))
+ printf "πŸ•‘ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+ sleep "${var_wait}"
+
+ - name: πŸ”§ Basic Image Setup.
+ run: |
+ set -euo pipefail
+ umask 0022
+
+ echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}"
+ echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+ echo "LC_ALL=C.UTF-8" >> "${GITHUB_ENV}"
+ echo "TZ=UTC" >> "${GITHUB_ENV}"
+ echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}"
+
+ export APT_LISTCHANGES_FRONTEND=none
+ export DEBIAN_FRONTEND=noninteractive
+
+ apt-get update -qq
+ apt-get upgrade -y
+ apt-get install -y --no-install-recommends \
+ apt-utils \
+ bash \
+ bat \
+ ca-certificates \
+ curl \
+ debootstrap \
+ git \
+ gnupg-utils \
+ gnupg \
+ gpg-agent \
+ gpgv \
+ live-build \
+ lsb-release \
+ openssh-client \
+ openssl \
+ perl \
+ pinentry-curses \
+ pinentry-tty \
+ sudo \
+ util-linux \
+ whois
+
+ - name: βš™οΈ Check GnuPG Version.
+ run: |
+ gpg --version
+
+ - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+
+ rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+ ### Private Key
+ echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+ chmod 0600 ~/.ssh/id_ed25519
+
+ ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+ ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+ chmod 0600 ~/.ssh/known_hosts
+
+ ### Generate SSH Config for git.coresecret.dev Custom-Port
+ cat <| ~/.ssh/config
+ Host git.coresecret.dev
+ HostName git.coresecret.dev
+ Port 42842
+ IdentityFile ~/.ssh/id_ed25519
+ StrictHostKeyChecking yes
+ UserKnownHostsFile ~/.ssh/known_hosts
+ EOF
+ chmod 0600 ~/.ssh/config
+
+ ### https://github.com/actions/checkout/issues/1843
+ - name: πŸ”§ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+ env:
+ ### GITHUB_REF_NAME contains the branch name from the push event.
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+ run: |
+ set -euo pipefail
+ git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+ - name: βš™οΈ Init GNUPGHOME.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+ # shellcheck disable=SC2174
+ mkdir -p -m 0700 "${GNUPGHOME}"
+ echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
+ echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+ echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+ echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"
+ gpgconf --reload gpg-agent || true
+
+ - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key.
+ env:
+ PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+ unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+ - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits.
+ run: |
+ set +x
+ set -euo pipefail
+ git config user.name "Marc S. Weidner BOT"
+ git config user.email "msw+bot@coresecret.dev"
+ git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
+ git config commit.gpgsign true
+ git config gpg.program gpg
+ git config gpg.format openpgp
+ git config --get user.signingkey
+
+ - name: βš™οΈ Preparing the build environment.
+ run: |
+ set +x
+ set -euo pipefail
+ umask 0077
+ mkdir -p /dev/shm/cdlb_secrets
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+ echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
+ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
+
+
+ - name: πŸ”§ Starting CISS.debian.live.builder. This may take about an hour ...
+ run: |
+ set -euo pipefail
+ chmod 0700 ciss_live_builder.sh
+ timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+ ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ ./ciss_live_builder.sh \
+ --architecture amd64 \
+ --autobuild=6.16.3+deb13-amd64 \
+ --build-directory /opt/cdlb \
+ --cdi \
+ --control "${timestamp}" \
+ --debug \
+ --root-password-file /dev/shm/cdlb_secrets/password.txt \
+ --ssh-port 42137 \
+ --ssh-pubkey /dev/shm/cdlb_secrets \
+ --trixie
+
+ - name: πŸ“₯ Checking Centurion Cloud for existing LIVE ISOs.
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+ run: |
+ set -euo pipefail
+ SHARE_SUBDIR=""
+
+ echo "πŸ“₥ Get directory listing via PROPFIND ..."
+
+ curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+ -o propfind_public.xml
+
+ echo "πŸ“₥ Filter .iso files from the PROPFIND response ..."
+
+ grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
+
+ if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
+ echo "πŸ’‘ Old ISO files found and deleted :"
+
+ while IFS= read -r href; do
+
+ FILE_URL="${NC_BASE}${href}"
+ echo " Delete: ${FILE_URL}"
+
+ if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
+ echo " βœ… Successfully deleted: $(basename "${href}")"
+
+ else
+
+ echo " ❌ Error: $(basename "${href}") could not be deleted"
+
+ fi
+
+ done < public_iso_list.txt
+
+ else
+
+ echo "πŸ’‘ No old ISO files found to delete."
+
+ fi
+
+ - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+ run: |
+ set -euo pipefail
+
+ if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+
+ else
+
+ VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "βœ… ISO file found: ${VAR_ISO_FILE_NAME}"
+
+ fi
+
+ AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
+ if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+ --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
+ echo "βœ… New ISO successfully uploaded."
+
+ else
+
+ echo "❌ Uploading the new ISO failed."
+ exit 1
+
+ fi
+
+ - name: πŸ”‘ Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+ run: |
+ if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+
+ else
+
+ VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "βœ… ISO file found: ${VAR_ISO_FILE_NAME}"
+
+ fi
+
+ VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+ touch "${VAR_ISO_FILE_SHA512}"
+
+ sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
+ SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+ touch "${SIGNATURE_FILE}"
+
+ gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+ timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ VAR_DATE="$(date +%F)"
+ PRIVATE_FILE="LIVE_ISO.public"
+ touch "${PRIVATE_FILE}"
+
+ cat << EOF >| "${PRIVATE_FILE}"
+ # SPDX-Version: 3.0
+ # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
+ # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+ # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+ # SPDX-FileType: SOURCE
+ # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+ # SPDX-PackageName: CISS.debian.live.builder
+ # SPDX-Security-Contact: security@coresecret.eu
+
+ This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+ CISS.debian.live.builder ISO :
+ "${VAR_ISO_FILE_NAME}"
+ CISS.debian.live.builder ISO sha512 :
+ $(< "${VAR_ISO_FILE_SHA512}")
+ CISS.debian.live.builder ISO sha512 sign :
+ $(< "${SIGNATURE_FILE}")
+
+ # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+ EOF
+
+ - name: 🚧 Stash local changes (including untracked).
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Temporarily store any local modifications or untracked files.
+ git stash push --include-untracked -m "ci-temp" || echo "βœ”οΈ Nothing to stash."
+
+ - name: πŸ”„ Sync with remote before commit using merge strategy.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+
+ echo "πŸ”„ Fetching origin/master ..."
+ git fetch origin master
+
+ echo "πŸ” Merging origin/master into current branch ..."
+ git merge --no-edit origin/master || echo "βœ”οΈ Already up to date or fast-forward."
+
+ echo "πŸ“‹ Post-merge status :"
+ git status
+ git log --oneline -n 5
+
+ - name: πŸ”§ Restore stashed changes.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Apply previously stashed changes.
+ git stash pop || echo "βœ”οΈ Nothing to pop."
+
+ - name: πŸ“¦ Stage generated files.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ PRIVATE_FILE="LIVE_ISO.public"
+ git add "${PRIVATE_FILE}" || echo "βœ”οΈ Nothing to add."
+
+ - name: πŸ”‘ Commit and sign changes with CI metadata.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+
+ if git diff --cached --quiet; then
+
+ echo "βœ”οΈ No staged changes to commit."
+
+ else
+
+ echo "πŸ“ Committing changes with GPG signature ..."
+
+ ### CI Metadata
+ TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+ HOSTNAME="$(hostname -f || hostname)"
+ GIT_SHA="$(git rev-parse --short HEAD)"
+ GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+ WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
+ CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+ COMMIT_MSG="DEPLOY BOT : πŸ’™ Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+ ${CI_HEADER}
+
+ Generated at : ${TIMESTAMP_UTC}
+ Runner Host : ${HOSTNAME}
+ Workflow ID : ${WORKFLOW_ID}
+ Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
+ "
+
+ echo "πŸ” Commit message :"
+ echo "${COMMIT_MSG}"
+ git commit -S -m "${COMMIT_MSG}"
+
+ fi
+
+ - name: πŸ” Push back to repository.
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ echo "πŸ“€ Pushing changes to ${GITHUB_REF_NAME} ..."
+ git push origin HEAD:${GITHUB_REF_NAME} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 52a695c..ba279c1 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -88,7 +88,7 @@ jobs: set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(PWD)/.gnupg" - mkdir -m 700 "${GNUPGHOME}" + mkdir -m 0700 "${GNUPGHOME}" echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc gpg --batch --import ci-bot.sec.asc ### Trust the key automatically diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index fab6f6e..5dcac36 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -28,15 +28,23 @@ jobs: name: πŸ›‘οΈ Retrieve DNSSEC status of coresecret.dev. runs-on: ubuntu-latest - steps: - - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + defaults: + run: shell: bash + working-directory: ${{ github.workspace }} + + steps: + - name: πŸ•‘ Waiting random time to desynchronize parallel workflows. run: | set -euo pipefail var_wait=$(( RANDOM % 33 )) - printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" + printf "πŸ•‘ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" sleep "${var_wait}" + - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + run: | + set +x + set -euo pipefail rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key 
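Review bot: The 'Preparing the build environment' step in generate_PUBLIC_iso.yaml embeds the root password and an authorized_keys entry as string literals, so the password is now part of the repository history and is shared by every machine booted from the public ISO. If a fixed, publicly known credential is the intent for a PUBLIC_ONLY image, state that next to the line, e.g. `### Deliberately public: every PUBLIC ISO ships this root password and key.`; otherwise source it from a repository secret the way generate_PRIVATE_trixie_0.yaml does with `echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /dev/shm/cdlb_secrets/password.txt`. Moving it to a secret keeps it out of git but not out of the ISO itself, so the comment is worth having either way. The two-line `if curl … --upload-file` continuation defect raised on generate_PRIVATE_trixie_0.yaml is present in this file's upload step as well.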
@@ -59,30 +67,20 @@ jobs: chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - - name: πŸ› οΈ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. - shell: bash + - name: πŸ”§ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | set -euo pipefail git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . - git fetch --unshallow || echo "Nothing to fetch - already full clone." - - - name: πŸ› οΈ Cleaning the workspace. - shell: bash - run: | - set -euo pipefail - git reset --hard - git clean -fd - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key. - shell: bash run: | set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. - export GNUPGHOME="$(pwd)/.gnupg" - mkdir -m 700 "${GNUPGHOME}" + export GNUPGHOME="$(PWD)/.gnupg" + mkdir -m 0700 "${GNUPGHOME}" echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc gpg --batch --import ci-bot.sec.asc ### Trust the key automatically @@ -90,10 +88,9 @@ jobs: echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits. - shell: bash run: | set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" + export GNUPGHOME="$(PWD)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config commit.gpgsign true 
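Review bot: The edit from `export GNUPGHOME="$(pwd)/.gnupg"` to `export GNUPGHOME="$(PWD)/.gnupg"` in the 'Importing the CI PGP DEPLOY ONLY key' step replaces a working command substitution with a substitution of a command named `PWD`, which does not exist; because `export` reports its own status the failure is not caught by `set -e`, GNUPGHOME resolves to `/.gnupg`, and the following `mkdir -m 0700 "${GNUPGHOME}"` runs against the filesystem root. The intended form is the parameter expansion `export GNUPGHOME="${PWD}/.gnupg"` (the new generate_* workflows already use `${PWD}`) or simply the original `$(pwd)`. The same replacement appears in the 'Configuring Git', 'Sync with remote' and 'Commit and sign' hunks of this file and in both hunks shown for render-dot-to-png.yaml; the context line in linter_char_scripts.yaml shows the same `$(PWD)` form pre-existing there, so that file likely needs the fix too.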
@@ -101,38 +98,32 @@ jobs: git config gpg.format openpgp - name: βš™οΈ Convert APT sources to HTTPS. - shell: bash run: | set -euo pipefail sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true - - name: πŸ› οΈ Install DNSViz. - shell: bash + - name: πŸ”§ Install DNSViz. run: | sudo apt-get update sudo apt-get install -y dnsviz - name: βš™οΈ Ensure docs/SECURITY/ directory exists. - shell: bash run: | mkdir -p docs/SECURITY/ rm -f docs/SECURITY/coresecret.dev.png - - name: πŸ› οΈ Prepare DNS Cache. - shell: bash + - name: πŸ”§ Prepare DNS Cache. run: | sudo apt-get install -y dnsutils dig +dnssec +multi coresecret.dev @8.8.8.8 - - name: πŸ› οΈ Retrieve Zone Dump and generate .png Visualization. - shell: bash + - name: πŸ”§ Retrieve Zone Dump and generate .png Visualization. run: | dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png - name: 🚧 Stash local changes (including untracked). - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | @@ -141,12 +132,11 @@ jobs: git stash push --include-untracked -m "ci-temp" || echo "βœ”οΈ Nothing to stash." - name: πŸ”„ Sync with remote before commit using merge strategy. - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" + export GNUPGHOME="$(PWD)/.gnupg" echo "πŸ”„ Fetching origin/master ..." git fetch origin master @@ -158,8 +148,7 @@ jobs: git status git log --oneline -n 5 - - name: πŸ› οΈ Restore stashed changes. - shell: bash + - name: πŸ”§ Restore stashed changes. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | 
@@ -168,7 +157,6 @@ jobs:
 git stash pop || echo "βœ”οΈ Nothing to pop."
 - name: πŸ“¦ Stage generated files.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
@@ -176,12 +164,11 @@ jobs:
 git add docs/SECURITY/*.png || echo "βœ”οΈ Nothing to add."
 - name: πŸ”‘ Commit and sign changes with CI metadata.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
 set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
+ export GNUPGHOME="$(PWD)/.gnupg"
 if git diff --cached --quiet; then
 echo "βœ”οΈ No staged changes to commit."
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index f7ee61b..ac0fff9 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -29,15 +29,23 @@ jobs:
 name: πŸ” Render Graphviz Diagrams.
 runs-on: ubuntu-latest
- steps:
- - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ defaults:
+ run:
 shell: bash
+ working-directory: ${{ github.workspace }}
+
+ steps:
+ - name: πŸ•‘ Waiting random time to desynchronize parallel workflows.
 run: |
 set -euo pipefail
 var_wait=$(( RANDOM % 33 ))
- printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+ printf "πŸ•‘ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
 sleep "${var_wait}"
+ - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ set +x
+ set -euo pipefail
 rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 ### Private Key
@@ -60,30 +68,20 @@ jobs:
 chmod 0600 ~/.ssh/config
 ### https://github.com/actions/checkout/issues/1843
- - name: πŸ› οΈ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
- shell: bash
+ - name: πŸ”§ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
 env:
 ### GITHUB_REF_NAME contains the branch name from the push event.
 GITHUB_REF_NAME: ${{ github.ref_name }}
 run: |
 set -euo pipefail
 git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
- git fetch --unshallow || echo "Nothing to fetch - already full clone."
- - name: πŸ› οΈ Cleaning the workspace.
- shell: bash
- run: |
- set -euo pipefail
- git reset --hard
- git clean -fd
 - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key.
- shell: bash
 run: |
 set -euo pipefail
 ### GPG-Home relative to the Runner Workspace to avoid changing global files.
- export GNUPGHOME="$(pwd)/.gnupg"
- mkdir -m 700 "${GNUPGHOME}"
+ export GNUPGHOME="$(PWD)/.gnupg"
+ mkdir -m 0700 "${GNUPGHOME}"
 echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
 gpg --batch --import ci-bot.sec.asc
 ### Trust the key automatically
@@ -91,10 +89,9 @@ jobs:
 echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits.
- shell: bash
 run: |
 set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
+ export GNUPGHOME="$(PWD)/.gnupg"
 git config user.name "Marc S. Weidner BOT"
 git config user.email "msw+bot@coresecret.dev"
 git config commit.gpgsign true
@@ -102,21 +99,18 @@ jobs:
 git config gpg.format openpgp
 - name: βš™οΈ Convert APT sources to HTTPS.
- shell: bash
 run: |
 set -euo pipefail
 sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
 sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- - name: πŸ› οΈ Install Graphviz.
- shell: bash
+ - name: πŸ”§ Install Graphviz.
 run: |
 set -euo pipefail
 sudo apt-get update
 sudo apt-get install -y graphviz
- - name: πŸ› οΈ Render all .dot / .gv to PNG.
- shell: bash
+ - name: πŸ”§ Render all .dot / .gv to PNG.
 run: |
 set -euo pipefail
 find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
@@ -125,7 +119,6 @@ jobs:
 done
 - name: 🚧 Stash local changes (including untracked).
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
@@ -134,12 +127,11 @@ jobs:
 git stash push --include-untracked -m "ci-temp" || echo "βœ”οΈ Nothing to stash."
 - name: πŸ”„ Sync with remote before commit using merge strategy.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
 set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
+ export GNUPGHOME="$(PWD)/.gnupg"
 echo "πŸ”„ Fetching origin/master ..."
 git fetch origin master
@@ -151,8 +143,7 @@ jobs:
 git status
 git log --oneline -n 5
- - name: πŸ› οΈ Restore stashed changes.
- shell: bash
+ - name: πŸ”§ Restore stashed changes.
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
@@ -161,7 +152,6 @@ jobs:
 git stash pop || echo "βœ”οΈ Nothing to pop."
 - name: πŸ“¦ Stage generated files.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
@@ -169,12 +159,11 @@ jobs:
 git add *.png || echo "βœ”οΈ Nothing to add."
 - name: πŸ”‘ Commit and sign changes with CI metadata.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
 set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
+ export GNUPGHOME="$(PWD)/.gnupg"
 if git diff --cached --quiet; then
 echo "βœ”οΈ No staged changes to commit."
@@ -205,7 +194,6 @@ jobs:
 fi
 - name: πŸ” Push back to repository.
- shell: bash
 env:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index b50eef6..611a70b 100644
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -46,7 +46,7 @@ init_primordial() {
 fi
- ### Check for SSH CISS and PhysNet primordial-workflowβ„’ integration ----------------------------------------------------------
+ ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
 if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
 if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then