V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-07 23:21:30 +01:00
parent 33f2337bed
commit 0f9b021110
6 changed files with 895 additions and 68 deletions
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -28,15 +28,23 @@ jobs:
    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest

-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"

+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
@@ -59,30 +67,20 @@ jobs:
          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -90,10 +88,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -101,38 +98,32 @@ jobs:
          git config gpg.format openpgp

      - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true

-      - name: 🛠️ Install DNSViz.
-        shell: bash
+      - name: 🔧 Install DNSViz.
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz

      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
-        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png

-      - name: 🛠️ Prepare DNS Cache.
-        shell: bash
+      - name: 🔧 Prepare DNS Cache.
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8

-      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
-        shell: bash
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -141,12 +132,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -158,8 +148,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -168,7 +157,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -176,12 +164,11 @@ jobs:
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."