diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index 2f4a4b1..dbfc567 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu
build:
- counter: 1023
+ counter: 1024
version: V8.13.392.2025.11.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index ec3f06e..9630761 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -16,6 +16,7 @@ name: 🔐 Generating a Private Live ISO TRIXIE.
defaults:
run:
shell: bash
+ working-directory: ${{ github.workspace }}
permissions:
contents: write
@@ -35,11 +36,6 @@ jobs:
container:
image: debian:trixie
- defaults:
- run:
- shell: bash
- working-directory: ${{ github.workspace }}
-
steps:
- name: 🕑 Waiting random time to desynchronize parallel workflows.
run: |
@@ -138,6 +134,7 @@ jobs:
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+ echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"
gpgconf --reload gpg-agent || true
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index f7441f3..ae6692c 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -23,6 +23,11 @@ name: 🛡️ Shell Script Linting
+defaults:
+ run:
+ shell: bash
+ working-directory: ${{ github.workspace }}
+
on:
push:
branches:
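Review bot: The new `echo "trust-model always" >> "${GNUPGHOME}/gpg.conf"` makes gpg treat every key in that keyring as fully trusted, so the only thing keeping it safe is that `${GNUPGHOME}` is a fresh directory holding nothing but the CI deploy key imported in the next step; whether the directory is created fresh each run is not visible in this hunk, so confirm it before relying on blanket trust on a persistent runner. The line also appends with `>>` while the gpg-agent.conf on the line above is created with `>|`, so a reused GNUPGHOME would keep stale config; writing it as the linter workflow in this same commit does, `echo 'trust-model always' >| "${GNUPGHOME}/gpg.conf"`, gives a deterministic file. Add a comment above it such as `### Blanket trust is acceptable only because this GNUPGHOME contains just the CI deploy key.` so the next maintainer does not copy the setting into a shared keyring. The step body begins outside the hunk.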
@@ -37,14 +42,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
- shell: bash
+ - name: 🕑 Waiting random time to desynchronize parallel workflows.
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
- printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+ printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
+ - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ set +x
+ set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
@@ -67,25 +75,15 @@ jobs:
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
- shell: bash
+ - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
- git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
- - name: 🛠️ Cleaning the workspace.
- shell: bash
- run: |
- set -euo pipefail
- git reset --hard
- git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
- shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
@@ -98,7 +96,6 @@ jobs:
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
- shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(PWD)/.gnupg"
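Review bot: The added `set +x` at the top of the "Preparing SSH Setup" step is a no-op: a fresh `run:` shell has xtrace off already, so the line reads as if it shielded the deploy key from the job log while providing no protection, and any `echo` of the secret later in the step would still be logged. Either drop the line or replace it with a comment that states the rule the step actually follows, e.g. `### Never echo or trace the deploy key; only redirect it into ~/.ssh/.`; the lines that write the key are outside this hunk, so I cannot confirm which mechanism they use. Moving the random wait into its own step is fine as written.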
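Review bot: `export GNUPGHOME="$(PWD)/.gnupg"` on the last line of the hunk runs a command named `PWD`, not the `pwd` builtin or the `${PWD}` variable; unless the runner happens to ship such an executable, the substitution prints "command not found" and expands to empty, and because `export` masks the substitution's exit status even under `set -e`, GNUPGHOME silently becomes `/.gnupg`, a different directory from the one the import step populated, so signing would fail or use the wrong keyring. Use `export GNUPGHOME="${PWD}/.gnupg"` or `"${GITHUB_WORKSPACE}/.gnupg"`, and preferably have the import step publish the path through `${GITHUB_ENV}` the way the generate workflow in this commit does, so the two steps cannot disagree. The step's remaining `git config` lines are outside the hunk.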
@@ -109,22 +106,19 @@ jobs:
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
- shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- - name: 🛠️ Install dependencies.
- shell: bash
+ - name: 🔧 Install dependencies.
run: |
### Install grep with Perl-regex support, falls noch nicht vorhanden
- apt-get update
+ apt-get update -qq
apt-get upgrade -y
apt-get install -y grep
- name: 🔍 Lint shell scripts
- shell: bash
run: |
# -------------------------------
# STEP 1: Find target files.
@@ -254,7 +248,6 @@ jobs:
fi
- name: 🚧 Stash local changes (including untracked).
- shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -263,7 +256,6 @@ jobs:
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
- shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -280,8 +272,7 @@ jobs:
git status
git log --oneline -n 5
- - name: 🛠️ Restore stashed changes.
- shell: bash
+ - name: 🔧 Restore stashed changes.
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -290,7 +281,6 @@ jobs:
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
- shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -299,7 +289,6 @@ jobs:
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
- shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -335,7 +324,6 @@ jobs:
fi
- name: 🔁 Push back to repository.
- shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh
index 21ada61..22f4f09 100644
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
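Review bot: The "Convert APT sources to HTTPS" step that the renamed install step depends on only rewrites `/etc/apt/sources.list` and `*.list`; if `ubuntu-latest` resolves to an Ubuntu 24.04 image, the archive entries live in the deb822 file `/etc/apt/sources.list.d/ubuntu.sources`, which neither sed touches, and the `|| true` hides the non-match, so the following `apt-get update -qq` / `apt-get upgrade -y` would still fetch over plain HTTP. Add `sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/ubuntu.sources || true` alongside the existing two lines, or verify the image's source format before relying on this step. The install step is also the only one in the hunk without `set -euo pipefail`, and its comment mixes languages; `### Install grep with Perl-regex support, if not already present` keeps it consistent with the rest of the file.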
@@ -54,6 +54,7 @@ init_gnupg() {
cat << EOF >| "${GNUPGHOME}/gpg-agent.conf"
allow-loopback-pinentry
pinentry-program /usr/bin/pinentry-tty
+trust-model always
EOF
if ! gpgconf --launch gpg-agent 2>&1; then
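Review bot: `trust-model always` is a gpg option, not a gpg-agent option, so adding it to the `gpg-agent.conf` heredoc puts it in the wrong file; gpg-agent rejects options it does not recognize, which makes the `gpgconf --launch gpg-agent` check that follows likely to fail, while gpg itself keeps its default trust model. Keep the heredoc to the two agent options and write the setting to gpg's own config before the launch, e.g. `echo 'trust-model always' >| "${GNUPGHOME}/gpg.conf"`, which matches what the generate and linter workflows in this same commit do. Since blanket trust accepts every key in the keyring, a one-line comment stating that `${GNUPGHOME}` is a fresh, single-key directory would document why it is acceptable here; whether `init_gnupg` creates it fresh is not visible in the hunk. `init_gnupg()` continues outside the hunk.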