diff --git a/.gitea/workflows/generate-iso.yaml b/.gitea/workflows/generate-iso.yaml index 389c132..1cb9034 100644 --- a/.gitea/workflows/generate-iso.yaml +++ b/.gitea/workflows/generate-iso.yaml @@ -62,12 +62,12 @@ jobs: wget \ whois - - name: Check GnuPG Version. + - name: βš™οΈ Check GnuPG Version. shell: bash run: | gpg --version - - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. shell: bash run: | rm -rf ~/.ssh && mkdir -m700 ~/.ssh @@ -92,7 +92,7 @@ jobs: chmod 600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues. + - name: πŸ› οΈ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. shell: bash env: ### GITHUB_REF_NAME contains the branch name from the push event. @@ -101,15 +101,16 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: Cleaning the workspace. + - name: πŸ› οΈ Cleaning the workspace. shell: bash run: | git reset --hard git clean -fd - - name: Importing the 'CI PGP DEPLOY ONLY' key. + - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key. shell: bash run: | + set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" @@ -119,9 +120,10 @@ jobs: KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - - name: Configuring Git for signed CI/DEPLOY commits. + - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits. shell: bash run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" 
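Review bot: `set -euo pipefail` is now in force for the key-import step, but `KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')` (first context line of the following hunk, same step) is still never validated: with no public key in the fresh GNUPGHOME it is empty, and with more than one it holds several newline-separated IDs, and neither case trips `-u` or `-e`. Where KEY_ID is consumed is not visible here (presumably a later `git config user.signingkey`), so a bad value would only surface as a signing failure or as a signature made with an unintended key. Add a guard right after the assignment, e.g. `[[ -n "${KEY_ID}" && "${KEY_ID}" != *$'\n'* ]] || { echo "expected exactly one imported key"; exit 1; }`. The import command itself lies between the two hunks.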
@@ -129,9 +131,10 @@ jobs: git config gpg.program gpg git config gpg.format openpgp - - name: Preparing the build environment. + - name: βš™οΈ Preparing the build environment. shell: bash run: | + set -euo pipefail mkdir -p /opt/config mkdir -p /opt/livebuild touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt @@ -139,9 +142,10 @@ jobs: echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys - - name: Starting CISS.debian.live.builder. This may take a while ... + - name: πŸ› οΈ Starting CISS.debian.live.builder. This may take a while ... shell: bash run: | + set -euo pipefail chmod 0755 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. @@ -158,7 +162,7 @@ jobs: --ssh-port 42842 \ --ssh-pubkey /opt/config - - name: Checking Centurion Cloud for existing LIVE ISOs. + - name: πŸ“₯ Checking Centurion Cloud for existing LIVE ISOs. shell: bash env: NC_BASE: "https://cloud.e2ee.li" @@ -168,7 +172,7 @@ jobs: set -euo pipefail SHARE_SUBDIR="" - echo "Get directory listing via PROPFIND ..." + echo "πŸ“₯ Get directory listing via PROPFIND ..." curl -s \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \ -X PROPFIND \ @@ -176,11 +180,11 @@ jobs: "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ -o propfind_public.xml - echo "Filter .iso files from the PROPFIND response ..." + echo "πŸ“₯ Filter .iso files from the PROPFIND response ..." grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then - echo "Old ISO files found and deleted :" + echo "ℹ️ Old ISO files found and deleted :" while IFS= read -r href; do FILE_URL="${NC_BASE}${href}" echo " Delete: ${FILE_URL}" 
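Review bot: The build-environment step still expands `${{ secrets.CISS_DLB_ROOT_PWD }}` and `${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}` straight into the `run:` script text (the `echo ... >| /opt/config/...` lines in the next hunk), while the WebDAV steps in this same file already pass their credentials through `env:`. Inline expansion bakes the secret into the script the runner executes, and a value containing `"` or `$` would break the quoting, so routing both through `env:` and writing them with `printf '%s\n'` (which, unlike `echo`, will not treat a leading `-` as an option) is the safer form and keeps the step consistent with the `SHARE_TOKEN`/`SHARE_PASS` handling below. The step spans this hunk and the next; the `env:` block belongs between the `shell: bash` and `run: |` lines shown here.
```yaml
        shell: bash
        env:
          CISS_DLB_ROOT_PWD: "${{ secrets.CISS_DLB_ROOT_PWD }}"
          CISS_DLB_ROOT_SSH_PUBKEY: "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"
        run: |
          set -euo pipefail
          # … unchanged: mkdir /opt/config and /opt/livebuild, touch/chmod password.txt …
          printf '%s\n' "${CISS_DLB_ROOT_PWD}" >| /opt/config/password.txt
          printf '%s\n' "${CISS_DLB_ROOT_SSH_PUBKEY}" >| /opt/config/authorized_keys
```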
@@ -193,16 +197,17 @@ jobs: fi done < public_iso_list.txt else - echo "No old ISO files found to delete." + echo "ℹ️ No old ISO files found to delete." fi - - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. + - name: πŸ› οΈ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. shell: bash env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" run: | + set -euo pipefail if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 @@ -221,7 +226,7 @@ jobs: exit 1 fi - - name: Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. + - name: πŸ”‘ Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. shell: bash run: | if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then 
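Review bot: `if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]` in the upload step decides "exactly one ISO" by counting lines of `ls` output; the newly added `pipefail` does no harm inside `$( )`, but the check still miscounts any name containing a newline and stays tied to `ls` formatting. A glob into an array is exact and needs no subshell: `shopt -s nullglob; isos=(/opt/livebuild/*.iso); (( ${#isos[@]} == 1 )) || { echo "❌ There must be exactly one .iso file in the directory!"; exit 1; }`. The same check opens the sha512 step in the next hunk; both step bodies continue past the hunk boundary.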
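Review bot: The sha512/signing step is the one step in this file whose `run:` block does not receive `set -euo pipefail` in this commit (`run: |` is followed directly by the `if [[ $(ls ...` check). Without `-e`/`pipefail`, a failing hash or `gpg` invocation later in the body (outside this hunk) would not abort the job, so the success-message file could be written for an ISO whose hash or signature was never actually produced. Adding `set -euo pipefail` as the first line brings it in line with every other step touched here.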
@@ -268,37 +273,75 @@ jobs: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF - - name: Sync with remote before commit to avoid Job Race Conditions. + - name: πŸ”„ Sync with remote before commit using merge strategy. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" + + echo "πŸ”„ Fetching origin/master ..." git fetch origin master - git rebase origin/master + + echo "πŸ” Merging origin/master into current branch ..." + git merge --no-edit origin/master || echo "βœ”οΈ Already up to date or fast-forward." + + echo "πŸ“‹ Post-merge status :" git status git log --oneline -n 5 - - name: Stage generated files. + - name: πŸ“¦ Stage generated files. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | + set -euo pipefail PRIVATE_FILE="LIVE_ISO.private" - git add "${PRIVATE_FILE}" + git add "${PRIVATE_FILE}" || echo "ℹ️ Nothing to add." - - name: Commit and Sign changes. + - name: πŸ”‘ Commit and sign changes with CI metadata. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" - git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit." - - name: Push back to Repository. + if git diff --cached --quiet; then + echo "ℹ️ No staged changes to commit." + else + echo "πŸ“ Committing changes with GPG signature ..." 
+ + ### CI Metadata + TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" + HOSTNAME="$(hostname -f || hostname)" + GIT_SHA="$(git rev-parse --short HEAD)" + GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" + + COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci] + + ${CI_HEADER} + + Generated at: ${TIMESTAMP_UTC} + Runner Host : ${HOSTNAME} + Workflow ID : ${WORKFLOW_ID} + Git Commit : ${GIT_SHA} HEAD β†’ ${GIT_REF} + " + + echo "πŸ” Commit message :" + echo "${COMMIT_MSG}" + git commit -S -m "${COMMIT_MSG}" + fi + + - name: πŸ” Push back to repository. shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | + set -euo pipefail + echo "πŸ“€ Pushing changes to ${GITHUB_REF_NAME} ..." git push origin HEAD:${GITHUB_REF_NAME} # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/render-md-to-html.yaml b/.gitea/workflows/render-md-to-html.yaml index 097149d..6a6ef11 100644 --- a/.gitea/workflows/render-md-to-html.yaml +++ b/.gitea/workflows/render-md-to-html.yaml @@ -30,9 +30,10 @@ jobs: runs-on: ubuntu-latest steps: - - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + - name: βš™οΈ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. shell: bash run: | + set -euo pipefail rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key 
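Review bot: `git merge --no-edit origin/master || echo "βœ”οΈ Already up to date or fast-forward."` switches the new `set -e` off for the one command that matters: an up-to-date or fast-forwarded merge already exits 0, so the fallback only ever fires on a real failure such as a conflict, prints a misleading message and lets the job proceed toward a signed commit. The same pattern on `git add "${PRIVATE_FILE}" || echo "ℹ️ Nothing to add."` hides a missing `LIVE_ISO.private`, since adding an unchanged file is not an error; drop both fallbacks, `git merge --no-edit origin/master` and `git add -- "${PRIVATE_FILE}"`, and let `-e` do its job. In the metadata block, `WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"` defaults to the other workflow's name inside generate-iso.yaml, so `WORKFLOW_ID="${GITHUB_WORKFLOW:-generate-iso.yaml}"`, and `GIT_SHA` is read before `git commit`, so the `Git Commit :` line records the parent rather than the commit being created. Whether the runner's FQDN from `hostname -f` should be written into permanent commit history is worth confirming, and the push step that closes the hunk should quote its ref: `git push origin "HEAD:${GITHUB_REF_NAME}"`.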
@@ -61,18 +62,21 @@ jobs: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | + set -euo pipefail git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - name: πŸ› οΈ Cleaning the workspace. shell: bash run: | + set -euo pipefail git reset --hard git clean -fd - name: βš™οΈ Importing the 'CI PGP DEPLOY ONLY' key. shell: bash run: | + set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" @@ -85,6 +89,7 @@ jobs: - name: βš™οΈ Configuring Git for signed CI/DEPLOY commits. shell: bash run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" @@ -95,12 +100,14 @@ jobs: - name: βš™οΈ Convert APT sources to HTTPS. shell: bash run: | + set -euo pipefail sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true - - name: πŸ› οΈInstall Pandoc & Dependencies. + - name: πŸ› οΈ Install Pandoc & Dependencies. shell: bash run: | + set -euo pipefail sudo apt-get update sudo apt-get install -y pandoc @@ -112,6 +119,7 @@ jobs: #- name: Render *.md to full standalone HTML. # shell: bash # run: | + # set -euo pipefail # find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do # out=$(basename "${file%.md}.html") # pandoc -s "${file}" \ @@ -129,6 +137,7 @@ jobs: - name: πŸ“₯ Extract HTML fragment for Gitea for *.md. shell: bash run: | + set -euo pipefail find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do out="${file%.md}.html" pandoc "${file}" \
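Review bot: With `set -euo pipefail` now heading the APT-sources step, the first `sed -i ... /etc/apt/sources.list` becomes fatal if the file is missing or not writable, while the second `sed` keeps its `|| true`; the package step below uses `sudo apt-get`, which suggests the runner is not root, in which case an unprivileged `sed -i` on `/etc/apt/sources.list` would now abort the job where it previously failed silently. On images whose sources live in the deb822 file `/etc/apt/sources.list.d/ubuntu.sources` (recent Ubuntu releases), `sources.list` may be absent and the `*.list` glob matches nothing, so the HTTPS rewrite would change nothing at all; verify on the actual runner image rather than assume. A loop over the candidate files under `sudo`, skipping ones that do not exist, covers both cases without masking genuine `sed` errors.
```yaml
        run: |
          set -euo pipefail
          shopt -s nullglob
          for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do
            if [[ -f "${f}" ]]; then
              sudo sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' "${f}"
            fi
          done
```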
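Review bot: `find ... -name "README.md" -print | while read file; do` in the fragment-extraction step reads filenames with a bare `read`, which strips backslashes and surrounding whitespace, and newline-separated `-print` output cannot represent a name containing a newline; the sibling workflow already uses the safer `while IFS= read -r href` form. Switch to NUL delimiting: `find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print0 | while IFS= read -r -d '' file; do`. Note also that under the newly added `pipefail` any non-zero exit inside the loop body (which continues past this hunk) now aborts the whole step rather than just that file, which may well be intended but deserves a one-line comment saying so.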