V8.02.768.2025.06.01
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -36,12 +36,13 @@ jobs:
|
||||
- name: Basic Image Setup and enable Bookworm Backports.
|
||||
run: |
|
||||
apt-get update
|
||||
apt-get install -y apt-transport-https apt-utils ca-certificates openssl sudo
|
||||
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
|
||||
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
|
||||
>| /etc/apt/sources.list.d/bookworm-backports.list
|
||||
apt-get update
|
||||
|
||||
- name: Installing Build Tools.
|
||||
shell: bash
|
||||
run: |
|
||||
apt-get update
|
||||
apt-get install -y \
|
||||
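Review bot: The 'Basic Image Setup' step at L7–L28 still runs without `shell: bash`, while this hunk adds `shell: bash` to the 'Installing Build Tools' step below it; both steps use the same `>|` and `apt-get` idioms, so the first one should carry the same `shell: bash` line so that its failure handling does not depend on the runner's default shell. The rendered order of the `run:` and `shell:` keys on this page is not reliable, so confirm the placement in the real YAML. `apt-transport-https` is a transitional package on bookworm (apt speaks HTTPS natively) and could be dropped from both install lines, though keeping it is harmless.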
@@ -63,9 +64,11 @@ jobs:
|
||||
|
||||
- name: Check GnuPG Version.
|
||||
run: |
|
||||
shell: bash
|
||||
gpg --version
|
||||
|
||||
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
shell: bash
|
||||
run: |
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
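Review bot: `rm -rf ~/.ssh && mkdir -m700 ~/.ssh` at L76 wipes the runner account's real SSH directory, which on a persistent or shared runner destroys any keys and known_hosts that other jobs on that account rely on. A per-run directory is safer, e.g. `SSH_DIR="${RUNNER_TEMP:-$(pwd)}/.ssh"` with `mkdir -m 700 "${SSH_DIR}"`, pointing git at it through `GIT_SSH_COMMAND` with `-i` and `-o UserKnownHostsFile=` (the later steps already set `GIT_SSH_COMMAND: "ssh -p 42842"`, which would carry the extra options); whether the runner provides `RUNNER_TEMP` should be verified. Note also that with `&&` a failing `rm -rf` does not stop the step under `set -e` and silently skips the `mkdir`; two separate lines are clearer. The step body continues outside the hunk.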
@@ -90,6 +93,7 @@ jobs:
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
shell: bash
|
||||
run: |
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
||||
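Review bot: `git fetch --unshallow || echo "Nothing to fetch - already full clone."` at L101 reports every fetch failure — authentication, host-key and network errors included — as "already full clone", and the `git clone` at L98 has no `--depth`, so it already yields a full clone and the fallback masks more than it helps. Test the state instead: `if [[ "$(git rev-parse --is-shallow-repository)" == true ]]; then git fetch --unshallow; fi`, which lets a genuine fetch error fail the step. The step's `env:` block (L107) lies in the next hunk.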
@@ -98,11 +102,13 @@ jobs:
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
|
||||
- name: Cleaning the workspace.
|
||||
shell: bash
|
||||
run: |
|
||||
git reset --hard
|
||||
git clean -fd
|
||||
|
||||
- name: Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
shell: bash
|
||||
run: |
|
||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
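Review bot: `export GNUPGHOME="$(pwd)/.gnupg"` at L141 places the keyring that will hold the CI deploy private key inside the git working tree; the 'Cleaning the workspace' step at L121–L124 runs `git clean -fd`, which removes untracked directories, so any reordering of these steps (or a `git add -A` anywhere later) would wipe or stage the key. Pointing it at the runner's temp area, `export GNUPGHOME="${RUNNER_TEMP:-$(pwd)}/.gnupg"`, keeps the per-run isolation the L138 comment asks for without living in the checkout; the same export is repeated at L170 and L736 and would need the same change, or a single `echo "GNUPGHOME=…" >> "$GITHUB_ENV"` here. Whether the Gitea runner provides `RUNNER_TEMP` should be verified before relying on it. The step body continues in the next hunk.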
@@ -112,9 +118,9 @@ jobs:
|
||||
### Trust the key automatically
|
||||
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
|
||||
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
||||
shell: bash
|
||||
|
||||
- name: Configuring Git for signed CI/DEPLOY commits.
|
||||
shell: bash
|
||||
run: |
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
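Review bot: `KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')` at L150 prints one line per public key, so `KEY_ID` silently becomes multi-line as soon as the keyring holds more than one key; `awk -F: '$1 == "pub" {print $5; exit}'` pins it to the first key, and reading the `fpr` record instead of field 5 yields the full fingerprint rather than a 64-bit key ID. `echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"` at L153 makes gpg treat every key in this keyring as fully valid, which is acceptable only because the GNUPGHOME is created fresh per run from a single imported key; a comment such as `### trust-model always is safe only while this GNUPGHOME holds just the CI deploy key` records that assumption for the next reader. This hunk starts inside the 'Importing' step body, and the rendered position of `shell: bash` at L156 after the `run:` block should be checked against the real YAML.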
@@ -124,82 +130,55 @@ jobs:
|
||||
git config gpg.format openpgp
|
||||
|
||||
- name: Preparing the build environment.
|
||||
shell: bash
|
||||
run: |
|
||||
mkdir -p opt/config
|
||||
mkdir -p opt/livebuild
|
||||
|
||||
touch opt/config/password.txt && chmod 0600 opt/config/password.txt
|
||||
touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys
|
||||
|
||||
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
|
||||
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
|
||||
|
||||
#mkdir -p opt/livebuild/chroot/dev
|
||||
#mknod opt/livebuild/chroot/dev/null c 1 3
|
||||
#chmod 666 opt/livebuild/chroot/dev/null
|
||||
- name: Preparing Centurion Cloud for LIVE ISO Upload.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
NC_BASE="https://cloud.e2ee.li"
|
||||
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
SHARE_SUBDIR=""
|
||||
|
||||
mkdir -p config/hooks/normal
|
||||
touch config/hooks/normal/0000-fix-dev.chroot
|
||||
chmod 0775 config/hooks/normal/0000-fix-dev.chroot
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
|
||||
cat << 'EOF' >| config/hooks/normal/0000-fix-dev.chroot
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
set -C -e -u -o pipefail
|
||||
if [ ! -e /dev/null ]; then
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] Creating /dev/null manually. \e[0m\n"
|
||||
mknod -m 666 /dev/null c 1 3
|
||||
echo "Get directory listing via PROPFIND ..."
|
||||
curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X PROPFIND \
|
||||
-H "Depth: 1" \
|
||||
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
|
||||
-o propfind_public.xml
|
||||
|
||||
echo "Filter .iso files from the PROPFIND response ..."
|
||||
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
|
||||
|
||||
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
|
||||
echo "Old ISO files found and deleted :"
|
||||
while IFS= read -r href; do
|
||||
FILE_URL="${NC_BASE}${href}"
|
||||
echo " Delete: ${FILE_URL}"
|
||||
if curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X DELETE "${FILE_URL}"; then
|
||||
echo " ✅ Successfully deleted: $(basename "${href}")"
|
||||
else
|
||||
echo " ❌ Error: $(basename "${href}") could not be deleted"
|
||||
fi
|
||||
done < public_iso_list.txt
|
||||
else
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] /dev/null inside chroot present. \e[0m\n"
|
||||
echo "No old ISO files found to delete."
|
||||
fi
|
||||
chmod 666 /dev/null
|
||||
EOF
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
|
||||
ls -l config/hooks/normal/0000-fix-dev.chroot
|
||||
|
||||
###
|
||||
|
||||
mkdir -p config/hooks/early
|
||||
touch config/hooks/early/0000-fix-dev
|
||||
chmod 0775 config/hooks/early/0000-fix-dev
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 'Creating config/hooks/early/0000-fix-dev'. \e[0m\n"
|
||||
cat << 'EOF' >| config/hooks/early/0000-fix-dev
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
set -C -e -u -o pipefail
|
||||
CHROOT="${LB_CHROOT:-chroot}"
|
||||
if [[ ! -e "${CHROOT}/dev/null" ]]; then
|
||||
printf "\e[95m[0000-fix-dev] Creating /dev/null inside chroot manually.\e[0m\n"
|
||||
mkdir -p "${CHROOT}/dev"
|
||||
mknod -m 666 "${CHROOT}/dev/null" c 1 3
|
||||
else
|
||||
printf "\e[92m[0000-fix-dev] /dev/null inside chroot already exists.\e[0m\n"
|
||||
fi
|
||||
chmod 666 "${CHROOT}/dev/null"
|
||||
EOF
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/early/0000-fix-dev'. \e[0m\n"
|
||||
ls -l config/hooks/early/0000-fix-dev
|
||||
###
|
||||
rm -f propfind_public.xml public_iso_list.txt
|
||||
|
||||
- name: Starting CISS.debian.live.builder. This may take a while ...
|
||||
shell: bash
|
||||
run: |
|
||||
chmod 0755 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
|
||||
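Review bot: The secrets at L209, L212, L241 and L244 are spliced into the script text with `${{ secrets.… }}`, so a value containing a double quote, `$(` or a backtick alters or executes as shell code instead of being written to the file; pass them through `env:` (`CISS_DLB_ROOT_PWD: ${{ secrets.CISS_DLB_ROOT_PWD }}`) and write them with `printf '%s\n' "${CISS_DLB_ROOT_PWD}" >| opt/config/password.txt`, and likewise for the `SHARE_TOKEN`/`SHARE_PASS` assignments. The new cleanup step at L226 (the `-X DELETE` loop at L349–L379) now runs before the build starts at L508, whereas the removed version ran after the ISO existed, so a failed build leaves the share with no ISO at all — consider deleting old files only after the upload step has succeeded. `curl -s` without `--fail` exits 0 on an HTTP 4xx/5xx, so the `if curl … -X DELETE` branch at L358 prints "✅ Successfully deleted" for a 403 or 404 and the PROPFIND at L315 writes an error page into propfind_public.xml; `curl -sS --fail` covers both. As rendered, the cleanup step's lines appear interleaved with the `0000-fix-dev.chroot` heredoc (L303–L394); this looks like a display artifact of the old and new sides, but confirm the hook file in the repository does not actually contain the curl lines.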
@@ -225,42 +204,8 @@ jobs:
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
fi
|
||||
|
||||
- name: Preparing Centurion Cloud for LIVE ISO Upload.
|
||||
run: |
|
||||
NC_BASE="https://cloud.e2ee.li"
|
||||
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
SHARE_SUBDIR=""
|
||||
echo "Get directory listing via PROPFIND ..."
|
||||
curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X PROPFIND \
|
||||
-H "Depth: 1" \
|
||||
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
|
||||
-o propfind_public.xml
|
||||
echo "Filter .iso files from the PROPFIND response ..."
|
||||
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt
|
||||
if [[ -s public_iso_list.txt ]]; then
|
||||
echo "Old ISO files found and deleted :"
|
||||
while IFS= read -r href; do
|
||||
FILE_URL="${NC_BASE}${href}"
|
||||
echo " Delete: ${FILE_URL}"
|
||||
curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X DELETE \
|
||||
"${FILE_URL}"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo " ✅ Successfully deleted: $(basename "${href}")"
|
||||
else
|
||||
echo " ❌ Error: $(basename "${href}") could not be deleted"
|
||||
fi
|
||||
done < public_iso_list.txt
|
||||
else
|
||||
echo "No old ISO files found to delete."
|
||||
fi
|
||||
rm -f propfind_public.xml public_iso_list.txt
|
||||
|
||||
- name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
|
||||
shell: bash
|
||||
run: |
|
||||
curl --progress-bar \
|
||||
--retry 2 \
|
||||
@@ -275,6 +220,7 @@ jobs:
|
||||
fi
|
||||
|
||||
- name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
|
||||
shell: bash
|
||||
run: |
|
||||
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512"
|
||||
sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
|
||||
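Review bot: `sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"` at L673 stores the bare digest, so a downloader cannot run `sha512sum -c` against the published file and has to compare hashes by eye; writing `(cd "$(dirname "${VAR_ISO_FILE_PATH}")" && sha512sum "$(basename "${VAR_ISO_FILE_PATH}")") >| "${VAR_ISO_FILE_SHA512}"` keeps the standard `<hash>  <filename>` format. The digest is taken over `${VAR_ISO_FILE}` while the output name derives from `${VAR_ISO_FILE_PATH}` (L670); if those two do not refer to the same file this hashes the wrong object, and their definitions are not visible in this hunk. The step body continues outside the hunk.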
@@ -284,6 +230,7 @@ jobs:
|
||||
rm -f "${VAR_ISO_FILE_PATH}"
|
||||
|
||||
- name: Generate a success message file to push back into the repository.
|
||||
shell: bash
|
||||
run: |
|
||||
PRIVATE_FILE="LIVE_ISO.private"
|
||||
touch "${PRIVATE_FILE}"
|
||||
@@ -310,12 +257,14 @@ jobs:
|
||||
EOF
|
||||
|
||||
- name: Stage generated files.
|
||||
shell: bash
|
||||
run: |
|
||||
git add "${PRIVATE_FILE}"
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
|
||||
- name: Commit and Sign changes.
|
||||
shell: bash
|
||||
run: |
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
|
||||
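Review bot: `git add "${PRIVATE_FILE}"` at L716 relies on `PRIVATE_FILE`, which is assigned at L693 in a different `run:` step; each step runs in its own shell, so unless the earlier step exports it via `$GITHUB_ENV` (not visible in these hunks) this expands to `git add ""` and fails with an empty pathspec. Either export it once with `echo "PRIVATE_FILE=LIVE_ISO.private" >> "$GITHUB_ENV"` in the generating step or repeat the literal name here. `git commit -S -m … || echo "No Changes, nothing to Sign or to Commit."` at L739 also reports a signing failure (missing key, wrong GNUPGHOME) as "no changes"; check `git diff --cached --quiet` first and let the commit itself fail loudly.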
@@ -323,6 +272,7 @@ jobs:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
|
||||
- name: Push back to Repository.
|
||||
shell: bash
|
||||
run: |
|
||||
git push origin HEAD:${GITHUB_REF_NAME}
|
||||
env:
|
||||
|
||||
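Review bot: `git push origin HEAD:${GITHUB_REF_NAME}` at L759 leaves the refspec unquoted; branch names cannot contain whitespace, so it works today, but `git push origin "HEAD:${GITHUB_REF_NAME}"` costs nothing and keeps ShellCheck quiet. The step's `env:` block (L762) and whatever it sets continue outside the hunk.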
@@ -144,6 +144,11 @@ arg_parser() {
|
||||
|
||||
--build-directory)
|
||||
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
|
||||
if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
|
||||
if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
|
||||
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
|
||||
exit "${ERR_NOTABSPATH}"
|
||||
fi
|
||||
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
|
||||
shift 2
|
||||
;;
|
||||
|
||||
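Review bot: `if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi` at L781 executes the variable's value as a command, so an unset value aborts under `set -u` and any value other than `true`/`false` runs whatever program has that name; `if [[ "${VAR_HANDLER_AUTOBUILD:-false}" != true ]]; then boot_screen_cleaner; fi` makes the same decision without running the value. `declare -gx VAR_HANDLER_BUILD_DIR="${2}"` at L775 fails with an unbound-variable error rather than the intended diagnostic when `--build-directory` is the last argument; `"${2:?--build-directory requires a path}"` at least produces a readable message. The `^/` regex at L778 only checks the first character, so `/tmp/../etc` still passes; if normalisation is wanted, `realpath -m` before the check would handle it. The error `printf` at L784 opens a colour with `\e[91m` but never resets it with `\e[0m`, unlike the other messages in this file. arg_parser begins and ends outside the hunk.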
@@ -70,6 +70,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
|
||||
declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
|
||||
declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
|
||||
declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
|
||||
declare -gir ERR_NOTABSPATH=252 # Not an absolute path
|
||||
declare -gir ERR_INVLD_CHAR=253 # Invalid Character
|
||||
declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
|
||||
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
|
||||
|
||||