From 6e1cf484eec475a53a1a51e1f0801a4634cc56e60bf6aec41b12034e41b86af2 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Sun, 1 Jun 2025 20:20:53 +0200 Subject: [PATCH] V8.02.768.2025.06.01 Signed-off-by: Marc S. Weidner --- .gitea/workflows/generate-iso.yaml | 150 ++++++++++------------------- lib/lib_arg_parser.sh | 5 + var/global.var.sh | 1 + 3 files changed, 56 insertions(+), 100 deletions(-) diff --git a/.gitea/workflows/generate-iso.yaml b/.gitea/workflows/generate-iso.yaml index b2c12d8..2978927 100644 --- a/.gitea/workflows/generate-iso.yaml +++ b/.gitea/workflows/generate-iso.yaml @@ -36,12 +36,13 @@ jobs: - name: Basic Image Setup and enable Bookworm Backports. run: | apt-get update - apt-get install -y apt-transport-https apt-utils ca-certificates openssl sudo + apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo echo 'deb https://deb.debian.org/debian bookworm-backports main' \ >| /etc/apt/sources.list.d/bookworm-backports.list apt-get update - name: Installing Build Tools. + shell: bash run: | apt-get update apt-get install -y \ @@ -63,9 +64,11 @@ jobs: - name: Check GnuPG Version. run: | + shell: bash gpg --version - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + shell: bash run: | rm -rf ~/.ssh && mkdir -m700 ~/.ssh @@ -90,6 +93,7 @@ jobs: ### https://github.com/actions/checkout/issues/1843 - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues. + shell: bash run: | git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." @@ -98,11 +102,13 @@ jobs: GITHUB_REF_NAME: ${{ github.ref_name }} - name: Cleaning the workspace. + shell: bash run: | git reset --hard git clean -fd - name: Importing the 'CI PGP DEPLOY ONLY' key. + shell: bash run: | ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" 
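Review bot: In the 'Check GnuPG Version.' step (hunk -63) the new `shell: bash` line is inserted after `run: |` instead of before it, unlike every other step touched by this commit, so it ends up either inside the run script (where `shell: bash` is executed as a command and fails under the default `-e` shell) or, depending on indentation that this rendering does not preserve, as a mapping key that swallows `gpg --version` as a continuation of its value. Either way the step no longer runs `gpg --version` as intended; move the line up so the step reads `- name: Check GnuPG Version.` / `shell: bash` / `run: |`. The exact failure mode is inferred because indentation is not recoverable here.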
@@ -112,9 +118,9 @@ jobs: ### Trust the key automatically KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - shell: bash - name: Configuring Git for signed CI/DEPLOY commits. + shell: bash run: | export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" 
@@ -124,82 +130,55 @@ jobs: git config gpg.format openpgp - name: Preparing the build environment. + shell: bash run: | mkdir -p opt/config mkdir -p opt/livebuild - touch opt/config/password.txt && chmod 0600 opt/config/password.txt touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys - echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys - #mkdir -p opt/livebuild/chroot/dev - #mknod opt/livebuild/chroot/dev/null c 1 3 - #chmod 666 opt/livebuild/chroot/dev/null + - name: Preparing Centurion Cloud for LIVE ISO Upload. + shell: bash + run: | + set -euo pipefail + NC_BASE="https://cloud.e2ee.li" + SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}" + SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" + SHARE_SUBDIR="" - mkdir -p config/hooks/normal - touch config/hooks/normal/0000-fix-dev.chroot - chmod 0775 config/hooks/normal/0000-fix-dev.chroot - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n" - cat << 'EOF' >| config/hooks/normal/0000-fix-dev.chroot - #!/bin/bash - # SPDX-Version: 3.0 - # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; - # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git - # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency - # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; - # SPDX-FileType: SOURCE - # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 - # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. - # SPDX-PackageName: CISS.debian.live.builder - # SPDX-Security-Contact: security@coresecret.eu - set -C -e -u -o pipefail - if [ ! -e /dev/null ]; then - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] Creating /dev/null manually. \e[0m\n" - mknod -m 666 /dev/null c 1 3 + echo "Get directory listing via PROPFIND ..." 
+ curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X PROPFIND \ + -H "Depth: 1" \ + "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ + -o propfind_public.xml + + echo "Filter .iso files from the PROPFIND response ..." + grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true + + if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then + echo "Old ISO files found and deleted :" + while IFS= read -r href; do + FILE_URL="${NC_BASE}${href}" + echo " Delete: ${FILE_URL}" + if curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X DELETE "${FILE_URL}"; then + echo " ✅ Successfully deleted: $(basename "${href}")" + else + echo " ❌ Error: $(basename "${href}") could not be deleted" + fi + done < public_iso_list.txt else - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] /dev/null inside chroot present. \e[0m\n" + echo "No old ISO files found to delete." fi - chmod 666 /dev/null - EOF - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n" - ls -l config/hooks/normal/0000-fix-dev.chroot - - ### - - mkdir -p config/hooks/early - touch config/hooks/early/0000-fix-dev - chmod 0775 config/hooks/early/0000-fix-dev - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 'Creating config/hooks/early/0000-fix-dev'. \e[0m\n" - cat << 'EOF' >| config/hooks/early/0000-fix-dev - #!/bin/bash - # SPDX-Version: 3.0 - # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; - # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git - # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency - # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; - # SPDX-FileType: SOURCE - # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 - # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. 
- # SPDX-PackageName: CISS.debian.live.builder - # SPDX-Security-Contact: security@coresecret.eu - set -C -e -u -o pipefail - CHROOT="${LB_CHROOT:-chroot}" - if [[ ! -e "${CHROOT}/dev/null" ]]; then - printf "\e[95m[0000-fix-dev] Creating /dev/null inside chroot manually.\e[0m\n" - mkdir -p "${CHROOT}/dev" - mknod -m 666 "${CHROOT}/dev/null" c 1 3 - else - printf "\e[92m[0000-fix-dev] /dev/null inside chroot already exists.\e[0m\n" - fi - chmod 666 "${CHROOT}/dev/null" - EOF - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/early/0000-fix-dev'. \e[0m\n" - ls -l config/hooks/early/0000-fix-dev - ### + rm -f propfind_public.xml public_iso_list.txt - name: Starting CISS.debian.live.builder. This may take a while ... + shell: bash run: | chmod 0755 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z") 
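Review bot: Neither curl call in the relocated 'Preparing Centurion Cloud for LIVE ISO Upload.' step uses `--fail`, so even with the new `set -euo pipefail` an HTTP 401/403/404 on the PROPFIND exits 0, the grep then finds nothing (and its new `|| true` hides that as well) and the step reports "No old ISO files found" instead of failing; the same applies to `if curl -s ... -X DELETE`, which prints "✅ Successfully deleted" for any HTTP status the server returns. Use `curl -sS --fail` for both requests so authentication or server errors stop the job, and log the empty-listing case explicitly rather than masking it with `|| true`. The share credentials are also passed via `--user` on the command line, where they are visible in the process list on the runner; `--netrc-file` or a config read from stdin with `-K -` keeps them off argv. Since the step now runs before the build (the old copy after the ISO check is deleted in hunk -225), a failed build leaves the share without any ISO — if that is intended, a one-line comment in the step saying so would help the next reader. The 'Starting CISS.debian.live.builder' step at the end of the hunk continues outside it.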
@@ -225,42 +204,8 @@ jobs: echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi - - name: Preparing Centurion Cloud for LIVE ISO Upload. - run: | - NC_BASE="https://cloud.e2ee.li" - SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}" - SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" - SHARE_SUBDIR="" - echo "Get directory listing via PROPFIND ..." - curl -s \ - --user "${SHARE_TOKEN}:${SHARE_PASS}" \ - -X PROPFIND \ - -H "Depth: 1" \ - "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ - -o propfind_public.xml - echo "Filter .iso files from the PROPFIND response ..." - grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt - if [[ -s public_iso_list.txt ]]; then - echo "Old ISO files found and deleted :" - while IFS= read -r href; do - FILE_URL="${NC_BASE}${href}" - echo " Delete: ${FILE_URL}" - curl -s \ - --user "${SHARE_TOKEN}:${SHARE_PASS}" \ - -X DELETE \ - "${FILE_URL}" - if [[ $? -eq 0 ]]; then - echo " ✅ Successfully deleted: $(basename "${href}")" - else - echo " ❌ Error: $(basename "${href}") could not be deleted" - fi - done < public_iso_list.txt - else - echo "No old ISO files found to delete." - fi - rm -f propfind_public.xml public_iso_list.txt - - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. + shell: bash run: | curl --progress-bar \ --retry 2 \ @@ -275,6 +220,7 @@ jobs: fi - name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key. + shell: bash run: | VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512" sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" @@ -284,6 +230,7 @@ jobs: rm -f "${VAR_ISO_FILE_PATH}" - name: Generate a success message file to push back into the repository. + shell: bash run: | PRIVATE_FILE="LIVE_ISO.private" touch "${PRIVATE_FILE}" 
@@ -310,12 +257,14 @@ jobs: EOF - name: Stage generated files. + shell: bash run: | git add "${PRIVATE_FILE}" env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Commit and Sign changes. + shell: bash run: | export GNUPGHOME="$(pwd)/.gnupg" git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit." @@ -323,6 +272,7 @@ jobs: GIT_SSH_COMMAND: "ssh -p 42842" - name: Push back to Repository. + shell: bash run: | git push origin HEAD:${GITHUB_REF_NAME} env: diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index 988ba16..9e0e096 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -144,6 +144,11 @@ arg_parser() { --build-directory) declare -gx VAR_HANDLER_BUILD_DIR="${2}" + if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then + if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi + printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2 + exit "${ERR_NOTABSPATH}" + fi declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log" shift 2 ;; diff --git a/var/global.var.sh b/var/global.var.sh index 82efd43..53cd60b 100644 --- a/var/global.var.sh +++ b/var/global.var.sh @@ -70,6 +70,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535' declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided +declare -gir ERR_NOTABSPATH=252 # Not an absolute path declare -gir ERR_INVLD_CHAR=253 # Invalid Character declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
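Review bot: The new `--build-directory` error message in `arg_parser` (lib/lib_arg_parser.sh hunk) opens red with `\e[91m` but never emits the `\e[0m` reset that the project's other printf messages end with, so the terminal stays red after the script exits with `ERR_NOTABSPATH`; end the format string with `\e[0m\n`. The check only asserts a leading `/`, so `/`, `//x` or `/tmp/../x` all pass and are used verbatim in `VAR_BUILD_LOG`; if a canonical location is required, normalise first with `VAR_HANDLER_BUILD_DIR=$(realpath -m -- "${2}")` (which does not require the path to exist) and then test. `if ! $VAR_HANDLER_AUTOBUILD` executes the variable's value as a command, which is fine if it is always `true`/`false` but `[[ "${VAR_HANDLER_AUTOBUILD}" == true ]]` expresses the same intent without that assumption. The enclosing `arg_parser` case statement starts and ends outside the hunk.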