V8.13.008.2025.08.22
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -10,6 +10,6 @@
|
|||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
build:
|
build:
|
||||||
counter: 1023
|
counter: 1024
|
||||||
version: V8.13.008.2025.08.22
|
version: V8.13.008.2025.08.22
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||||
|
|||||||
@@ -13,6 +13,10 @@
|
|||||||
|
|
||||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||||
|
|
||||||
|
defaults:
|
||||||
|
run:
|
||||||
|
shell: bash
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
@@ -31,12 +35,9 @@ jobs:
|
|||||||
### Run all steps inside Debian Trixie
|
### Run all steps inside Debian Trixie
|
||||||
container:
|
container:
|
||||||
image: debian:trixie
|
image: debian:trixie
|
||||||
options: >-
|
|
||||||
--mount type=bind,src=/mnt/secure,dst=/work
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: 🛠️ Basic Image Setup.
|
- name: 🛠️ Basic Image Setup.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
apt-get update -y
|
apt-get update -y
|
||||||
@@ -53,7 +54,6 @@ jobs:
|
|||||||
util-linux
|
util-linux
|
||||||
|
|
||||||
- name: 🔎 Verify /work mount & space
|
- name: 🔎 Verify /work mount & space
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
set -euxo pipefail
|
set -euxo pipefail
|
||||||
df -h /work
|
df -h /work
|
||||||
@@ -61,7 +61,6 @@ jobs:
|
|||||||
touch /work/.bind-ok && ls -l /work/.bind-ok
|
touch /work/.bind-ok && ls -l /work/.bind-ok
|
||||||
|
|
||||||
- name: 🔎 Show workspace & mounts
|
- name: 🔎 Show workspace & mounts
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
|
echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
|
||||||
@@ -73,7 +72,6 @@ jobs:
|
|||||||
df -h .
|
df -h .
|
||||||
|
|
||||||
- name: ⚙️ Space guards (workspace + LB_PARENTDIR)
|
- name: ⚙️ Space guards (workspace + LB_PARENTDIR)
|
||||||
shell: bash
|
|
||||||
env:
|
env:
|
||||||
LB_PARENTDIR: /work
|
LB_PARENTDIR: /work
|
||||||
run: |
|
run: |
|
||||||
@@ -90,7 +88,6 @@ jobs:
|
|||||||
done
|
done
|
||||||
|
|
||||||
- name: ⚙️ Is there sufficient space available?
|
- name: ⚙️ Is there sufficient space available?
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
need_mb=8192
|
need_mb=8192
|
||||||
@@ -103,12 +100,10 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
- name: ⚙️ Check GnuPG Version.
|
- name: ⚙️ Check GnuPG Version.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
gpg --version
|
gpg --version
|
||||||
|
|
||||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||||
|
|
||||||
@@ -133,7 +128,6 @@ jobs:
|
|||||||
|
|
||||||
### https://github.com/actions/checkout/issues/1843
|
### https://github.com/actions/checkout/issues/1843
|
||||||
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||||
shell: bash
|
|
||||||
env:
|
env:
|
||||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||||
@@ -142,13 +136,11 @@ jobs:
|
|||||||
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
||||||
|
|
||||||
- name: 🛠️ Cleaning the workspace.
|
- name: 🛠️ Cleaning the workspace.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
git reset --hard
|
git reset --hard
|
||||||
git clean -fd
|
git clean -fd
|
||||||
|
|
||||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||||
@@ -163,7 +155,6 @@ jobs:
|
|||||||
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
||||||
|
|
||||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||||
shell: bash
|
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
export GNUPGHOME="$(pwd)/.gnupg"
|
export GNUPGHOME="$(pwd)/.gnupg"
|
||||||
@@ -188,6 +179,8 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
export LB_PARENTDIR=/work
|
||||||
|
export LB_CACHE_DIR=/work/.cache
|
||||||
chmod 0755 ciss_live_builder.sh
|
chmod 0755 ciss_live_builder.sh
|
||||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||||
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
|
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
|
||||||
|
|||||||
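Review bot: The `@@ -31,12 +35,9 @@` hunk drops the container `options` line `--mount type=bind,src=/mnt/secure,dst=/work`, but later steps still depend on /work. The "Verify /work mount & space" step runs `df -h /work` and `touch /work/.bind-ok`, and the last hunk adds `export LB_PARENTDIR=/work` and `export LB_CACHE_DIR=/work/.cache`. Unless /work is supplied by configuration outside the visible hunks, that verify step either fails under `set -euxo pipefail` or passes on a plain directory, because `touch` proves writability, not that a mount exists. In the second case the build tree and cache would land in the container's writable layer instead of on the host's /mnt/secure. Since `util-linux` is already installed by the setup step, I would have the verify step assert the mount itself with `mountpoint -q /work || { echo "/work is not a mount point" >&2; exit 1; }`, and add a comment beside the new exports naming where /work is now provisioned.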