msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.03.400.2025.06.05

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-05 22:14:09 +02:00
parent ac0c4a113f
commit 88df9116cf
85 changed files with 345 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
.gitea/workflows/char_linter.yaml Normal file
View File

@@ -0,0 +1,206 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.400.2025.06.05
# Gitea Workflow: Shell-Script Linting
#
# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
# 1. Windows CRLF line endings
# 2. unauthorized control characters (C0 control characters except \t, \n)
# 3. non-ASCII (ambiguous UTF) characters
#
# Findings are collected and at the end of the run with file, line number,
# and the respective character in the Runner output.
name: 🛡️ Shell Script Linting
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
shell-script-linter:
name: 🛡️ Shell Script Linting
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/PRIVATE_TESTING_CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install dependencies.
shell: bash
run: |
### Install grep with Perl-regex support, falls noch nicht vorhanden
apt-get update
apt-get upgrade -y
apt-get install -y grep
- name: 🔍 Lint shell scripts
shell: bash
run: |
# -------------------------------
# STEP 1: Find target files.
#
# We capture:
# - All files '*.sh', '*.zsh', '*.chroot'
# - All files whose first line begins with “#!” (shebang)
# -------------------------------
mapfile -t files_to_check < <(
find . -type f \( \
-iname '*.sh' -o \
-iname '*.zsh' -o \
-iname '*.chroot' -o \
-exec grep -Iq '^#!' {} \; \
\) -print
)
# -------------------------------
# STEP 2: Regex definitions
#
# - CRLF_REGEX → Carriage Return (\r) for Windows CRLF
# - CTRL_REGEX → C0 control characters except Tab (\x09) and Newline (\x0A)
# Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
# - NON_ASCII_REGEX → All bytes > 0x7F, except emoji characters in defined ranges
#
# Emoji ranges that we exclude:
# - \x{1F300}-\x{1F5FF} (Misc Symbols & Pictographs)
# - \x{1F600}-\x{1F64F} (Emoticons)
# - \x{1F680}-\x{1F6FF} (Transport & Map Symbols)
# - \x{1F900}-\x{1F9FF} (Supplemental Symbols & Pictographs)
# - \x{2600}-\x{26FF} (Miscellaneous Symbols)
# - \x{2700}-\x{27BF} (Dingbats)
# -------------------------------
CRLF_REGEX=$'\r'
CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
# -------------------------------
# STEP 3: Accumulator for findings
# -------------------------------
findings=""
# -------------------------------
# STEP 4: Perform all checks for each file
# -------------------------------
for file in "${files_to_check[@]}"; do
#
# 4.1: CRLF detection
# grep -nP returns “lineno:<line with CR>”
# -------------------------------
while IFS=: read -r lineno _rest; do
findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
#
# 4.2: Unallowed control characters
# grep -nP -o returns “lineno:<matched-char>”
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
#
# 4.3: Non-ASCII characters with emoji exception
# grep -nP -o returns “lineno:<matched-char>”
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
done
# -------------------------------
# STEP 5: Output results
# -------------------------------
if [[ -n "${findings}" ]]; then
echo -e "⚠️ Linting issues detected:\n"
echo -e "${findings}"
exit 1
else
echo "✅ No issues found in shell scripts."
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

14
.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
View File

@@ -2,7 +2,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -40,13 +40,14 @@ jobs:
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
apt-get upgrade
- name: 🛠️ Installing Build Tools.
shell: bash
run: |
apt-get update
apt-get install -y \
autoconf \
autoconf \
automake \
build-essential \
cryptsetup \
@@ -58,6 +59,9 @@ jobs:
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
@@ -223,6 +227,8 @@ jobs:
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
@@ -328,7 +334,7 @@ jobs:
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
@@ -363,7 +369,7 @@ jobs:
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

14
.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
View File

@@ -2,7 +2,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -21,7 +21,7 @@ on:
branches:
- master
paths:
- '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
- '.gitea/trigger/.t_generate_PRIVATE_iso_flavour_1.yaml'
jobs:
generate-private-ciss-debian-live-iso:
@@ -40,6 +40,7 @@ jobs:
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
apt-get upgrade
- name: 🛠️ Installing Build Tools.
shell: bash
@@ -58,6 +59,9 @@ jobs:
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
@@ -223,6 +227,8 @@ jobs:
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
@@ -325,7 +331,7 @@ jobs:
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
@@ -360,7 +366,7 @@ jobs:
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

16
.gitea/workflows/generate_PUBLIC_iso.yaml
View File

@@ -2,7 +2,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -21,7 +21,7 @@ on:
branches:
- master
paths:
- '.gitea/trigger/t_generate_PUBLIC.yaml'
- '.gitea/trigger/.t_generate_PUBLIC.yaml'
jobs:
generate-private-ciss-debian-live-iso:
@@ -40,13 +40,14 @@ jobs:
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
apt-get upgrade
- name: 🛠️ Installing Build Tools.
shell: bash
run: |
apt-get update
apt-get install -y \
autoconf \
autoconf \
automake \
build-essential \
cryptsetup \
@@ -58,6 +59,9 @@ jobs:
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
@@ -223,6 +227,8 @@ jobs:
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
@@ -325,7 +331,7 @@ jobs:
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
@@ -360,7 +366,7 @@ jobs:
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

2
.gitea/workflows/render-dnssec-status.yaml
View File

@@ -2,7 +2,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

4
.gitea/workflows/render-dot-to-png.yaml
View File

@@ -2,7 +2,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -190,4 +190,4 @@ jobs:
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml