From ea76e9d5cbdc1c04bea4cd239cf8b3a030f932378ec2204f63f06e9c802db02d Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Sun, 1 Jun 2025 20:23:19 +0200 Subject: [PATCH] V8.02.768.2025.06.01 Signed-off-by: Marc S. Weidner --- .gitea/workflows/render-dnssec-status.yaml | 14 +++++++++++++- var/global.var.sh | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 0dadb72..f48b3df 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -29,6 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config. + shell: bash run: | rm -rf ~/.ssh mkdir -p ~/.ssh @@ -54,6 +55,7 @@ jobs: ### https://github.com/actions/checkout/issues/1843 - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues. + shell: bash run: | git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." @@ -62,21 +64,25 @@ jobs: GITHUB_REF_NAME: ${{ github.ref_name }} - name: Clean workspace. + shell: bash run: | git reset --hard git clean -fd - name: Convert APT sources to HTTPS. + shell: bash run: | sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true - name: Install DNSViz. + shell: bash run: | sudo apt-get update sudo apt-get install -y dnsviz - name: Import CI PGP DEPLOY ONLY Key. + shell: bash run: | ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" 
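Review bot: The reason for pinning `shell: bash` on every step of render-dnssec-status.yaml is not recorded anywhere in the workflow, and it is not a cosmetic change: on GitHub-compatible runners an explicit `shell: bash` runs the script as `bash --noprofile --norc -eo pipefail {0}`, whereas the implicit default is `bash -e {0}`, so a failing left-hand command in any pipeline (for example the `gpg ... | awk` in the key-import step) now fails the step. Please add a comment above the first step such as `### shell: bash is set explicitly so the runner uses -eo pipefail (fail-fast on pipeline errors).` so the next maintainer does not remove it as redundant. The same applies to the hunks at -54, -62, -86, -98 and -126 of this file; if the runner honors it, a job-level `defaults: { run: { shell: bash } }` would express this once instead of twelve times. The body of the "Prepare SSH Setup" step continues outside this hunk.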
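Review bot: In the "Convert APT sources to HTTPS." step the first `sed -i` on `/etc/apt/sources.list` runs without `sudo` and without the `|| true` its sibling line has, while every other apt operation in the file uses `sudo`; on a runner that is not root the in-place edit fails on a root-owned file and, with `shell: bash` now implying `-e`, the whole step aborts. If the image is Ubuntu 24.04 or later the sources presumably live in the deb822 file `/etc/apt/sources.list.d/ubuntu.sources`, which neither pattern matches, so the step could also succeed while changing nothing. Make the two lines consistent, `sudo sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list || true`, and consider verifying the result with `! grep -rq '^deb http://' /etc/apt/sources.list /etc/apt/sources.list.d/` so a silent no-op is caught rather than assumed.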
@@ -86,9 +92,9 @@ jobs: ### Trust the key automatically KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - shell: bash - name: Configure Git for signed CI DEPLOY commits. + shell: bash run: | export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" @@ -98,27 +104,32 @@ jobs: git config gpg.format openpgp - name: Ensure docs/SECURITY/ directory exists. + shell: bash run: | mkdir -p docs/SECURITY/ rm -f docs/SECURITY/coresecret.dev.png - name: Prepare DNS Cache. + shell: bash run: | sudo apt-get install -y dnsutils dig +dnssec +multi coresecret.dev @8.8.8.8 - name: Retrieve Zone Dump and generate .png Visualization. + shell: bash run: | dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png - name: Stage generated files. + shell: bash run: | git add docs/SECURITY/*.png env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Commit and Sign changes. + shell: bash run: | export GNUPGHOME="$(pwd)/.gnupg" git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit." @@ -126,6 +137,7 @@ jobs: GIT_SSH_COMMAND: "ssh -p 42842" - name: Push back to Repository. + shell: bash run: | git push origin HEAD:${GITHUB_REF_NAME} env: diff --git a/var/global.var.sh b/var/global.var.sh index 53cd60b..9505bbd 100644 --- a/var/global.var.sh +++ b/var/global.var.sh 
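Review bot: `KEY_ID` is assigned in the "Import CI PGP DEPLOY ONLY Key." step but the step's script ends on the following `gpg.conf` line, so the variable is lost when that shell exits; if the "Configure Git for signed CI DEPLOY commits." step (whose body continues outside this hunk) is meant to use it for `user.signingkey`, it has to be handed over explicitly with `echo "KEY_ID=${KEY_ID}" >> "$GITHUB_ENV"`, otherwise the assignment is dead code. Separately, `echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"` disables trust evaluation for that GNUPGHOME; since the directory is workspace-local and only ever holds the deploy key this is defensible, but the comment should say so, e.g. `### trust-model always: this GNUPGHOME holds only the CI deploy key, so no web-of-trust check is needed.`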
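Review bot: In the "Commit and Sign changes." step, `git commit -S ... || echo "No Changes, nothing to Sign or to Commit."` treats every non-zero exit as "nothing to commit", so a failed signature (missing key, wrong `GNUPGHOME`, expired key) is reported as a benign no-op and the job continues to the push with an unsigned or absent commit. Distinguish the two cases before committing, `git diff --cached --quiet && echo "No Changes, nothing to Sign or to Commit." || git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]"`, so that a signing error fails the step under the new `-e` semantics. The step's `env:` block continues outside this hunk.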
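Review bot: `git push origin HEAD:${GITHUB_REF_NAME}` in the "Push back to Repository." step leaves the variable unquoted, whereas the clone step quotes the same value (`--branch "${GITHUB_REF_NAME}"`); an empty or space-containing ref name would change the argument list rather than fail cleanly. Quote it for consistency, `git push origin "HEAD:${GITHUB_REF_NAME}"`. The step's `env:` block continues outside this hunk.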
@@ -55,7 +55,7 @@ declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=() declare -gir ERR_UNCRITICAL=127 declare -gir ERR_NOT_USER_0=128 # Not running as root declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing -declare -gir ERR_FLOCK_COLL=130 # Script is already running +declare -gir ERR_FLOCK_COLL=130 # The Script is already running declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon' declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535' declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'