diff --git a/.gitea/workflows/generate-iso.yaml b/.gitea/workflows/generate-iso.yaml index 1cb9034..bc0c9cd 100644 --- a/.gitea/workflows/generate-iso.yaml +++ b/.gitea/workflows/generate-iso.yaml @@ -298,7 +298,7 @@ jobs: run: | set -euo pipefail PRIVATE_FILE="LIVE_ISO.private" - git add "${PRIVATE_FILE}" || echo "â„šī¸ Nothing to add." + git add "${PRIVATE_FILE}" || echo "âœ”ī¸ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. shell: bash @@ -309,7 +309,7 @@ jobs: export GNUPGHOME="$(pwd)/.gnupg" if git diff --cached --quiet; then - echo "â„šī¸ No staged changes to commit." + echo "âœ”ī¸ No staged changes to commit." else echo "📝 Committing changes with GPG signature ..." diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 14b12de..7934bae 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -27,12 +27,13 @@ jobs: build-dnssec-diagram: name: Retrieve the DNSSEC status at the time of updating the repository. runs-on: ubuntu-latest + steps: - - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config. + - name: âš™ī¸ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. shell: bash run: | - rm -rf ~/.ssh - mkdir -p ~/.ssh + set -euo pipefail + rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 
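Review bot: The new `rm -rf ~/.ssh && mkdir -m700 ~/.ssh` line protects the directory, but the private key on the following context line is still written by `echo ... >| ~/.ssh/id_ed25519` under the runner's default umask, so the file can be group/world-readable until a later chmod (not visible in this hunk) runs. Adding `umask 077` right after the new `set -euo pipefail` makes every file created in this step owner-only from the moment it exists. The secret is also expanded by the `${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}` template directly into the script text; passing it through the step's `env:` block (e.g. a constructed `SSH_DEPLOY_KEY: ${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}`) and writing `printf '%s\n' "${SSH_DEPLOY_KEY}" >| ~/.ssh/id_ed25519` keeps the key material out of the rendered script and away from shell interpretation. The step body continues past the hunk.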
@@ -54,36 +55,27 @@ jobs: chmod 600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues. + - name: đŸ› ī¸ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. shell: bash - run: | - git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . - git fetch --unshallow || echo "Nothing to fetch - already full clone." env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} + run: | + set -euo pipefail + git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . + git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: Clean workspace. + - name: đŸ› ī¸ Cleaning the workspace. shell: bash run: | + set -euo pipefail git reset --hard git clean -fd - - name: Convert APT sources to HTTPS. - shell: bash - run: | - sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list - sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true - - - name: Install DNSViz. - shell: bash - run: | - sudo apt-get update - sudo apt-get install -y dnsviz - - - name: Import CI PGP DEPLOY ONLY Key. + - name: âš™ī¸ Importing the 'CI PGP DEPLOY ONLY' key. shell: bash run: | + set -euo pipefail ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" 
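Review bot: In the rewritten clone step, `git fetch --unshallow || echo "Nothing to fetch - already full clone."` still swallows every fetch failure (auth, host-key, network) that the newly added `set -euo pipefail` would otherwise surface; `git clone --branch` without `--depth` appears to produce a full clone already, so the fallback normally fires only for the "does not make sense" error. Gating on shallowness keeps real failures fatal: `if [ "$(git rev-parse --is-shallow-repository)" = true ]; then git fetch --unshallow; fi`. The same hunk adds `set -euo pipefail` to the key-import step, whose body (`mkdir -m 700 "${GNUPGHOME}"` and the lines after it) continues outside the hunk, so any command there that previously failed harmlessly will now abort the job — worth a quick check of the rest of that step.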
@@ -93,9 +85,10 @@ jobs: KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" - - name: Configure Git for signed CI DEPLOY commits. + - name: âš™ī¸ Configuring Git for signed CI/DEPLOY commits. shell: bash run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" 
@@ -103,43 +96,105 @@ jobs: git config gpg.program gpg git config gpg.format openpgp - - name: Ensure docs/SECURITY/ directory exists. + - name: âš™ī¸ Convert APT sources to HTTPS. + shell: bash + run: | + set -euo pipefail + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true + + - name: đŸ› ī¸ Install DNSViz. + shell: bash + run: | + sudo apt-get update + sudo apt-get install -y dnsviz + + - name: âš™ī¸ Ensure docs/SECURITY/ directory exists. shell: bash run: | mkdir -p docs/SECURITY/ rm -f docs/SECURITY/coresecret.dev.png - - name: Prepare DNS Cache. + - name: đŸ› ī¸ Prepare DNS Cache. shell: bash run: | sudo apt-get install -y dnsutils dig +dnssec +multi coresecret.dev @8.8.8.8 - - name: Retrieve Zone Dump and generate .png Visualization. + - name: đŸ› ī¸ Retrieve Zone Dump and generate .png Visualization. shell: bash run: | dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png - - name: Stage generated files. + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash - run: | - git add docs/SECURITY/*.png env: GIT_SSH_COMMAND: "ssh -p 42842" - - - name: Commit and Sign changes. - shell: bash run: | + set -euo pipefail export GNUPGHOME="$(pwd)/.gnupg" - git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit." - env: - GIT_SSH_COMMAND: "ssh -p 42842" - - name: Push back to Repository. + echo "🔄 Fetching origin/master ..." + git fetch origin master + + echo "🔁 Merging origin/master into current branch ..." + git merge --no-edit origin/master || echo "âœ”ī¸ Already up to date or fast-forward." 
+ + echo "📋 Post-merge status :" + git status + git log --oneline -n 5 + + - name: đŸ“Ļ Stage generated files. shell: bash - run: | - git push origin HEAD:${GITHUB_REF_NAME} env: GIT_SSH_COMMAND: "ssh -p 42842" -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml + run: | + set -euo pipefail + git add docs/SECURITY/*.png || echo "âœ”ī¸ Nothing to add." + + - name: 🔑 Commit and sign changes with CI metadata. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + if git diff --cached --quiet; then + echo "âœ”ī¸ No staged changes to commit." + else + echo "📝 Committing changes with GPG signature ..." + + ### CI Metadata + TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" + HOSTNAME="$(hostname -f || hostname)" + GIT_SHA="$(git rev-parse --short HEAD)" + GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" + + COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci] + + ${CI_HEADER} + + Generated at: ${TIMESTAMP_UTC} + Runner Host : ${HOSTNAME} + Workflow ID : ${WORKFLOW_ID} + Git Commit : ${GIT_SHA} HEAD → ${GIT_REF} + " + + echo "🔏 Commit message :" + echo "${COMMIT_MSG}" + git commit -S -m "${COMMIT_MSG}" + fi + + - name: 🔁 Push back to repository. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..." + git push origin HEAD:${GITHUB_REF_NAME} + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/render-md-to-html.yaml b/.gitea/workflows/render-md-to-html.yaml index 6a6ef11..9d445f9 100644 --- a/.gitea/workflows/render-md-to-html.yaml +++ b/.gitea/workflows/render-md-to-html.yaml 
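Review bot: `WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"` in the new commit step names the other workflow as its fallback, so a DNSSEC-status commit would carry the wrong Workflow ID line whenever GITHUB_WORKFLOW is unset; it should read `WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"`. In the new sync step, `git merge --no-edit origin/master || echo ...` is misleading: `git merge` exits 0 when already up to date, so the `||` branch only runs on a genuine failure such as a conflict, which it then reports as success and hands on to the later stage/commit steps; dropping the `|| echo` and letting `set -euo pipefail` abort is the safer behaviour. The merge also hardcodes `origin/master` while the push targets `${GITHUB_REF_NAME}`, so on any other branch it would merge master into that branch — presumably the workflow only runs on master, but that is worth confirming. Finally, `set -euo pipefail` is added to the git steps but not to the moved "Install DNSViz", "Prepare DNS Cache" and "Retrieve Zone Dump" steps, so a failing `apt-get update` or `dnsviz probe` is only caught if the step's last command also fails, and a partial `coresecret.dev.json` could still be rendered and committed as the current DNSSEC status.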
@@ -111,12 +111,12 @@ jobs: sudo apt-get update sudo apt-get install -y pandoc - #- name: Ensure .html/ directory exists. + #- name: âš™ī¸ Ensure .html/ directory exists. # shell: bash # run: # mkdir -p .html - #- name: Render *.md to full standalone HTML. + #- name: đŸ› ī¸ Render *.md to full standalone HTML. # shell: bash # run: | # set -euo pipefail @@ -134,7 +134,7 @@ jobs: # -o .html/"${out}" # done - - name: đŸ“Ĩ Extract HTML fragment for Gitea for *.md. + - name: đŸ› ī¸ Extract HTML fragment for Gitea for *.md. shell: bash run: | set -euo pipefail @@ -174,7 +174,7 @@ jobs: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - git add *.html || echo "â„šī¸ Nothing to add." + git add *.html || echo "âœ”ī¸ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. shell: bash @@ -185,7 +185,7 @@ jobs: export GNUPGHOME="$(pwd)/.gnupg" if git diff --cached --quiet; then - echo "â„šī¸ No staged changes to commit." + echo "âœ”ī¸ No staged changes to commit." else echo "📝 Committing changes with GPG signature ..."