# SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ### Version Master V8.02.768.2025.06.01 name: Generating a private Live ISO. permissions: contents: write on: push: branches: - master paths: - '.gitea/trigger/t_generate_iso.yaml' jobs: generate-private-ciss-debian-live-iso: name: Generating a private Live ISO. runs-on: ubuntu-latest ### Run all steps inside Debian Bookworm container: image: debian:trixie options: --user root steps: - name: Basic Image Setup and enable Bookworm Backports. run: | apt-get update apt-get install -y apt-transport-https apt-utils ca-certificates openssl echo 'deb https://deb.debian.org/debian bookworm-backports main' \ >| /etc/apt/sources.list.d/bookworm-backports.list apt-get update - name: Installing Build Tools. run: | apt-get update apt-get install -y \ cryptsetup \ curl \ debootstrap \ dosfstools \ efibootmgr \ gnupg \ git \ haveged \ live-build \ parted \ ssh \ ssl-cert \ sudo \ wget \ whois - name: Check GnuPG Version. run: | gpg --version - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. run: | rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev HostName git.coresecret.dev Port 42842 IdentityFile ~/.ssh/id_ed25519 StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues. run: | git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} - name: Cleaning the workspace. run: | git reset --hard git clean -fd - name: Importing the 'CI PGP DEPLOY ONLY' key. run: | ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc gpg --batch --import ci-bot.sec.asc ### Trust the key automatically KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" shell: bash - name: Configuring Git for signed CI/DEPLOY commits. run: | export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config commit.gpgsign true git config gpg.program gpg git config gpg.format openpgp - name: Preparing the build environment. run: | mkdir -p opt/config mkdir -p op/livebuild touch opt/config/password.txt && chmod 0600 opt/config/password.txt touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys - name: Starting CISS.debian.live.builder. This may take a while ... run: | chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ --autobuild=6.12.22+bpo-amd64 \ --architecture amd64 \ --build-directory opt/livebuild \ --control "${timestamp}" \ --debug \ --dhcp-centurion \ --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \ --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \ --root-password-file opt/config/password.txt \ --ssh-port 42842 \ --ssh-pubkey opt/config if [[ $(ls opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 else VAR_ISO_FILE_PATH=$(ls opt/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi - name: Preparing Centurion Cloud for LIVE ISO Upload. run: | NC_BASE="https://cloud.e2ee.li" SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}" SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}" SHARE_SUBDIR="" echo "Get directory listing via PROPFIND ..." curl -s \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \ -X PROPFIND \ -H "Depth: 1" \ "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ -o propfind_public.xml echo "Filter .iso files from the PROPFIND response ..." grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt if [[ -s public_iso_list.txt ]]; then echo "Old ISO files found and deleted :" while IFS= read -r href; do FILE_URL="${NC_BASE}${href}" echo " Delete: ${FILE_URL}" curl -s \ --user "${SHARE_TOKEN}:${SHARE_PASS}" \ -X DELETE \ "${FILE_URL}" if [[ $? -eq 0 ]]; then echo " ✅ Successfully deleted: $(basename "${href}")" else echo " ❌ Error: $(basename "${href}") could not be deleted" fi done < public_iso_list.txt else echo "No old ISO files found to delete." fi rm -f propfind_public.xml public_iso_list.txt - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. run: | curl --progress-bar \ --retry 2 \ https://cloud.e2ee.li/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ --upload-file "${VAR_ISO_FILE_PATH}" \ -u '${SHARE_TOKEN}:${SHARE_PASS}' | cat if [[ $? -eq 0 ]]; then echo "✅ New ISO successfully uploaded." else echo "❌ Uploading the new ISO failed." exit 1 fi - name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key. run: | VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512" sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" VAR_ISO_FILE_SHA512=$(< "${VAR_ISO_FILE_SHA512}") SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" rm -f "${VAR_ISO_FILE_PATH}" - name: Generate a success message file to push back into the repository. run: | PRIVATE_FILE="LIVE_ISO.private" touch "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-31; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu This file was automatically generated by the DEPLOY BOT on: "${timestamp}". CISS.debian.live.builder ISO : "${VAR_ISO_FILE}" CISS.debian.live.builder ISO sha512 : "${VAR_ISO_FILE_SHA512}" CISS.debian.live.builder ISO sha512 sign : $(< "${SIGNATURE_FILE}") EOF - name: Stage generated files. run: | git add "${PRIVATE_FILE}" env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Commit and Sign changes. run: | export GNUPGHOME="$(pwd)/.gnupg" git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit." env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Push back to Repository. run: | git push origin HEAD:${GITHUB_REF_NAME} env: GIT_SSH_COMMAND: "ssh -p 42842" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml