# SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ### Version Master V8.02.768.2025.06.01 name: Retrieve the DNSSEC status at the time of updating the repository. permissions: contents: write on: push: branches: - master paths: - '.gitea/trigger/t_generate_dns.yaml' jobs: build-dnssec-diagram: name: Retrieve the DNSSEC status at the time of updating the repository. runs-on: ubuntu-latest steps: - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config. run: | rm -rf ~/.ssh mkdir -p ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev HostName git.coresecret.dev Port 42842 IdentityFile ~/.ssh/id_ed25519 StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues. run: | git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} - name: Clean workspace. run: | git reset --hard git clean -fd - name: Convert APT sources to HTTPS. run: | sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true - name: Install DNSViz. run: | sudo apt-get update sudo apt-get install -y dnsviz - name: Import CI PGP DEPLOY ONLY Key. run: | ### GPG-Home relative to the Runner Workspace to avoid changing global files. export GNUPGHOME="$(pwd)/.gnupg" mkdir -m 700 "${GNUPGHOME}" echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc gpg --batch --import ci-bot.sec.asc ### Trust the key automatically KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" shell: bash - name: Configure Git for signed CI DEPLOY commits. run: | export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config commit.gpgsign true git config gpg.program gpg git config gpg.format openpgp - name: Ensure docs/SECURITY/ directory exists. run: | mkdir -p docs/SECURITY/ rm -f docs/SECURITY/coresecret.dev.png - name: Prepare DNS Cache. run: | sudo apt-get install -y dnsutils dig +dnssec +multi coresecret.dev @8.8.8.8 - name: Retrieve Zone Dump and generate .png Visualization. run: | dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png - name: Stage generated files. run: | git add docs/SECURITY/*.png env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Commit and Sign changes. run: | export GNUPGHOME="$(pwd)/.gnupg" git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit." env: GIT_SSH_COMMAND: "ssh -p 42842" - name: Push back to Repository. run: | git push origin HEAD:${GITHUB_REF_NAME} env: GIT_SSH_COMMAND: "ssh -p 42842" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml