# SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu # Version Master V8.13.768.2025.12.06 name: 🔐 Generating a Private Live ISO TRIXIE. permissions: contents: write on: push: branches: - master paths: - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml' jobs: generate-private-cdlb-trixie: name: 🔐 Generating a Private Live ISO TRIXIE. runs-on: cdlb.trixie container: image: debian:trixie defaults: run: shell: bash working-directory: ${{ github.workspace }} steps: - name: 🕑 Waiting random time to desynchronize parallel workflows. run: | set -euo pipefail var_wait=$(( RANDOM % 33 )) printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" sleep "${var_wait}" - name: 🔧 Basic Image Setup. run: | set -euo pipefail umask 0022 echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}" echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}" echo "LC_ALL=C.UTF-8" >> "${GITHUB_ENV}" echo "TZ=UTC" >> "${GITHUB_ENV}" echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}" export APT_LISTCHANGES_FRONTEND=none export DEBIAN_FRONTEND=noninteractive apt-get update -qq apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-utils \ bash \ bat \ ca-certificates \ cryptsetup \ curl \ debootstrap \ git \ gnupg-utils \ gnupg \ gpg-agent \ gpgv \ live-build \ lsb-release \ openssh-client \ openssl \ perl \ pinentry-curses \ pinentry-tty \ sudo \ util-linux \ whois - name: ⚙️ Check GnuPG Version. run: | gpg --version - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. run: | set +x set -euo pipefail umask 0077 rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev BatchMode yes ConnectTimeout 5 ControlMaster auto ControlPath ~/.ssh/cm-%r@%h:%p ControlPersist 5m HostName git.coresecret.dev IdentityFile ~/.ssh/id_ed25519 Port 42842 ServerAliveCountMax 3 ServerAliveInterval 10 StrictHostKeyChecking yes User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues. env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | set -euo pipefail git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . - name: ⚙️ Init GNUPGHOME. run: | set +x set -euo pipefail umask 0077 GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}" # shellcheck disable=SC2174 mkdir -p -m 0700 "${GNUPGHOME}" echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}" echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf" echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf" gpgconf --reload gpg-agent || true - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key. env: PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }} run: | set +x set -euo pipefail umask 0077 printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV - name: ⚙️ Configuring Git for signed CI/DEPLOY commits. run: | set +x set -euo pipefail git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} git config commit.gpgsign true git config gpg.program gpg git config gpg.format openpgp git config --get user.signingkey - name: ⚙️ Preparing the build environment. run: | set +x set -euo pipefail umask 0077 mkdir -p /dev/shm/cdlb_secrets install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /dev/shm/cdlb_secrets/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /dev/shm/cdlb_secrets/authorized_keys echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ... run: | set -euo pipefail chmod 0700 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'. chmod 0400 /dev/shm/cdlb_secrets/* ./ciss_live_builder.sh \ --architecture amd64 \ --autobuild=6.17.8+deb13-amd64 \ --build-directory /opt/cdlb \ --cdi \ --change-splash hexagon \ --control "${timestamp}" \ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \ --key_age=keys.txt \ --key_luks=luks.txt \ --root-password-file /dev/shm/cdlb_secrets/password.txt \ --signing_ca=signing_ca.asc \ --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \ --signing_key_pass=signing_key_pass.txt \ --signing_key=signing_key.asc \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ --ssh-pubkey /dev/shm/cdlb_secrets \ --sshfp \ --trixie - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" run: | set -euo pipefail SHARE_SUBDIR="" echo "📥 Get directory listing via PROPFIND ..." curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ -o propfind_public.xml echo "📥 Filter .iso files from the PROPFIND response ..." grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then echo "💡 Old ISO files found and deleted :" while IFS= read -r href; do FILE_URL="${NC_BASE}${href}" echo " Delete: ${FILE_URL}" if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then echo " ✅ Successfully deleted: $(basename "${href}")" else echo " ❌ Error: $(basename "${href}") could not be deleted" fi done < public_iso_list.txt else echo "💡 No old ISO files found to delete." fi - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" run: | set -euo pipefail if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 else VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi AUTH="${SHARE_TOKEN}:${SHARE_PASS}" if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then echo "✅ New ISO successfully uploaded." else echo "❌ Uploading the new ISO failed." exit 1 fi - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. run: | if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "❌ There must be exactly one .iso file in the directory!" exit 1 else VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" fi VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512" touch "${VAR_ISO_FILE_SHA512}" sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" touch "${SIGNATURE_FILE}" gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") VAR_DATE="$(date +%F)" PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private" touch "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu This file was automatically generated by the DEPLOY BOT on: "${timestamp}" CISS.debian.live.builder ISO : "${VAR_ISO_FILE_NAME}" CISS.debian.live.builder ISO sha512 : $(< "${VAR_ISO_FILE_SHA512}") CISS.debian.live.builder ISO sha512 sign : $(< "${SIGNATURE_FILE}") # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF - name: 🚧 Stash local changes (including untracked). env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail ### Temporarily store any local modifications or untracked files. git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash." - name: 🔄 Sync with remote before commit using merge strategy. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail echo "🔄 Fetching origin/master ..." git fetch origin master echo "🔁 Merging origin/master into current branch ..." git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward." echo "📋 Post-merge status :" git status git log --oneline -n 5 - name: 🔧 Restore stashed changes. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail ### Apply previously stashed changes. git stash pop || echo "✔️ Nothing to pop." - name: 📦 Stage generated files. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private" git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add." - name: 🔑 Commit and sign changes with CI metadata. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail if git diff --cached --quiet; then echo "✔️ No staged changes to commit." else echo "📝 Committing changes with GPG signature ..." ### CI Metadata TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] ${CI_HEADER} Generated at : ${TIMESTAMP_UTC} Runner Host : ${HOSTNAME} Workflow ID : ${WORKFLOW_ID} Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF} " echo "🔏 Commit message :" echo "${COMMIT_MSG}" git commit -S -m "${COMMIT_MSG}" fi - name: 🔁 Push back to repository. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..." git push origin HEAD:${GITHUB_REF_NAME} # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml