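# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
---
name: Generating private Live ISO.

### The job pushes a signed commit back into the repository, so it needs write access to contents.
permissions:
  contents: write

### NOTE: the trigger is restricted to pushes that touch this workflow file itself.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
    paths:
      - '.gitea/autobuild.yaml'

jobs:
  generating-ciss-debian-live-iso:
    runs-on: ubuntu-latest
    ### Run all steps inside a Debian Bookworm container.
    container:
      image: debian:bookworm
      options: --user root
    steps:
      ### The plain debian:bookworm image ships neither git nor an SSH client nor curl, and the
      ### following steps clone over SSH without actions/checkout, so the tooling must come first.
      - name: Installing Debian Live-Build and Tools.
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt-get update
          apt-get install -y git openssh-client ca-certificates live-build gnupg curl whois

      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        ### Secrets are handed to the shell through the environment instead of being interpolated
        ### into the script text, so their content is never parsed as shell code.
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key (umask keeps the file private from the moment it is created)
          (umask 077; printf '%s\n' "${SSH_DEPLOY_KEY}" >| ~/.ssh/id_ed25519)
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts.
          ### NOTE: this is trust-on-first-use at every run; StrictHostKeyChecking only rejects a host
          ### key that differs from the one just scanned. Pinning the expected host key (e.g. from a
          ### repository secret/variable) instead of scanning it would close that gap.
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<'EOF' >| ~/.ssh/config
          Host git.coresecret.dev
          HostName git.coresecret.dev
          Port 42842
          IdentityFile ~/.ssh/id_ed25519
          IdentitiesOnly yes
          StrictHostKeyChecking yes
          UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."

      - name: Cleaning workspace.
        run: |
          git reset --hard
          git clean -fd

      - name: Importing "CI PGP DEPLOY ONLY" Key.
        env:
          PGP_DEPLOY_KEY: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m700 "${GNUPGHOME}"
          ### The GPG home lives inside the checkout: exclude it locally so a later "git add" can never stage it.
          echo ".gnupg/" >> .git/info/exclude
          ### Import straight from the environment; no private-key file is written into the workspace.
          printf '%s\n' "${PGP_DEPLOY_KEY}" | gpg --batch --import
          ### Trust the key automatically
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"

      - name: Configuring Git for signed CI DEPLOY commits.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          ### Pin the signing key explicitly instead of relying on gpg matching the committer identity.
          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec:/ {print $5; exit}')
          [ -n "${KEY_ID}" ] || { echo "No secret signing key found in ${GNUPGHOME}." >&2; exit 1; }
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey "${KEY_ID}"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp

      - name: Preparing Build Environment.
        env:
          ROOT_PWD: ${{ secrets.CISS_DLB_ROOT_PWD }}
          ROOT_SSH_PUBKEY: ${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}
        run: |
          rm -rf /opt/{config,livebuild}
          mkdir -p /opt/{config,livebuild}
          (umask 077; printf '%s\n' "${ROOT_PWD}" >| /opt/config/password.txt)
          (umask 077; printf '%s\n' "${ROOT_SSH_PUBKEY}" >| /opt/config/authorized_keys)
          ### Both files carry credentials for the generated image: keep them owner-readable only.
          chmod 0600 /opt/config/password.txt /opt/config/authorized_keys

      - name: Starting CISS.debian.live.builder.
        env:
          JUMP_HOSTS: ${{ secrets.CISS_DLB_JUMP_HOSTS }}
          NETCUP_IPV6: ${{ secrets.CISS_DLB_NETCUP_IPV6 }}
        run: |
          timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
            --autobuild=6.12.22+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host "${JUMP_HOSTS}" \
            --provider-netcup-ipv6 "${NETCUP_IPV6}" \
            --renice-priority "-19" \
            --reionice-priority 1 2 \
            --root-password-file /opt/config/password.txt \
            --ssh-port 4242 \
            --ssh-pubkey /opt/config

      - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
        env:
          ### TODO: "NAME.iso" is a placeholder for the artefact produced by the builder.
          WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
          WEBDAV_USER: ${{ secrets.NC_USER }}
          WEBDAV_PASS: ${{ secrets.NC_PASS }}
        run: |
          ### Remove old ISO if exists (a missing file is not an error here)
          curl -sS -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
          ### Upload new ISO; --fail turns an HTTP error into a non-zero exit instead of a silent success.
          curl -sS --fail -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
          ### Verify upload with a HEAD request: no need to download the whole ISO again.
          HTTP_CODE=$(curl -o /dev/null -s -I -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
          if [ "${HTTP_CODE}" -ne 200 ]; then
            echo "Upload failed with HTTP status ${HTTP_CODE}"
            exit 1
          fi
          echo "ISO successfully uploaded and verified."

      - name: Generating Hash and Signing with Private Key
        run: |
          : ### TODO: Implement this function

      - name: Generating Success Message to Push back into Repo
        run: |
          : ### TODO: Implement this function

      - name: Stage generated files.
        run: |
          ### TODO: replace this no-op with the pathspec of the generated files once the steps above produce them.
          ### Do not use "git add -A" here: the workspace also holds the .gnupg signing-key directory.
          : ### TODO: git add <generated files>

      - name: Commit and Sign changes.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          ### "[skip ci]" keeps the bot commit from re-triggering this workflow.
          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."

      - name: Push back to Repository.
        env:
          GITHUB_REF_NAME: ${{ github.ref_name }}
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          git push origin "HEAD:${GITHUB_REF_NAME}"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml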