msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
939870edb72a1a24c04edeb0e47bce0b664d427c97db858f7dbdaeb350c7161d
CISS.debian.live.builder/.gitea/workflows/generate-iso.yaml
Marc S. Weidner 707b26064b V8.02.768.2025.06.01 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-01 15:14:30 +02:00

279 lines
11 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.768.2025.06.01
name: Generating a private Live ISO.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_iso.yaml'
jobs:
generate-private-ciss-debian-live-iso:
name: Generating a private Live ISO.
runs-on: ciss.debian.live.builder
### Run all steps inside Debian Bookworm
container:
image: debian:trixie
steps:
- name: DEBUG
run: |
echo "test" > /dev/null && echo "Write OK" || echo "Write FAILED"
echo "ls -l /dev/null"
ls -l /dev/null
echo "stat /dev/null"
stat /dev/null
echo "mount | grep '/dev/null'"
mount | grep '/dev/null'
echo "ls -lL /proc/self/fd/1"
ls -lL /proc/self/fd/1
- name: Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update
apt-get install -y apt-transport-https apt-utils ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
- name: Installing Build Tools.
run: |
apt-get update
apt-get install -y \
cryptsetup \
curl \
debootstrap \
dosfstools \
efibootmgr \
gnupg \
git \
gpgv \
haveged \
live-build \
parted \
ssh \
ssl-cert \
wget \
whois
- name: Check GnuPG Version.
run: |
gpg --version
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Cleaning the workspace.
run: |
git reset --hard
git clean -fd
- name: Importing the 'CI PGP DEPLOY ONLY' key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
shell: bash
- name: Configuring Git for signed CI/DEPLOY commits.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: Preparing the build environment.
run: |
mkdir -p opt/config
mkdir -p op/livebuild
touch opt/config/password.txt && chmod 0600 opt/config/password.txt
touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
#mkdir -p opt/livebuild/chroot/dev
#mknod opt/livebuild/chroot/dev/null c 1 3
#chmod 666 opt/livebuild/chroot/dev/null
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.12.22+bpo-amd64 \
--architecture amd64 \
--build-directory opt/livebuild \
--control "${timestamp}" \
--debug \
--dhcp-centurion \
--jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
--provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
--root-password-file opt/config/password.txt \
--ssh-port 42842 \
--ssh-pubkey opt/config
if [[ $(ls opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls opt/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
- name: Preparing Centurion Cloud for LIVE ISO Upload.
run: |
NC_BASE="https://cloud.e2ee.li"
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
SHARE_SUBDIR=""
echo "Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt
if [[ -s public_iso_list.txt ]]; then
echo "Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE \
"${FILE_URL}"
if [[ $? -eq 0 ]]; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "No old ISO files found to delete."
fi
rm -f propfind_public.xml public_iso_list.txt
- name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
run: |
curl --progress-bar \
--retry 2 \
https://cloud.e2ee.li/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" \
-u '${SHARE_TOKEN}:${SHARE_PASS}' | cat
if [[ $? -eq 0 ]]; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
exit 1
fi
- name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
run: |
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512"
sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
VAR_ISO_FILE_SHA512=$(< "${VAR_ISO_FILE_SHA512}")
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
rm -f "${VAR_ISO_FILE_PATH}"
- name: Generate a success message file to push back into the repository.
run: |
PRIVATE_FILE="LIVE_ISO.private"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-31; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
CISS.debian.live.builder ISO :
"${VAR_ISO_FILE}"
CISS.debian.live.builder ISO sha512 :
"${VAR_ISO_FILE_SHA512}"
CISS.debian.live.builder ISO sha512 sign :
$(< "${SIGNATURE_FILE}")
EOF
- name: Stage generated files.
run: |
git add "${PRIVATE_FILE}"
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:
GIT_SSH_COMMAND: "ssh -p 42842"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
Reference in New Issue View Git Blame Copy Permalink