msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
da86233cad22b0de6eb5d9a0b33ef7697cc0d7b352057e27bbfc3092fd2d013d
CISS.debian.live.builder/.gitea/TODO/generate-iso.yaml
Marc S. Weidner efa3a5d3aa
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / build-dnssec-diagram (push) Successful in 30s
Details
V8.02.644.2025.05.31 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-31 00:42:24 +02:00

170 lines
6.2 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
name: Generating private Live ISO.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/autobuild.yaml'
jobs:
generating-ciss-debian-live-iso:
runs-on: ubuntu-latest
### Run all steps inside Debian Bookworm
container:
image: debian:bookworm
options: --user root
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Cleaning workspace.
run: |
git reset --hard
git clean -fd
- name: Installing Debian Live-Build and Tools.
run: |
apt-get update
apt-get install -y live-build gnupg curl whois
- name: Importing "CI PGP DEPLOY ONLY" Key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: Configuring Git for signed CI DEPLOY commits.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: Preparing Build Environment.
run: |
rm -rf /opt/{config,livebuild}
mkdir -p /opt/{config,livebuild}
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
chmod 0600 /opt/config/authorized_keys
- name: Starting CISS.debian.live.builder.
run: |
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.12.22+bpo-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
--debug \
--dhcp-centurion \
--jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
--provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
--renice-priority "-19" \
--reionice-priority 1 2 \
--root-password-file /opt/config/password.txt \
--ssh-port 4242 \
--ssh-pubkey /opt/config
- name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
env:
WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
WEBDAV_USER: ${{ secrets.NC_USER }}
WEBDAV_PASS: ${{ secrets.NC_PASS }}
run: |
### Remove old ISO if exists
curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
### Upload new ISO
curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
### Verify upload
HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
if [ "$HTTP_CODE" -ne 200 ]; then
echo "Upload failed with HTTP status ${HTTP_CODE}"
exit 1
fi
echo "ISO successfully uploaded and verified."
- name: Generating Hash and Signing with Private Key
run: |
:
### TODO: Implement this function
- name: Generating Success Message to Push back into Repo
run: |
:
### TODO: Implement this function
- name: Stage generated files.
run: |
git add !!!!!!!!!!!!!
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:
GIT_SSH_COMMAND: "ssh -p 42842"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
Reference in New Issue View Git Blame Copy Permalink