msw/draft-weidner-catalog-rr-ext
SHA256
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V1.00.128.2025.06.03
Render Graphviz Diagrams. / Render Graphviz Diagrams. (push) Successful in 23s
Details
Retrieve DNSSEC status of coresecret.dev. / Retrieve DNSSEC status of coresecret.dev. (push) Successful in 33s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-03 19:29:32 +02:00
parent 021c74e687
commit 1060269740
33 changed files with 6239 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/ISSUE_TEMPLATE/RFC-ID-FEEDBACK.yaml
+60
View File
@@ -0,0 +1,60 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-Comment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
---
name: "RFC I-D Feedback"
about: "Submit feedback or change requests for the RFC Internet-Draft"
title: "[RFC I-D Feedback]: "
labels:
- "RFC-ID"
- "feedback"
assignees: [msw]
body:
- type: markdown
attributes:
value: |
_Please enter something like `draft-ietf-example-01`_
_Where in the document does this issue occur?_
_Section / Paragraph / Line_
- type: input
id: abstract
attributes:
label: "Abstract"
description: "Briefly describe the problem or suggestion."
placeholder: "MUST be provided"
validations:
required: true
- type: input
id: proposal
attributes:
label: "Proposal"
description: "What exact change do you propose? Please include text snippets if possible."
placeholder: "MUST be provided"
validations:
required: true
- type: input
id: rfc
attributes:
label: "RFC"
description: "Link to related RFCs, specs or real-world examples."
placeholder: "MAY be provided"
validations:
required: false
- type: checkboxes
id: pr-type
attributes:
label: "Feedback Type"
options:
- label: "Editorial (typos, formatting)"
- label: "Technical"
- label: "Security Consideration"
- label: "Compatibility / Interoperability"
- label: "Other (please specify)"
# vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml:
.gitea/TODO/render-md-to-html.yaml
+223
View File
@@ -0,0 +1,223 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.00.128.2025.06.03
name: Render README.md to README.html.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- "README.md"
- '.gitea/properties/lua/linkfix.lua'
jobs:
render-md-to-html:
name: Render README.md to README.html.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install Pandoc & Dependencies.
shell: bash
run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y pandoc
#- name: ⚙️ Ensure .html/ directory exists.
# shell: bash
# run:
# mkdir -p .html
#- name: 🛠️ Render *.md to full standalone HTML.
# shell: bash
# run: |
# set -euo pipefail
# find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do
# out=$(basename "${file%.md}.html")
# pandoc -s "${file}" \
# --metadata title="${file}" \
# --metadata lang=en \
# -f gfm+footnotes \
# -t html5 \
# --no-highlight \
# --strip-comments \
# --wrap=none \
# --lua-filter=.gitea/properties/lua/linkfix.lua \
# -o .html/"${out}"
# done
- name: 🛠️ Extract HTML fragment for Gitea for *.md.
shell: bash
run: |
set -euo pipefail
find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do
out="${file%.md}.html"
pandoc "${file}" \
-f gfm+footnotes \
-t html5 \
--no-highlight \
--strip-comments \
--wrap=none \
--lua-filter=.gitea/properties/lua/linkfix.lua \
-o "${out}"
done
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add *.html || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
${CI_HEADER}
Generated at: ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD → ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/properties/json/gitea-issue-config.json
+45
View File
@@ -0,0 +1,45 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://json.schemastore.org/gitea-issue-config.json",
"$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config",
"properties": {
"blank_issues_enabled": {
"description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "boolean"
},
"contact_links": {
"title": "contact links",
"description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": ["name", "url", "about"],
"properties": {
"name": {
"description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample name"]
},
"url": {
"description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"pattern": "^https?://",
"examples": ["https://sample/url"]
},
"about": {
"description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample description"]
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false,
"title": "Gitea issue template chooser config file schema",
"type": "object"
}
.gitea/properties/json/github-workflow.json
+1715
View File
File diff suppressed because it is too large Load Diff
.gitea/properties/lua/linkfix.lua
+8
View File
@@ -0,0 +1,8 @@
-- Linkfix.lua
function Link (el)
-- wenn Linkziel auf .md endet, ändere es zu .html
if el.target:match('%.md$') then
el.target = el.target:gsub('%.md$', '.html')
end
return el
end
.gitea/trigger/t_generate_dns.yaml
+15
View File
@@ -0,0 +1,15 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 0
version: Master V1.00.128.2025.06.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/render-dnssec-status.yaml
+200
View File
@@ -0,0 +1,200 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.00.128.2025.06.03
name: Retrieve DNSSEC status of coresecret.dev.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_dns.yaml'
jobs:
build-dnssec-diagram:
name: Retrieve DNSSEC status of coresecret.dev.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install DNSViz.
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y dnsviz
- name: ⚙️ Ensure docs/SECURITY/ directory exists.
shell: bash
run: |
mkdir -p docs/SECURITY/
rm -f docs/SECURITY/coresecret.dev.png
- name: 🛠️ Prepare DNS Cache.
shell: bash
run: |
sudo apt-get install -y dnsutils
dig +dnssec +multi coresecret.dev @8.8.8.8
- name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
shell: bash
run: |
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
${CI_HEADER}
Generated at: ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD → ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/render-dot-to-png.yaml
+193
View File
@@ -0,0 +1,193 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.00.128.2025.06.03
name: Render Graphviz Diagrams.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- "**/*.gv"
- "**/*.dot"
jobs:
build-graphiz-diagrams:
name: Render Graphviz Diagrams.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install Graphviz.
shell: bash
run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y graphviz
- name: 🛠️ Render all .dot / .gv to PNG.
shell: bash
run: |
set -euo pipefail
find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
out="${file%.*}.png"
dot -Tpng "${file}" -o "${out}"
done
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add *.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
${CI_HEADER}
Generated at: ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD → ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/render-rfcxml-to-pdf.yaml
+194
View File
@@ -0,0 +1,194 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2
# SPDX-LicenseComment: This file is part of the draft-weidner-catalog-rr-ext framework.
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.00.128.2025.06.03
name: Render RFCXML to PDF.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- "**/*.rfc.xml"
jobs:
render-rfcxml-to-pdf:
name: Render RFCXML to PDF.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install Python, RFC2XML Utilities, Fonts, Libraries.
run: |
sudo apt-get update
sudo apt-get install -y python3-pip libxml2-utils
sudo apt-get install -y libpango-1.0-0 libcairo2 libgdk-pixbuf2.0-0 libffi-dev libfontconfig1 fonts-noto fonts-roboto wget unzip
- name: 🛠️ Install Python "xml2rfc" and "xml2rfc[pdf]"
run: |
pip3 install xml2rfc --break-system-packages
pip3 install "xml2rfc[pdf]" --break-system-packages
- name: 🛠️ Convert all RFCXML to PDF.
run: |
find . -name "*.rfc.xml" | while read file; do
out="${file%.rfc.xml}.pdf"
xml2rfc "${file}" --pdf -o "${out}"
done
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add *.pdf || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate PDFs from *.rfc.xml. [skip ci]
${CI_HEADER}
Generated at: ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD → ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml