msw/draft-weidner-catalog-rr-ext
SHA256
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V1.01.192.2025.06.06
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 33s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m9s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-06 18:16:53 +02:00
parent e199bde419
commit 1e6b128a57
14 changed files with 508 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/TODO/render-md-to-html.yaml
+19 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.01.128.2025.06.04
### Version Master V1.01.192.2025.06.06
name: Render README.md to README.html.
@@ -150,6 +150,15 @@ jobs:
-o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -168,6 +177,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
.gitea/trigger/t_generate_dns.yaml
+1 -1
View File
@@ -11,5 +11,5 @@
build:
counter: 0
version: Master V1.01.128.2025.06.04
version: Master V1.01.192.2025.06.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/linter_char_scripts.yaml
+369
View File
@@ -0,0 +1,369 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.01.192.2025.06.06
# Gitea Workflow: Shell-Script Linting
#
# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
# 1. Windows CRLF line endings
# 2. unauthorized control characters (C0 control characters except \t, \n)
# 3. non-ASCII (ambiguous UTF) characters
#
# Findings are collected and at the end of the run with file, line number,
# and the respective character in the Runner output.
name: 🛡️ Shell Script Linting
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
shell-script-linter:
name: 🛡️ Shell Script Linting
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/draft-weidner-catalog-rr-ext.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install dependencies.
shell: bash
run: |
### Install grep with Perl-regex support, falls noch nicht vorhanden
apt-get update
apt-get upgrade -y
apt-get install -y grep
- name: 🔍 Lint shell scripts
shell: bash
run: |
# -------------------------------
# STEP 1: Find target files.
#
# We capture:
# - All files '*.sh', '*.rfc.xml'
# - All files whose first line begins with “#!” (shebang)
# -------------------------------
mapfile -t files_to_check < <(
find . -type f \( \
-iname '*.sh' -o \
-iname '*.rfc.xml' -o \
-exec grep -Iq '^#!' {} \; \
\) -print
)
# -------------------------------
# STEP 2: Regex definitions
#
# - CRLF_REGEX Carriage Return (\r) for Windows CRLF
# - CTRL_REGEX C0 control characters except Tab (\x09) and Newline (\x0A)
# Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
# - NON_ASCII_REGEX All bytes > 0x7F
# - EMOJI_REGEX Emoji characters in the ranges:
# - \x{1F300}-\x{1F5FF} Miscellaneous Symbols & Pictographs
# - \x{1F600}-\x{1F64F} Emoticons
# - \x{1F680}-\x{1F6FF} Transport & Map Symbols
# - \x{1F900}-\x{1F9FF} Supplemental Symbols & Pictographs
# - \x{2600}-\x{26FF} Miscellaneous Symbols
# - \x{2700}-\x{27BF} Dingbats
# - BAD_WHITESPACE_REGEX All whitespace characters except ASCII space (U+0020)
# - Tab (\x09)
# - No-Break Space (\xA0)
# - U+1680, U+2000U+200A, U+202F, U+205F, U+3000
# -------------------------------
CRLF_REGEX=$'\r'
CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
NON_ASCII_REGEX='[^\x00-\x7F]'
EMOJI_REGEX='[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}]'
BAD_WHITESPACE_REGEX='[\x09\xA0\x{1680}\x{2000}-\x{200A}\x{202F}\x{205F}\x{3000}]'
# -------------------------------
# STEP 3: Accumulator for findings
# -------------------------------
findings=""
# -------------------------------
# STEP 4: Perform all checks for each file
# -------------------------------
for file in "${files_to_check[@]}"; do
#
# 4.1: CRLF detection
# grep -nP returns "lineno:<Line-with-CRLF>"
# -------------------------------
while IFS=: read -r lineno _rest; do
findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
#
# 4.2: Unauthorized control characters
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
#
# 4.3: Non-ASCII-characters
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
#
# 4.4: emoji recognition
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: emoji-found at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${EMOJI_REGEX}" "${file}" || true)
#
# 4.5: Unauthorized spaces (whitespace except ASCII space)
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
# Make visible: Tab -> <TAB>, NBSP -> <NBSP>, other U+xxxx -> <U+xxxx>
# We are creating a simple representation here by replacing unprintable
# characters with their Unicode code points.
# Example: ${char} could be "\t", we convert it to "<TAB>".
if [[ "${char}" == $'\t' ]]; then
display="<TAB>"
elif [[ "${char}" == $'\xA0' ]]; then
display="<NBSP>"
else
# Convert other Unicode whitespace to <U+XXXX>
hex=$(printf '%04X' "'${char}")
display="<U+${hex}>"
fi
findings+="${file}: bad-whitespace at line ${lineno}: ${display}"$'\n'
done < <(grep -nP -o "${BAD_WHITESPACE_REGEX}" "${file}" || true)
done
# -------------------------------
# STEP 5: Output results
# -------------------------------
if [[ -n "${findings}" ]]; then
echo -e "⚠️ Linting issues detected:\n"
echo -e "${findings}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
⚠️ The last linter check was NOT successful. ⚠️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
else
echo "✅ No issues found in shell scripts or 'rfc.xml'."
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
✅ The last linter check was successful. ✅
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
fi
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
PRIVATE_FILE="LINTER_RESULTS.txt"
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: 🛡️ Shell Script Linting [skip ci]
${CI_HEADER}
Generated at: ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/render-dnssec-status.yaml
+22 -4
View File
@@ -9,9 +9,9 @@
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.01.128.2025.06.04
### Version Master V1.01.192.2025.06.06
name: Retrieve DNSSEC status of coresecret.dev.
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
permissions:
contents: write
@@ -25,7 +25,7 @@ on:
jobs:
build-dnssec-diagram:
name: Retrieve DNSSEC status of coresecret.dev.
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
runs-on: ubuntu-latest
steps:
@@ -127,6 +127,15 @@ jobs:
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -145,6 +154,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
@@ -174,7 +192,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
COMMIT_MSG="DEPLOY BOT: 🛡️ Auto-Generate DNSSEC Status [skip ci]
${CI_HEADER}
.gitea/workflows/render-dot-to-png.yaml
+22 -4
View File
@@ -9,9 +9,9 @@
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.01.128.2025.06.04
### Version Master V1.01.192.2025.06.06
name: Render Graphviz Diagrams.
name: 🔁 Render Graphviz Diagrams.
permissions:
contents: write
@@ -26,7 +26,7 @@ on:
jobs:
build-graphiz-diagrams:
name: Render Graphviz Diagrams.
name: 🔁 Render Graphviz Diagrams.
runs-on: ubuntu-latest
steps:
@@ -120,6 +120,15 @@ jobs:
dot -Tpng "${file}" -o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -138,6 +147,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
@@ -167,7 +185,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PNG from *.dot. [skip ci]
${CI_HEADER}
.gitea/workflows/render-rfcxml-to-pdf.yaml
+22 -4
View File
@@ -9,9 +9,9 @@
# SPDX-PackageName: draft-weidner-catalog-rr-ext
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V1.01.128.2025.06.04
### Version Master V1.01.192.2025.06.06
name: Render RFCXML to PDF.
name: 🔁 Render RFCXML to PDF.
permissions:
contents: write
@@ -25,7 +25,7 @@ on:
jobs:
render-rfcxml-to-pdf:
name: Render RFCXML to PDF.
name: 🔁 Render RFCXML to PDF.
runs-on: ubuntu-latest
steps:
@@ -121,6 +121,15 @@ jobs:
xml2rfc "${file}" --pdf -o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -139,6 +148,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
@@ -168,7 +186,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate PDFs from *.rfc.xml. [skip ci]
COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PDFs from *.rfc.xml. [skip ci]
${CI_HEADER}