theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: harden secret handling — tmpfs in /dev/shm, file-based passphrase, netrc auth, EXIT trap
build-and-publish / build (push) Failing after 2m46s
Details

Browse Source
This commit is contained in:
claude
2026-04-25 21:12:55 +00:00
parent f8a197dc49
commit e4d458b185
1 changed files with 82 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build-publish.yml
+80 -58
View File
@@ -9,29 +9,31 @@ jobs:
build: build:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout - name: Checkout source
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install build deps - name: Install build dependencies
run: | run: |
set -euo pipefail
sudo apt-get update -y sudo apt-get update -y
sudo apt-get install -y --no-install-recommends \ sudo apt-get install -y --no-install-recommends \
git curl wget ca-certificates dpkg-dev fakeroot \ git curl wget ca-certificates dpkg-dev fakeroot \
build-essential gnupg dpkg-sig build-essential gnupg dpkg-sig
- name: Build NGINX (run.sh new + build + postfix) - name: Compile nginx and modules
run: | run: |
set -euo pipefail
sudo touch /.dockerenv sudo touch /.dockerenv
sudo bash build/run.sh new sudo bash build/run.sh new
sudo bash build/run.sh build sudo bash build/run.sh build
sudo bash build/run.sh postfix sudo bash build/run.sh postfix
- name: Package .deb - name: Assemble .deb package
id: pkg id: pkg
run: | run: |
set -e set -euo pipefail
PKG_NAME="twiy" PKG_NAME="twiy"
VERSION=$(nginx -v 2>&1 | awk -F'/' '{print $2}') VERSION="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
ARCH="amd64" ARCH="amd64"
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}" PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
DEB_DIR="${PKG_DIR}/DEBIAN" DEB_DIR="${PKG_DIR}/DEBIAN"
@@ -60,7 +62,7 @@ jobs:
Priority: optional Priority: optional
Architecture: ${ARCH} Architecture: ${ARCH}
Maintainer: Julio <me@julio.al> Maintainer: Julio <me@julio.al>
Description: Nginx L7 DDoS Protection (The-World-Is-Yours) built by RAWeb CI. Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
EOF EOF
sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF' sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
@@ -72,68 +74,88 @@ jobs:
sudo dpkg-deb --build "${PKG_DIR}" sudo dpkg-deb --build "${PKG_DIR}"
DEB_FILE="${PKG_DIR}.deb" DEB_FILE="${PKG_DIR}.deb"
echo "deb_file=${DEB_FILE}" >> "$GITHUB_OUTPUT" sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "pkg_name=${PKG_NAME}" >> "$GITHUB_OUTPUT" {
echo "deb_file=${DEB_FILE}"
echo "version=${VERSION}"
echo "pkg_name=${PKG_NAME}"
} >> "$GITHUB_OUTPUT"
ls -la "${DEB_FILE}" ls -la "${DEB_FILE}"
sha256sum "${DEB_FILE}" sha256sum "${DEB_FILE}"
- name: Import GPG key + sign .deb - name: Sign and publish to Nexus
env: env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
run: |
set -e
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# Pre-cache passphrase via gpg-agent so dpkg-sig can sign non-interactively
echo "allow-loopback-pinentry" >> "$GNUPGHOME/gpg-agent.conf"
echo "pinentry-mode loopback" >> "$GNUPGHOME/gpg.conf"
gpg-connect-agent reloadagent /bye >/dev/null
# Sign with dpkg-sig (preferred) — falls back to debsigs if dpkg-sig missing
if command -v dpkg-sig >/dev/null; then
sudo --preserve-env=GNUPGHOME,GPG_PASSPHRASE dpkg-sig \
-k "$GPG_KEY_ID" \
-g "--batch --pinentry-mode loopback --passphrase $GPG_PASSPHRASE" \
--sign builder "$DEB_FILE"
fi
# Verify the signature is present (informational)
dpkg-sig --verify "$DEB_FILE" || true
- name: Publish to apt.julio.al/${{ secrets.NEXUS_REPO }}
env:
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
NEXUS_USER: ${{ secrets.NEXUS_USER }} NEXUS_USER: ${{ secrets.NEXUS_USER }}
NEXUS_PASS: ${{ secrets.NEXUS_PASS }} NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }} DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }} PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
run: | run: |
set -e set -euo pipefail
# Best-effort: delete an existing same-named component so re-publishes overwrite cleanly umask 077
COMPONENT_ID=$(curl -s -u "${NEXUS_USER}:${NEXUS_PASS}" \
"${NEXUS_URL}/service/rest/v1/components?repository=${NEXUS_REPO}" \ # Tmpfs (RAM-only) scratch for every byte of secret material.
| python3 -c " # Falls back to /tmp if /dev/shm is absent.
import sys, json SECDIR="$(mktemp -d -p /dev/shm raweb-XXXXXXXX 2>/dev/null \
d=json.load(sys.stdin) || mktemp -d -t raweb-XXXXXXXX)"
for c in d.get('items', []): chmod 700 "$SECDIR"
if c.get('name') == '${PKG_NAME}': export GNUPGHOME="$SECDIR/gnupg"
print(c.get('id')); break
" || true) cleanup() {
if [ -n "$COMPONENT_ID" ]; then (gpg --batch --yes --quiet \
echo "Removing previous ${PKG_NAME} component ${COMPONENT_ID}" --delete-secret-and-public-key "$GPG_KEY_ID" 2>/dev/null) || true
curl -s -u "${NEXUS_USER}:${NEXUS_PASS}" -X DELETE \ (gpgconf --kill all 2>/dev/null) || true
"${NEXUS_URL}/service/rest/v1/components/${COMPONENT_ID}" find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT
# Materialise secrets to in-memory files. After this, drop them from env
# so any subprocess (or accidental `env`) cannot read them.
printf '%s' "$GPG_PRIVATE_KEY" > "$SECDIR/key.asc"
printf '%s' "$GPG_PASSPHRASE" > "$SECDIR/pp"
printf 'machine apt.julio.al login %s password %s\n' \
"$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
unset GPG_PRIVATE_KEY GPG_PASSPHRASE NEXUS_PASS NEXUS_USER
# Ephemeral keyring on tmpfs.
mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
gpg --batch --import "$SECDIR/key.asc"
# Sign the .deb. Passphrase passed via FILE — never argv, never env.
dpkg-sig -k "$GPG_KEY_ID" \
-g "--batch --pinentry-mode loopback --passphrase-file $SECDIR/pp" \
--sign builder "$DEB_FILE"
dpkg-sig --verify "$DEB_FILE"
# Replace any prior component of the same name (best-effort).
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$PKG_NAME" python3 -c '
import sys, json, os
for c in json.load(sys.stdin).get("items", []):
if c.get("name") == os.environ["PKG_NAME"]:
print(c["id"]); break
' || true)"
if [ -n "$OLD_ID" ]; then
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
fi fi
HTTP=$(curl -s -o /tmp/upload.out -w '%{http_code}' \ # Upload — auth via netrc (not -u, not query string).
-u "${NEXUS_USER}:${NEXUS_PASS}" \ HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
-X POST \ -o "$SECDIR/upload.body" -w '%{http_code}' \
-F "apt.asset=@${DEB_FILE}" \ -X POST -F "apt.asset=@$DEB_FILE" \
"${NEXUS_URL}/service/rest/v1/components?repository=${NEXUS_REPO}") "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
echo "Upload HTTP: $HTTP" case "$HTTP" in
[ "$HTTP" = "204" ] || [ "$HTTP" = "201" ] || { cat /tmp/upload.out; exit 1; } 201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
echo "Published $(basename "$DEB_FILE") to ${NEXUS_URL}/repository/${NEXUS_REPO}/" *) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
esac