Commit Graph

41 Commits

Author SHA1 Message Date
Ben Grande
076a242b55
feat: bump Chrome signing keys 2024-11-04 15:29:51 +01:00
Ben Grande
8fbd9a063c
feat: verify commit signature before push
Check commit signature and if it fails, check if any signed tags
associated with commit exist from a keyring that can be found only
locally.

For: https://github.com/ben-grande/qusal/issues/105
2024-10-25 11:18:52 +02:00
Ben Grande
d5b4190d3e
fix: skip projects with untracked states 2024-10-14 16:18:40 +02:00
Ben Grande
eb5cbe851c
fix: sys-gui-vnc and sys-gui-gpu titles 2024-09-25 20:14:24 +02:00
Ben Grande
bdd4c789c1
fix: avoid echo usage
Echo can interpret operand as an option and checking every variable to
be echoed is troublesome while with printf, if the format specifier is
present before the operand, printing as string can be enforced.
2024-08-06 18:15:24 +02:00
Ben Grande
1b2f1ba941
fix: avoid operand evaluation as argument
Explicit end option parsing as the shell can be quite dangerous without
it.
2024-08-06 17:13:25 +02:00
Ben Grande
95a184d1a9
fix: change directory to repository top level 2024-07-19 15:29:17 +02:00
Ben Grande
fa11a1da7f
fix: lint all Salt file extensions 2024-07-18 12:23:38 +02:00
Ben Grande
cf432651b3
fix: shell syntax typos 2024-07-15 10:08:19 +02:00
Ben Grande
04d1aaf63e
feat: find PGP keys from within the linter
- Find PGP keys using the same methods as other scripts;
- Lower threshold to 30 days by default;
- Add environment variable to set threshold;
- Add colors to distinguish expired from expires soon; and
- Add days until key expiration when it is below threshold.
2024-07-11 15:29:57 +02:00
Ben Grande
4239032cfc
fix: uniform lint scripts name 2024-07-10 15:06:11 +02:00
Ben Grande
224312ed42
feat: enable all optional shellcheck validations
Make shell a little bit safer with:

- add-default-case
- check-extra-masked-returns
- check-set-e-suppressed
- quote-safe-variables
- check-unassigned-uppercase

Although there are some stylistic decisions for uniformity:

- avoid-nullary-conditions
- deprecated-which
- require-variable-braces
2024-07-10 14:36:05 +02:00
Ben Grande
011a71a36d
style: limit line length per file extension
Editorconfig can only act based on file extension and path, not
attributes, it remains a mean only for multiple collaborators to use the
same configuration on their editor. When it is too restrictive, such as
not considering the file syntax, use a lint tool for the specific file
type instead of trusting editorconfig. Changes were made to increase
readability.
2024-07-09 17:42:07 +02:00
Ben Grande
6eb13fa07f
ci: reproducible license sort 2024-07-08 19:10:14 +02:00
Ben Grande
6e6c7b452f
ci: escape special sed character 2024-07-08 18:34:41 +02:00
Ben Grande
f30e5e11a9
build: dictionary sort licenses names
GHA can sort differently than local.
2024-07-08 18:20:12 +02:00
Ben Grande
0f6aa34a89
test: show RPM Spec differences on status check 2024-07-08 18:00:01 +02:00
Ben Grande
523bca2327
fix: conform files to editorconfig specification 2024-07-08 17:26:34 +02:00
Ben Grande
0e150382e1
ci: check if RPM Specs are up to date 2024-07-08 15:21:49 +02:00
Ben Grande
f60077f1a9
doc: spell check 2024-07-08 11:41:45 +02:00
Ben Grande
077b9b4e5e
ci: lint YAML and spell check code 2024-07-08 11:12:38 +02:00
Ben Grande
35fa43dadf
perf: make pre-commit hooks pass file extensions
- shell-lint: faster evaluation of shell scripts, hook 40% faster;
- *-lint: unify method to find the "find" utility; and
- pre-commit: pass file extensions to lint tools.
2024-07-06 22:25:54 +02:00
Ben Grande
d457302fc3
feat: lint python files 2024-07-05 12:24:24 +02:00
Ben Grande
2a4b453b58
fix: lint GitHub issue and pull request templates 2024-07-04 18:09:38 +02:00
Ben Grande
383c840f2f
doc: lint markdown files
Only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes,
be consistent.
2024-07-04 17:27:31 +02:00
Ben Grande
c0508977c7
build: remove unpackaged hidden files
Dotfiles build failed as it is a submodule and contains ".git" and
"LICENSES". Hidden files in the base directory are normally used to
specify configuration of tools for development, not usable in packages.

For: https://github.com/ben-grande/qusal/issues/59
2024-06-24 17:11:46 +02:00
Ben Grande
e2791139ee
fix: build RPM contained in spec definitions
The spec-build.sh was necessary for a proper build, but it is not
correct to depend on external scripts to generate the correct
RPM_BUILD_ROOT files. Now everything is contained in the spec file. The
spec-build.sh can be used in the future to automate the process of
copying sources to the specified directory and signing, but not
modifying the sources contents on a per file basis.

For: https://github.com/ben-grande/qusal/issues/59
2024-06-24 08:24:48 +02:00
Ben Grande
ac6f707bf5
ci: set spec vendor as git user.name is unset
Fixes: https://github.com/ben-grande/qusal/issues/67
2024-06-22 12:39:51 +02:00
Ben Grande
c84dfea48e
fix: generate RPM Specs for Qubes Builder V2
It doesn't checkout the current directory when querying the spec, so we
provide the already modified version of the spec.
2024-06-21 17:00:06 +02:00
Ben Grande
8640b6d11b
feat: add Qubes Builder configuration
For: https://github.com/ben-grande/qusal/issues/59
2024-06-20 17:54:40 +02:00
Ben Grande
ff41103194
build: spec scriptlet fails when it is empty
Echoing the word true was getting evaluated instead of being assigned as
a string.
2024-06-14 19:22:43 +02:00
Ben Grande
3c2bba2a9a
build: quiet build and verbose changelog 2024-06-13 14:03:16 +02:00
Ben Grande
fe996b3a35
ci: untracked readme is an untracked project 2024-06-13 13:14:41 +02:00
Ben Grande
fc22726ee8
feat: build and sign RPM packages
Passing files to Dom0 is always dangerous:

- Passing a git repository is dangerous as it can have ignored modified
  files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
  some times it is not.
- Passing a RPM repository definition is less troublesome for the user,
  as it is a small file to verify the contents and update mechanism is
  via the package manager. Trust in RPM verification is still required.

Many improvements were made to the build scripts:

- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.

Goal is to be able to build with qubes-builderv2 Qubes Executor.

For: https://github.com/ben-grande/qusal/issues/37
2024-06-12 14:44:04 +02:00
Ben Grande
40a4107290
fix: verify all subkeys expiration date
For: https://github.com/ben-grande/qusal/issues/46
2024-05-15 15:58:00 +02:00
Ben Grande
c6e4224e1b
feat: monitor pgp key expiration
For: https://github.com/ben-grande/qusal/issues/46
2024-05-15 01:26:59 +02:00
Ben Grande
ee7bfd5089 fix: remove sudo from RPM spec 2024-03-14 16:22:41 +01:00
Ben Grande
9b6895b06f feat: print hex of unicode
Useful to detect unwanted characters in third party contributions
patches using a CI hook.
2024-03-14 12:09:49 +01:00
Ben Grande
6efcc1da77 chore: copyright update 2024-01-29 16:49:54 +01:00
Ben Grande
9b740d8314 feat: allow to run setup outside of its directory 2024-01-18 09:25:01 +01:00
Ben Grande
5eebd789ed refactor: initial commit 2023-11-13 14:33:28 +00:00