action-common-setup/action.yml

# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2024 GregoryDosh
---
name: Common Homelab Forgejo Actions Setup
description: |
  Configure a handful of common required steps for all homelab related tasks.

inputs:
  SUBMODULE_UPDATE:
    description: Whether or not to update submodules after clone.
    default: "true"
    required: true
  STEP_INSTALL:
    description: Whether or not to install the step-cli.
    default: "false"
    required: true
  STEP_CA_URL:
    description: Step CA URL
    default: "https://ca.auengun.net"
    required: true
  STEP_CA_BOOTSTRAP:
    description: Whether or not to bootstrap the image with PKI certs/config.
    default: "false"
    required: true
  STEP_CA_FINGERPRINT:
    description: Fingerprint to use for online bootstrapping
    required: true
  STEP_CA_JWK_PASSWORD:
    description: Password for provisioning temporary certificates from the CA
    required: true

runs:
  using: "composite"
  steps:
    - shell: bash
      run: |
        echo "::group::Starting SSH Agent"
        if command -v ssh-agent &> /dev/null; then
          ssh_env=$(ssh-agent)
          eval $ssh_env
          {
            printf $ssh_env | grep -v "echo" | xargs -I {} sh -c 'echo "{}" | cut -f "1" -d ";"'
          } >> "$GITHUB_ENV"
        fi
        echo "::endgroup::"

    - shell: bash
      if: ${{ inputs.STEP_INSTALL == 'true' }}
      env:
        # renovate: datasource=github-releases depName=smallstep/cli
        STEP_VERSION: v0.28.7
      run: |
        echo "::group::Step CLI"
        if ! command -v step &> /dev/null; then
          echo "Installing step-cli binary as \`step\`"
          mkdir ./step
          export STEP_URL="https://github.com/smallstep/cli/releases/download/${STEP_VERSION}/step_linux_${STEP_VERSION##v}_amd64.tar.gz"
          if command -v curl &> /dev/null; then
            curl -s "$STEP_URL" -L -o - | tar xvz --strip-components=1 -C ./step
          elif command -v wget &> /dev/null; then
            wget -qO- "$STEP_URL" | tar xvz --strip-components=1 -C ./step
          else
            exit 1
          fi
          cp ./step/bin/step /usr/local/bin
        else
          echo "Skipping \`step\` install"
        fi
        echo "::endgroup::"

    - shell: bash
      run: |
        echo "::group::Bootstrapping Local Environment"
        if [ "$INPUT_STEP_CA_BOOTSTRAP" == "true" ]; then
          step ca bootstrap \
            --ca-url "$INPUT_STEP_CA_URL" \
            --fingerprint "$INPUT_STEP_CA_FINGERPRINT" \
            --force
            export STEP_CERT_PATH="$HOME/.step/certs/root_ca.crt"
        else
          if [ -f /spm-root.crt ]; then
            export STEP_CERT_PATH="/spm-root.crt"
          fi
        fi

        if [ -f $STEP_CERT_PATH ]; then
          {
            printf "STEP_CERT_PATH=%s" "${STEP_CERT_PATH}"
          } >> "$GITHUB_ENV"
        else
          echo "unable to find '$STEP_CERT_PATH'"
          exit 1
        fi

        # Git
        git config --global http."https://git.auengun.net/".sslCAInfo $STEP_CERT_PATH

        # System Certs
        if [ -w /usr/local/share/ca-certificates/ ]; then
          cp $STEP_CERT_PATH /usr/local/share/ca-certificates/SPM_Root_CA.crt
          if command -v update-ca-certificates &> /dev/null; then
            update-ca-certificates
          else
            echo "[WARN] Unable to find update-ca-certificates to system trust store."
          fi
        else
          echo "[WARN] Unable to write certificates to system trust store."
        fi

        echo "Completed bootstrapping"
        echo "::endgroup::"
        echo "SPM Homelab Certificates available at:"
        echo "  - System Path: $STEP_CERT_PATH"
        echo "  - ENV Var: STEP_CERT_PATH (resolve to $STEP_CERT_PATH)"

    - shell: bash
      if: ${{ inputs.STEP_CA_JWK_PASSWORD != '' }}
      run: |
        echo "::group::Provisioning a temporal SSH User Certificate"
        export STEP_CA_JWK_PASSWORD_PATH="$HOME/.STEP_CA_JWK_PASSWORD"
        while read -r line; do
          echo "::add-mask::${line}"
        done <<< "$INPUT_STEP_CA_JWK_PASSWORD"

        echo "$INPUT_STEP_CA_JWK_PASSWORD" > "$STEP_CA_JWK_PASSWORD_PATH"
        chmod 600 "$STEP_CA_JWK_PASSWORD_PATH"

        mkdir -p ~/.ssh/
        chmod '0700' ~/.ssh/
        step ssh certificate \
            --ca-url "$INPUT_STEP_CA_URL" \
            --root "$STEP_CERT_PATH" \
            ${GITHUB_ACTOR} \
            --principal ${GITHUB_ACTOR} \
            --principal root \
            --principal ubuntu \
            ~/.ssh/id_ecdsa \
            --provisioner-password-file "$STEP_CA_JWK_PASSWORD_PATH" \
            --issuer jwk_cicd \
            --insecure \
            --no-password && rm -f "$STEP_CA_JWK_PASSWORD_PATH"
        if [ -f "$STEP_CA_JWK_PASSWORD_PATH" ]; then echo "couldn't safely purge JWK password"; exit 1; fi
        step ssh config --ca-url "$INPUT_STEP_CA_URL" --root "$STEP_CERT_PATH" -f
        echo "Step SSH Config complete"
        echo "::endgroup::"

    - name: Clone Repo into Workspace
      uses: https://git.auengun.net/actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        github-server-url: https://git.auengun.net
        persist-credentials: true

    - name: Submodule Update
      if: ${{ inputs.SUBMODULE_UPDATE == 'true' }}
      shell: bash
      run: |
        echo "::group::Submodule clone & initialization"
        git submodule update --init --recursive
        echo "::endgroup::"