From e0d6619e138d61f8cb1452f9ed7590e90eba6bd5 Mon Sep 17 00:00:00 2001
From: Attila Gombos
Date: Sun, 22 Mar 2026 07:13:48 +0100
Subject: [PATCH 1/3] Run apt repository check at the start of CI workflows
---
 .github/workflows/release.yml | 2 +
 .github/workflows/test.yml | 3 +
 Dockerfile | 3 +-
 Dockerfile-cross | 3 +-
 apt_check | 59 -------------------
 build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py | 1 -
 6 files changed, 7 insertions(+), 64 deletions(-)
 delete mode 100755 apt_check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0d82ce1..6d7ba4b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ on:
 - "v*.*.*"
 jobs:
+ check-apt-repository:
+ uses: EffectiveRange/ci-workflows/.github/workflows/apt-repository-check.yaml@main
 call_build_cross_base-armhf-bookworm:
 uses: ./.github/workflows/docker-image-cross.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 173a462..73172e6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ on:
 - reopened
 jobs:
+ check-apt-repository:
+ uses: EffectiveRange/ci-workflows/.github/workflows/apt-repository-check.yaml@main
+
 test:
 runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index 6e91704..a1d2c81 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,10 +11,9 @@ ARG BUILD_ARCH=armhf
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
-COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
+RUN apt_update && apt_install -y wget
 # Checks if the 'crossbuilder' user exists.
 RUN if ! id crossbuilder 2>/dev/null;then \
diff --git a/Dockerfile-cross b/Dockerfile-cross
index 630ed61..fb493ac 100644
--- a/Dockerfile-cross
+++ b/Dockerfile-cross
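Review bot: The `check-apt-repository` job added to release.yml (and the identical job in the test.yml hunk) calls the reusable workflow at `@main`, a mutable ref, so whatever is on that branch at run time executes inside this repository's release and test pipelines. Pin it to a full commit SHA, e.g. `uses: EffectiveRange/ci-workflows/.github/workflows/apt-repository-check.yaml@<FULL_COMMIT_SHA>`, and move the pin deliberately when the check changes. The hunks also show no `needs: check-apt-repository` on the neighbouring jobs; if none exists outside the visible lines, the check runs in parallel with the build instead of gating it, which does not match the commit title.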
@@ -12,10 +12,9 @@ ARG EARLY_EXIT_STEP=""
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
-COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
+RUN apt_update && apt_install -y wget
 RUN groupadd -g $BUILD_GID crossbuilder
 RUN useradd -d /home/crossbuilder -m -g $BUILD_GID -u $BUILD_UID -s /bin/bash crossbuilder
diff --git a/apt_check b/apt_check
deleted file mode 100755
index b2b0d86..0000000
--- a/apt_check
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/bash
-
-REPO_HOST="aptrepo.effective-range.com"
-
-echo -n "ℹ️ Runner public IP: "
-curl -s https://api.ipify.org
-echo
-
-echo
-
-echo "ℹ️ Checking DNS resolution for $REPO_HOST..."
-DNS_RESULT=$(getent hosts "$REPO_HOST")
-echo "$DNS_RESULT"
-if [ -z "$DNS_RESULT" ]; then
- echo "❌ DNS resolution failed for $REPO_HOST" >&2
- exit 1
-else
- echo "✅ DNS resolution successful for $REPO_HOST"
- REPO_IP=$(echo "$DNS_RESULT" | awk '{print $1}')
-fi
-
-echo
-
-echo "ℹ️ Checking route to host $REPO_HOST..."
-ROUTE_RESULT=$(ip route get "$REPO_IP" 2>&1)
-if [ $? -ne 0 ]; then
- echo "$ROUTE_RESULT" | head -n 1
- echo "❌ No route to host $REPO_HOST ($REPO_IP)" >&2
- exit 2
-else
- echo "$ROUTE_RESULT" | head -n 1
- echo "✅ Found route to host $REPO_HOST ($REPO_IP)"
-fi
-
-echo
-
-echo "ℹ️ Checking TCP connectivity to $REPO_HOST..."
-if ! nc -vz -w 5 "$REPO_IP" 80; then
- echo "❌ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 failed" >&2
- exit 3
-else
- echo "✅ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 is successful"
-fi
-
-echo
-
-KEY_URL="http://$REPO_HOST/effectiverange.gpg.key"
-echo "ℹ️ Checking HTTP connectivity to $KEY_URL..."
-if ! wget -nv --spider --timeout=10 --tries=2 "$KEY_URL"; then
- echo "❌ Failed to fetch $KEY_URL" >&2
- exit 4
-else
- echo "✅ Successfully fetched $KEY_URL"
-fi
-
-echo
-
-echo "✅ All connectivity checks passed for $REPO_HOST"
-exit 0
diff --git a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
index c3a3e77..59997e2 100755
--- a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
+++ b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
@@ -266,7 +266,6 @@ def install_in_buildroot(args, allDeps):
 def install_in_hostroot(args, allDeps):
- run_in_hostroot_with_lock(build_arch, "apt_check")
 install_in_root(build_arch, run_in_hostroot_with_lock, allDeps, side="host")
From 205b9893fea9e9a6d4e265d2fffd995cd70a867b Mon Sep 17 00:00:00 2001
From: Attila Gombos
Date: Sun, 22 Mar 2026 11:06:46 +0100
Subject: [PATCH 2/3] Revert "Run apt repository check at the start of CI workflows"
This reverts commit e0d6619e138d61f8cb1452f9ed7590e90eba6bd5.
---
 .github/workflows/release.yml | 2 -
 .github/workflows/test.yml | 3 -
 Dockerfile | 3 +-
 Dockerfile-cross | 3 +-
 apt_check | 59 +++++++++++++++++++
 build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py | 1 +
 6 files changed, 64 insertions(+), 7 deletions(-)
 create mode 100755 apt_check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d7ba4b..0d82ce1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,8 +15,6 @@ on:
 - "v*.*.*"
 jobs:
- check-apt-repository:
- uses: EffectiveRange/ci-workflows/.github/workflows/apt-repository-check.yaml@main
 call_build_cross_base-armhf-bookworm:
 uses: ./.github/workflows/docker-image-cross.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73172e6..173a462 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,9 +8,6 @@ on:
 - reopened
 jobs:
- check-apt-repository:
- uses: EffectiveRange/ci-workflows/.github/workflows/apt-repository-check.yaml@main
-
 test:
 runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index a1d2c81..6e91704 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,9 +11,10 @@ ARG BUILD_ARCH=armhf
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
+COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y wget
+RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
 # Checks if the 'crossbuilder' user exists.
 RUN if ! id crossbuilder 2>/dev/null;then \
diff --git a/Dockerfile-cross b/Dockerfile-cross
index fb493ac..630ed61 100644
--- a/Dockerfile-cross
+++ b/Dockerfile-cross
@@ -12,9 +12,10 @@ ARG EARLY_EXIT_STEP=""
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
+COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y wget
+RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
 RUN groupadd -g $BUILD_GID crossbuilder
 RUN useradd -d /home/crossbuilder -m -g $BUILD_GID -u $BUILD_UID -s /bin/bash crossbuilder
diff --git a/apt_check b/apt_check
new file mode 100755
index 0000000..b2b0d86
--- /dev/null
+++ b/apt_check
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+REPO_HOST="aptrepo.effective-range.com"
+
+echo -n "ℹ️ Runner public IP: "
+curl -s https://api.ipify.org
+echo
+
+echo
+
+echo "ℹ️ Checking DNS resolution for $REPO_HOST..."
+DNS_RESULT=$(getent hosts "$REPO_HOST")
+echo "$DNS_RESULT"
+if [ -z "$DNS_RESULT" ]; then
+ echo "❌ DNS resolution failed for $REPO_HOST" >&2
+ exit 1
+else
+ echo "✅ DNS resolution successful for $REPO_HOST"
+ REPO_IP=$(echo "$DNS_RESULT" | awk '{print $1}')
+fi
+
+echo
+
+echo "ℹ️ Checking route to host $REPO_HOST..."
+ROUTE_RESULT=$(ip route get "$REPO_IP" 2>&1)
+if [ $? -ne 0 ]; then
+ echo "$ROUTE_RESULT" | head -n 1
+ echo "❌ No route to host $REPO_HOST ($REPO_IP)" >&2
+ exit 2
+else
+ echo "$ROUTE_RESULT" | head -n 1
+ echo "✅ Found route to host $REPO_HOST ($REPO_IP)"
+fi
+
+echo
+
+echo "ℹ️ Checking TCP connectivity to $REPO_HOST..."
+if ! nc -vz -w 5 "$REPO_IP" 80; then
+ echo "❌ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 failed" >&2
+ exit 3
+else
+ echo "✅ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 is successful"
+fi
+
+echo
+
+KEY_URL="http://$REPO_HOST/effectiverange.gpg.key"
+echo "ℹ️ Checking HTTP connectivity to $KEY_URL..."
+if ! wget -nv --spider --timeout=10 --tries=2 "$KEY_URL"; then
+ echo "❌ Failed to fetch $KEY_URL" >&2
+ exit 4
+else
+ echo "✅ Successfully fetched $KEY_URL"
+fi
+
+echo
+
+echo "✅ All connectivity checks passed for $REPO_HOST"
+exit 0
diff --git a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
index 59997e2..c3a3e77 100755
--- a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
+++ b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
@@ -266,6 +266,7 @@ def install_in_buildroot(args, allDeps):
 def install_in_hostroot(args, allDeps):
+ run_in_hostroot_with_lock(build_arch, "apt_check")
 install_in_root(build_arch, run_in_hostroot_with_lock, allDeps, side="host")
From f60d51639e39a2ba728c6885355281d2e3a24d19 Mon Sep 17 00:00:00 2001
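Review bot: In the restored apt_check script, `REPO_IP=$(echo "$DNS_RESULT" | awk '{print $1}')` keeps every address that `getent hosts` prints, so a name that resolves to more than one address can leave a multi-line value in `REPO_IP`, and the later `ip route get "$REPO_IP"` and `nc -vz -w 5 "$REPO_IP" 80` then fail for a reason unrelated to connectivity. Taking only the first line, `awk 'NR==1 {print $1}'`, keeps the later steps well-defined. Separately, `curl -s https://api.ipify.org` contacts a third-party service on every run and its exit status is never checked, so the log can show an empty "Runner public IP" with no error. The last probe only tests reachability over plain `http://` on port 80, so a passing run says nothing about the integrity of the key served at that URL.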
From: Attila Gombos
Date: Sun, 22 Mar 2026 11:23:51 +0100
Subject: [PATCH 3/3] Download script at image build
---
 Dockerfile | 6 +-
 Dockerfile-cross | 6 +-
 apt_check | 59 -------------------
 build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py | 1 +
 4 files changed, 9 insertions(+), 63 deletions(-)
 delete mode 100755 apt_check
diff --git a/Dockerfile b/Dockerfile
index 6e91704..35defc9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,10 +11,12 @@ ARG BUILD_ARCH=armhf
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
-COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
+RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd
+RUN wget -O /usr/local/bin/apt_check https://raw.githubusercontent.com/EffectiveRange/infrastructure-configuration/refs/heads/main/aptrepo/repository/check_repo.sh \
+ && chmod +x /usr/local/bin/apt_check
+RUN apt_check
 # Checks if the 'crossbuilder' user exists.
 RUN if ! id crossbuilder 2>/dev/null;then \
diff --git a/Dockerfile-cross b/Dockerfile-cross
index 630ed61..b7b6a1f 100644
--- a/Dockerfile-cross
+++ b/Dockerfile-cross
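Review bot: The new `RUN wget -O /usr/local/bin/apt_check …/refs/heads/main/…/check_repo.sh` step in the Dockerfile hunk fetches a script from a mutable branch, and the following `RUN apt_check` executes it during the build with no integrity check. Any change to that branch, or a compromise of that repository, therefore changes what runs in the image build and what stays installed at /usr/local/bin/apt_check for later callers. The Dockerfile-cross hunk adds the same three lines. Fetch the script by commit SHA and verify a recorded SHA-256 before `chmod +x`, as sketched below; both values are placeholders to be filled in from the reviewed revision. A pinned URL also makes layer caching predictable, since a cached layer can otherwise hold a copy that differs from the current branch head.

```dockerfile
# Placeholders: set both from the reviewed revision of check_repo.sh.
ARG APT_CHECK_REF=<PINNED_COMMIT_SHA>
ARG APT_CHECK_SHA256=<EXPECTED_SHA256>
RUN wget -O /usr/local/bin/apt_check https://raw.githubusercontent.com/EffectiveRange/infrastructure-configuration/${APT_CHECK_REF}/aptrepo/repository/check_repo.sh \
    && echo "${APT_CHECK_SHA256}  /usr/local/bin/apt_check" | sha256sum -c - \
    && chmod +x /usr/local/bin/apt_check
RUN apt_check
```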
@@ -12,10 +12,12 @@ ARG EARLY_EXIT_STEP=""
 COPY apt-ci-hardening /etc/apt/apt.conf.d/99-ci-hardening
 COPY --chmod=0755 retry /usr/local/bin/retry
-COPY --chmod=0755 apt_check /usr/local/bin/apt_check
 COPY --chmod=0755 apt_update /usr/local/bin/apt_update
 COPY --chmod=0755 apt_install /usr/local/bin/apt_install
-RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd && apt_check
+RUN apt_update && apt_install -y curl wget iproute2 netcat-openbsd
+RUN wget -O /usr/local/bin/apt_check https://raw.githubusercontent.com/EffectiveRange/infrastructure-configuration/refs/heads/main/aptrepo/repository/check_repo.sh \
+ && chmod +x /usr/local/bin/apt_check
+RUN apt_check
 RUN groupadd -g $BUILD_GID crossbuilder
 RUN useradd -d /home/crossbuilder -m -g $BUILD_GID -u $BUILD_UID -s /bin/bash crossbuilder
diff --git a/apt_check b/apt_check
deleted file mode 100755
index b2b0d86..0000000
--- a/apt_check
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/bash
-
-REPO_HOST="aptrepo.effective-range.com"
-
-echo -n "ℹ️ Runner public IP: "
-curl -s https://api.ipify.org
-echo
-
-echo
-
-echo "ℹ️ Checking DNS resolution for $REPO_HOST..."
-DNS_RESULT=$(getent hosts "$REPO_HOST")
-echo "$DNS_RESULT"
-if [ -z "$DNS_RESULT" ]; then
- echo "❌ DNS resolution failed for $REPO_HOST" >&2
- exit 1
-else
- echo "✅ DNS resolution successful for $REPO_HOST"
- REPO_IP=$(echo "$DNS_RESULT" | awk '{print $1}')
-fi
-
-echo
-
-echo "ℹ️ Checking route to host $REPO_HOST..."
-ROUTE_RESULT=$(ip route get "$REPO_IP" 2>&1)
-if [ $? -ne 0 ]; then
- echo "$ROUTE_RESULT" | head -n 1
- echo "❌ No route to host $REPO_HOST ($REPO_IP)" >&2
- exit 2
-else
- echo "$ROUTE_RESULT" | head -n 1
- echo "✅ Found route to host $REPO_HOST ($REPO_IP)"
-fi
-
-echo
-
-echo "ℹ️ Checking TCP connectivity to $REPO_HOST..."
-if ! nc -vz -w 5 "$REPO_IP" 80; then
- echo "❌ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 failed" >&2
- exit 3
-else
- echo "✅ TCP connectivity to $REPO_HOST ($REPO_IP) on port 80 is successful"
-fi
-
-echo
-
-KEY_URL="http://$REPO_HOST/effectiverange.gpg.key"
-echo "ℹ️ Checking HTTP connectivity to $KEY_URL..."
-if ! wget -nv --spider --timeout=10 --tries=2 "$KEY_URL"; then
- echo "❌ Failed to fetch $KEY_URL" >&2
- exit 4
-else
- echo "✅ Successfully fetched $KEY_URL"
-fi
-
-echo
-
-echo "✅ All connectivity checks passed for $REPO_HOST"
-exit 0
diff --git a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
index c3a3e77..d80d189 100755
--- a/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
+++ b/build_tools/dpkgdeps_src/dpkgdeps/dpkgdeps.py
@@ -281,6 +281,7 @@ def main():
 with traceback_with_variables.printing_exc(
 file_=traceback_with_variables.LoggerAsFile(logger)
 ):
+ run_in_hostroot_with_lock(build_arch, "apt_check")
 deps = read_deps_json_recursive(args, pathlib.Path(args.depfiledir))
 if args.list:
 print(json.dumps(deps, indent=2))
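Review bot: The added `run_in_hostroot_with_lock(build_arch, "apt_check")` in `main` sits above the `if args.list:` branch, so an invocation that only prints `json.dumps(deps, indent=2)` now also needs network access and the `apt_check` binary, and anything the script writes to stdout could precede the JSON unless `run_in_hostroot_with_lock` captures it (that helper is outside the hunk). Consider moving the call below the list branch, or keeping it next to the install step, with a comment such as `# Fail early if the apt repository is unreachable; apt_check is installed at image build.` The call's result is not used here, so confirm the helper raises on a non-zero exit; `main` continues outside the hunk and `build_arch` is not defined in the visible lines.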