From 7b45ea78984bb13db9131910fe71f44296334b72 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Tue, 27 Feb 2024 20:27:32 +0100
Subject: [PATCH 1/2] gitlab-ci: always use HTTPS for apt repos

This has been in place in a number of other places and has proven stable, so I'm introducing it here, since the "docker" job actually publishes docker images that are publicly used. So little painless security fixes are worthwhile.
---
 .gitlab-ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 866a2ec8..bcf2ac28 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -76,7 +76,13 @@ metadata_v0:
 'Dpkg::Use-Pty "0";'
 'quiet "1";'
 >> /etc/apt/apt.conf.d/99gitlab
+ # Ubuntu and other distros often lack https:// support
+ - grep Debian /etc/issue.net
+ && { find /etc/apt/sources.list* -type f | xargs sed -i s,http:,https:, ; }
+ - echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99nocacertificates
 - apt-get update
+ - apt-get install ca-certificates
+ - rm /etc/apt/apt.conf.d/99nocacertificates
 - apt-get dist-upgrade

From 3560a2522a0eb6937bd8b3cb0b1a48714cc12c60 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 6 Mar 2024 14:50:24 +0100
Subject: [PATCH 2/2] gitlab-ci: docker:git has become stable, so switch to stable tag

When this job was implemented, it needed the "git" tag. Now that it works, still with the stable tag.
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bcf2ac28..a72ad3dd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -647,7 +647,7 @@ docker:
 - buildserver/*
 variables:
 - $CI_COMMIT_BRANCH == "master" || $CI_PROJECT_NAMESPACE != "fdroid"
- image: docker:git
+ image: docker:dind
 services:
 - docker:dind
 variables:
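Review bot: In the `@@ -76,7 +76,13 @@` hunk of patch 1/2, `Acquire::https::Verify-Peer "false"` is written to a config file and stays in force for both `apt-get update` and `apt-get install ca-certificates`. During that window the HTTPS peer is unauthenticated, so integrity rests on apt's own signature check of the repository metadata. The added lines do not explain this; a comment above the `echo` such as `# ca-certificates is presumably missing from the base image, so peers cannot be verified until it is installed; apt's signed metadata still protects package integrity` would tell the next maintainer why the `rm` must stay. Scoping the override to the two commands, `apt-get -o Acquire::https::Verify-Peer=false update` and `apt-get -o Acquire::https::Verify-Peer=false install ca-certificates`, would remove the temporary file and the risk that verification stays off if the `rm` step is later dropped or reordered. The enclosing script list starts and ends outside the hunk.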
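Review bot: In the `@@ -647,7 +647,7 @@` hunk of patch 2/2, the new line `image: docker:dind` does not match the commit message, which says the job switches to the "stable" tag. Either the message or the tag should be corrected so the history records which image the job runs on. Both `image:` and the `services:` entry now use the floating `docker:dind` tag, and patch 1/2's message says this job publishes docker images that are publicly used, so the build environment changes whenever that tag is re-pushed. Pinning both to a fixed version, ideally by digest, e.g. `image: docker:<VERSION>-dind@sha256:<DIGEST>` (placeholders), would make the published images reproducible and the upgrade reviewable. The `docker:` job definition starts and ends outside the hunk.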