marfrit-packages/.gitea/workflows/build.yml at 2cfe3112ca01decdcff496e393016677669ae503

marfrit/marfrit-packages

Fork 1

Files

T

marfrit 209566518c

build and publish packages / distcc-avahi-aarch64 (push) Successful in 28s

Details

ci: wipe stale gpg state at each build start

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 19:44:54 +00:00

127 lines

5.0 KiB

YAML

Raw Blame History

 name: build and publish packages
 on:
   push:
     branches: [main]
     paths:
       - 'arch/**'
       - '.gitea/workflows/build.yml'
   workflow_dispatch:
 jobs:
   distcc-avahi-aarch64:
     runs-on: arch-aarch64
     steps:
       - name: checkout
         uses: actions/checkout@v4
       - name: install builder deps (idempotent)
         run: |
           # runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
           # This step exists so a freshly re-imaged runner bootstraps itself.
           pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
       - name: import signing key
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
         run: |
           set -e
           # Runner container persists between runs; wipe any stale gpg state
           # so old gpg.conf / socket paths can't confuse this build.
           rm -rf /root/.gnupg /root/repo_pass
           mkdir -m700 -p /root/.gnupg
           printf '%s' "$PASS" > /root/repo_pass
           chmod 600 /root/repo_pass
           printf '%s\n' "$PRIV" | gpg --batch --import
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
       - name: install deploy ssh key
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
           mkdir -m700 -p /root/.ssh
           printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
           chmod 600 /root/.ssh/id_ed25519
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
       - name: makepkg
         run: |
           set -e
           # act's workspace lives under /root/.cache/act which the unprivileged
           # 'builder' user can't write to. Copy the package source into a
           # builder-owned /tmp dir.
           rm -rf /tmp/build-distcc-avahi
           cp -r arch/distcc-avahi /tmp/build-distcc-avahi
           chown -R builder:builder /tmp/build-distcc-avahi
           cd /tmp/build-distcc-avahi
           sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
           ls -la *.pkg.tar.* | grep -v "\.sig$"
       - name: sign package
         run: |
           set -e
           cd /tmp/build-distcc-avahi
           for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
             [ -f "$f" ] || continue
             gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
                 --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
           done
           ls -la *.sig
       - name: fetch current repo db and rebuild
         run: |
           set -e
           mkdir -p /tmp/arch-stage
           cd /tmp/arch-stage
           # pull current db (may be empty skeleton on first run)
           curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
           curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
           # move freshly built package(s) in
           for ext in xz zst gz; do
             ls /tmp/build-distcc-avahi/*.pkg.tar.$ext 2>/dev/null && \
               mv /tmp/build-distcc-avahi/*.pkg.tar.$ext /tmp/build-distcc-avahi/*.pkg.tar.$ext.sig .
           done || true
           # regenerate the db, signing it with our key
           export GPG_TTY=""
           export GNUPGHOME=/root/.gnupg
           # repo-add wants explicit passphrase; wrap via gpg-agent loopback
           printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
           printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
           gpg-connect-agent reloadagent /bye
           # exclude .sig files from repo-add's positional args
           pkgs=()
           for ext in xz zst gz; do
             for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
           done
           echo "packages to add: ${pkgs[*]}"
           repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
             --verify marfrit.db.tar.gz "${pkgs[@]}"
           # refresh "unversioned" symlinks expected by pacman
           ln -sf marfrit.db.tar.gz     marfrit.db
           ln -sf marfrit.files.tar.gz  marfrit.files
           ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
           ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
           ls -la
       - name: publish via rrsync
         run: |
           set -e
           cd /tmp/arch-stage
           # rrsync on nc is scoped to /srv/packages/; target path is relative.
           rsync -avL --copy-unsafe-links \
             -e 'ssh -i /root/.ssh/id_ed25519' \
             ./ mfritsche@nc.reauktion.de:arch/aarch64/
       - name: wipe secrets
         if: always()
         run: rm -f /root/repo_pass /root/.ssh/id_ed25519
   # x86_64 job will mirror this one and run on the pve4 runner.
   # Kept commented out until a package actually targets x86_64 —
   # no point spinning pve4 for a no-op.
   #
   # distcc-avahi-x86_64:
   #   runs-on: arch-x86_64
   #   steps: (same as above, with arch/x86_64/ target)

127 lines 5.0 KiB YAML Raw Blame History

127 lines

5.0 KiB

YAML

Raw Blame History