diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index f54ae1179..9af0b110e 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -1,50 +1,106 @@ name: build and publish packages -# STUB — wired in a follow-up session. Current design sketch: -# -# jobs: -# arch-aarch64: -# runs-on: [self-hosted, alarm, aarch64] -# steps: -# - uses: actions/checkout@v4 -# - name: makepkg -# run: | -# cd arch/distcc-avahi -# makepkg --nocheck --noconfirm --syncdeps -# - name: import signing key -# env: -# KEY: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }} -# PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }} -# run: | -# echo "$KEY" | gpg --import -# echo "$PASS" > /tmp/pass -# - name: sign package -# run: | -# gpg --batch --pinentry-mode loopback --passphrase-file /tmp/pass \ -# --detach-sign --yes arch/distcc-avahi/*.pkg.tar.zst -# - name: publish to packages.reauktion.de -# env: -# SSH_KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }} -# run: | -# mkdir -p ~/.ssh && echo "$SSH_KEY" > ~/.ssh/id_ed25519 -# chmod 600 ~/.ssh/id_ed25519 -# scp arch/distcc-avahi/*.pkg.tar.zst{,.sig} \ -# mfritsche@nc.reauktion.de:/srv/packages/arch/aarch64/ -# # Regenerate db remotely (on an aarch64 runner with pacman): -# ssh mfritsche@nc.reauktion.de 'cd /srv/packages/arch/aarch64 && \ -# repo-add --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \ -# marfrit.db.tar.gz *.pkg.tar.zst' -# -# Runner requirements: -# - feynman (CT115 on data) currently has the Actions runner for ARM -# bare-metal builds. For ALARM packages we'd want either: -# (a) a dedicated ALARM runner container, OR -# (b) makechrootpkg inside feynman with an ALARM pacstrap. -# - x86_64 Arch runner: can live on any nuccie. -# - Debian runners: debootstrap bookworm/trixie for each arch. 
-on: workflow_dispatch +on: + push: + branches: [main] + paths: + - 'arch/**' + - '.gitea/workflows/build.yml' + workflow_dispatch: + jobs: - placeholder: - runs-on: ubuntu-latest + distcc-avahi-aarch64: + runs-on: arch-aarch64 steps: - - run: echo "build pipeline not yet wired — see file header" + - name: checkout + uses: actions/checkout@v4 + + - name: install builder deps (idempotent) + run: | + # runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo. + # This step exists so a freshly re-imaged runner bootstraps itself. + pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools + + - name: import signing key + env: + PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }} + PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }} + run: | + set -e + mkdir -m700 -p /root/.gnupg + printf '%s\n' "$PRIV" | gpg --batch --import + # echo trust so gpg doesn't complain during signing + echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust + printf '%s' "$PASS" > /root/repo_pass + chmod 600 /root/repo_pass + + - name: install deploy ssh key + env: + KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }} + run: | + mkdir -m700 -p /root/.ssh + printf '%s\n' "$KEY" > /root/.ssh/id_ed25519 + chmod 600 /root/.ssh/id_ed25519 + ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null + + - name: makepkg + run: | + set -e + chown -R builder:builder arch/distcc-avahi + cd arch/distcc-avahi + sudo -u builder makepkg --nocheck --noconfirm --syncdeps --cleanbuild + ls -la *.pkg.tar.zst + + - name: sign package + run: | + set -e + cd arch/distcc-avahi + for f in *.pkg.tar.zst; do + gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \ + --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f" + done + ls -la *.sig + + - name: fetch current repo db and rebuild + run: | + set -e + mkdir -p /tmp/arch-stage + cd /tmp/arch-stage + # pull current db (may be empty skeleton on first run) 
+ curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
+ curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
+ # move freshly built package(s) in
+ mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst .
+ mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst.sig .
+ # regenerate the db, signing it with our key
+ GPG_TTY= \
+ GNUPGHOME=/root/.gnupg \
+ repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
+ --verify marfrit.db.tar.gz *.pkg.tar.zst
+ # refresh "unversioned" symlinks expected by pacman
+ ln -sf marfrit.db.tar.gz marfrit.db
+ ln -sf marfrit.files.tar.gz marfrit.files
+ ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
+ ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
+ ls -la
+
+ - name: publish via rrsync
+ run: |
+ set -e
+ cd /tmp/arch-stage
+ # rrsync on nc is scoped to /srv/packages/; target path is relative.
+ rsync -avL --copy-unsafe-links \
+ -e 'ssh -i /root/.ssh/id_ed25519' \
+ ./ mfritsche@nc.reauktion.de:arch/aarch64/
+
+ - name: wipe secrets
+ if: always()
+ run: rm -f /root/repo_pass /root/.ssh/id_ed25519
+
+ # x86_64 job will mirror this one and run on the pve4 runner.
+ # Kept commented out until a package actually targets x86_64 —
+ # no point spinning pve4 for a no-op.
+ #
+ # distcc-avahi-x86_64:
+ # runs-on: arch-x86_64
+ # steps: (same as above, with arch/x86_64/ target)
diff --git a/arch/distcc-avahi/PKGBUILD b/arch/distcc-avahi/PKGBUILD
index 88e266207..6c027565d 100644
--- a/arch/distcc-avahi/PKGBUILD
+++ b/arch/distcc-avahi/PKGBUILD
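Review bot: The `wipe secrets` step removes `/root/repo_pass` and the deploy key but not the signing key that `import signing key` places in `/root/.gnupg`, and since the deps step is written for a runner that persists between jobs (its comment talks about re-imaging), every later job on that runner keeps access to the repo signing key; extend the step to `run: rm -rf /root/repo_pass /root/.ssh/id_ed25519 /root/.gnupg` (or import into a `GNUPGHOME` created with `mktemp -d` and remove that), assuming nothing else on the runner relies on root's keyring. In `fetch current repo db and rebuild`, `curl ... || true` tolerates any failure rather than only the missing-db first run, so a transient fetch error makes `repo-add` build a database holding only the new package and the publish step then overwrites the live one with it; use `curl -fsSL` and treat only a 404 as the first-run case. The same step passes `--verify` to `repo-add` while `marfrit.db.tar.gz.sig` is never downloaded, which I expect to fail verification once a signed db exists, so fetch the `.sig` alongside the db or drop `--verify`. `install deploy ssh key` accepts whatever host key `ssh-keyscan` returns on each run, with errors hidden by `2>/dev/null` and no `set -e`; shipping a pinned `known_hosts` entry in the repository avoids a first-use trust decision on every job.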
@@ -23,16 +23,16 @@ conflicts=('distcc')
 replaces=('distcc')
 backup=('etc/conf.d/distccd')
 source=(
- "https://github.com/distcc/distcc/releases/download/v${pkgver}/distcc-${pkgver}.tar.gz"
+ "${_pkgname}-${pkgver}.tar.gz::https://github.com/distcc/distcc/archive/refs/tags/v${pkgver}.tar.gz"
 "distccd.conf"
 "distccd.service"
 "distcc.tmpfiles"
 )
 sha256sums=(
- 'SKIP' # pin when first built in CI
- 'SKIP'
- 'SKIP'
- 'SKIP'
+ '37a34c9555498a1168fea026b292ab07e7bb394715d87d8403e0c33b16d2d008'
+ '38cb1912bfa15efd762dd868e049bdbcd58f1a46065255bc4648f821ba516d65'
+ 'a4f1d1bb21d61d41f22e918b448cfb852a6d95b0d3b922bd82805090cb2ce41a'
+ 'd8aee2eb895c02a39e0f2b76fd4a5c9dce91405f1c443286ca324628eadbf3f1'
 )
 prepare() {