marfrit/marfrit-packages
0
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

PKGBUILD: pin source sha256 + wire real CI pipeline
build and publish packages / distcc-avahi-aarch64 (push) Failing after 8s
Details

Browse Source 
- distcc-3.4 tarball hash + local support files hashed (no more SKIP)
- .gitea/workflows/build.yml now builds, signs, repo-adds and rsyncs
  to nc via the marfrit-repo-deploy key. Triggers on push to arch/**
  or manual workflow_dispatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Markus Fritsche
2026-04-14 19:36:49 +00:00
parent 713fe2f03d
commit 2a72de0727
2 changed files with 107 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build.yml
+102 -46
View File
@@ -1,50 +1,106 @@
name: build and publish packages
# STUB — wired in a follow-up session. Current design sketch:
#
# jobs:
# arch-aarch64:
# runs-on: [self-hosted, alarm, aarch64]
# steps:
# - uses: actions/checkout@v4
# - name: makepkg
# run: |
# cd arch/distcc-avahi
# makepkg --nocheck --noconfirm --syncdeps
# - name: import signing key
# env:
# KEY: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
# PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
# run: |
# echo "$KEY" | gpg --import
# echo "$PASS" > /tmp/pass
# - name: sign package
# run: |
# gpg --batch --pinentry-mode loopback --passphrase-file /tmp/pass \
# --detach-sign --yes arch/distcc-avahi/*.pkg.tar.zst
# - name: publish to packages.reauktion.de
# env:
# SSH_KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
# run: |
# mkdir -p ~/.ssh && echo "$SSH_KEY" > ~/.ssh/id_ed25519
# chmod 600 ~/.ssh/id_ed25519
# scp arch/distcc-avahi/*.pkg.tar.zst{,.sig} \
# mfritsche@nc.reauktion.de:/srv/packages/arch/aarch64/
# # Regenerate db remotely (on an aarch64 runner with pacman):
# ssh mfritsche@nc.reauktion.de 'cd /srv/packages/arch/aarch64 && \
# repo-add --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
# marfrit.db.tar.gz *.pkg.tar.zst'
#
# Runner requirements:
# - feynman (CT115 on data) currently has the Actions runner for ARM
# bare-metal builds. For ALARM packages we'd want either:
# (a) a dedicated ALARM runner container, OR
# (b) makechrootpkg inside feynman with an ALARM pacstrap.
# - x86_64 Arch runner: can live on any nuccie.
# - Debian runners: debootstrap bookworm/trixie for each arch.
on: workflow_dispatch
on:
push:
branches: [main]
paths:
- 'arch/**'
- '.gitea/workflows/build.yml'
workflow_dispatch:
jobs:
placeholder:
runs-on: ubuntu-latest
distcc-avahi-aarch64:
runs-on: arch-aarch64
steps:
- run: echo "build pipeline not yet wired — see file header"
- name: checkout
uses: actions/checkout@v4
- name: install builder deps (idempotent)
run: |
# runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
# This step exists so a freshly re-imaged runner bootstraps itself.
pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
- name: import signing key
env:
PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
run: |
set -e
mkdir -m700 -p /root/.gnupg
printf '%s\n' "$PRIV" | gpg --batch --import
# echo trust so gpg doesn't complain during signing
echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
printf '%s' "$PASS" > /root/repo_pass
chmod 600 /root/repo_pass
- name: install deploy ssh key
env:
KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
run: |
mkdir -m700 -p /root/.ssh
printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
chmod 600 /root/.ssh/id_ed25519
ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
- name: makepkg
run: |
set -e
chown -R builder:builder arch/distcc-avahi
cd arch/distcc-avahi
sudo -u builder makepkg --nocheck --noconfirm --syncdeps --cleanbuild
ls -la *.pkg.tar.zst
- name: sign package
run: |
set -e
cd arch/distcc-avahi
for f in *.pkg.tar.zst; do
gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
--detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
done
ls -la *.sig
- name: fetch current repo db and rebuild
run: |
set -e
mkdir -p /tmp/arch-stage
cd /tmp/arch-stage
# pull current db (may be empty skeleton on first run)
curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
# move freshly built package(s) in
mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst .
mv "$GITHUB_WORKSPACE"/arch/distcc-avahi/*.pkg.tar.zst.sig .
# regenerate the db, signing it with our key
GPG_TTY= \
GNUPGHOME=/root/.gnupg \
repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
--verify marfrit.db.tar.gz *.pkg.tar.zst
# refresh "unversioned" symlinks expected by pacman
ln -sf marfrit.db.tar.gz marfrit.db
ln -sf marfrit.files.tar.gz marfrit.files
ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
ls -la
- name: publish via rrsync
run: |
set -e
cd /tmp/arch-stage
# rrsync on nc is scoped to /srv/packages/; target path is relative.
rsync -avL --copy-unsafe-links \
-e 'ssh -i /root/.ssh/id_ed25519' \
./ mfritsche@nc.reauktion.de:arch/aarch64/
- name: wipe secrets
if: always()
run: rm -f /root/repo_pass /root/.ssh/id_ed25519
# x86_64 job will mirror this one and run on the pve4 runner.
# Kept commented out until a package actually targets x86_64 —
# no point spinning pve4 for a no-op.
#
# distcc-avahi-x86_64:
# runs-on: arch-x86_64
# steps: (same as above, with arch/x86_64/ target)