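# Builds Arch packages on the self-hosted aarch64 runner, signs them with the
# repo GPG key, updates the pacman repo db and rsyncs the result to the
# package host.
#
# Secret handling in both jobs:
#   - The signing key and deploy key are written to disk only after makepkg
#     has finished, so PKGBUILD code never runs while they are present.
#   - "wipe secrets" removes the passphrase file, the deploy key AND the GPG
#     home (imported private key, gpg.conf, agent state), and stops gpg-agent
#     so no cached passphrase outlives the job.
name: build and publish packages

on:
  push:
    branches: [main]
    paths:
      - 'arch/**'
      - 'debian/**'
      - '.gitea/workflows/**'
  workflow_dispatch:

jobs:
  distcc-avahi-aarch64:
    runs-on: arch-aarch64
    steps:
      # NOTE(review): v4 is a mutable tag. Later steps in this job handle the
      # signing and deploy keys, so consider pinning to a full commit SHA
      # (<commit-sha>).
      - uses: actions/checkout@v4

      - name: bootstrap runner (idempotent)
        run: |
          pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools

      # Build as the unprivileged builder user; no secrets are on disk yet.
      - name: makepkg distcc-avahi
        run: |
          set -e
          rm -rf /tmp/build-distcc-avahi
          cp -r arch/distcc-avahi /tmp/build-distcc-avahi
          chown -R builder:builder /tmp/build-distcc-avahi
          cd /tmp/build-distcc-avahi
          sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
          ls -la *.pkg.tar.* | grep -v "\.sig$"

      # Starts from an empty GPG home so nothing from an earlier run is reused.
      # umask 077 makes the passphrase file private from the moment it is
      # created instead of only after the chmod.
      - name: import signing key
        env:
          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
        run: |
          set -e
          umask 077
          rm -rf /root/.gnupg /root/repo_pass
          mkdir -m700 -p /root/.gnupg
          printf '%s' "$PASS" > /root/repo_pass
          chmod 600 /root/repo_pass
          printf '%s\n' "$PRIV" | gpg --batch --import
          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust

      - name: sign distcc-avahi
        run: |
          set -e
          cd /tmp/build-distcc-avahi
          for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
            [ -f "$f" ] || continue
            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
              --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
          done

      # Fetches the published db (and signature), moves the freshly built
      # package in, and lets repo-add verify the old db before re-signing it.
      # NOTE(review): `curl ... || rm -f` treats every download failure as
      # "no db published yet". A transient error on marfrit.db.tar.gz would
      # likely make repo-add start an empty db that the publish step then
      # uploads over the real one; consider failing unless the file is
      # genuinely absent on the server.
      - name: update aarch64 repo db
        run: |
          set -e
          mkdir -p /tmp/arch-stage
          cd /tmp/arch-stage
          rm -f *
          for f in marfrit.db.tar.gz marfrit.db.tar.gz.sig marfrit.files.tar.gz marfrit.files.tar.gz.sig; do
            curl -sSLf "https://packages.reauktion.de/arch/aarch64/$f" -o "$f" || rm -f "$f"
          done
          for ext in xz zst gz; do
            ls /tmp/build-distcc-avahi/*.pkg.tar.$ext 2>/dev/null && \
              mv /tmp/build-distcc-avahi/*.pkg.tar.$ext /tmp/build-distcc-avahi/*.pkg.tar.$ext.sig .
          done || true
          export GNUPGHOME=/root/.gnupg
          printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
          printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
          gpg-connect-agent reloadagent /bye
          pkgs=()
          for ext in xz zst gz; do
            for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
          done
          repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
            --verify marfrit.db.tar.gz "${pkgs[@]}"
          ln -sf marfrit.db.tar.gz marfrit.db
          ln -sf marfrit.files.tar.gz marfrit.files
          ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
          # marfrit.files isn't signed by repo-add (pacman only verifies .db)
          rm -f marfrit.files.sig

      # NOTE(review): ssh-keyscan learns the host key over the same
      # unauthenticated network path the upload uses, on every run, so
      # known_hosts does not actually authenticate the server. Prefer writing
      # a pinned host key here (kept in the repo or in a secret).
      - name: install deploy ssh key
        env:
          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
        run: |
          umask 077
          mkdir -m700 -p /root/.ssh
          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
          chmod 600 /root/.ssh/id_ed25519
          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null

      - name: publish to aarch64
        run: |
          cd /tmp/arch-stage
          rsync -avL --copy-unsafe-links \
            -e 'ssh -i /root/.ssh/id_ed25519' \
            ./ mfritsche@nc.reauktion.de:arch/aarch64/

      # Runs even when an earlier step failed. The GPG home holds the imported
      # private key and gpg.conf, so it is removed together with the
      # passphrase file and the deploy key; the agent is stopped first so it
      # cannot keep a cached passphrase.
      - name: wipe secrets
        if: always()
        run: |
          gpgconf --kill gpg-agent || true
          rm -rf /root/.gnupg
          rm -f /root/repo_pass /root/.ssh/id_ed25519

  # -------------------------------------------------------------------------
  # lmcp is pure Lua (arch=any). One build on the aarch64 runner produces a
  # package that's valid on every pacman-based target, so we publish the same
  # .pkg.tar.* to both /arch/aarch64/ and /arch/x86_64/ after rebuilding each
  # db with the package registered.
  # -------------------------------------------------------------------------
  lmcp-any:
    needs: distcc-avahi-aarch64  # serialize on shared aarch64 db; expand later
    runs-on: arch-aarch64
    steps:
      # NOTE(review): v4 is a mutable tag. Later steps in this job handle the
      # signing and deploy keys, so consider pinning to a full commit SHA
      # (<commit-sha>).
      - uses: actions/checkout@v4

      - name: bootstrap runner (idempotent)
        run: pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo lua lua-socket

      # Build as the unprivileged builder user; no secrets are on disk yet.
      - name: makepkg lmcp
        run: |
          set -e
          rm -rf /tmp/build-lmcp
          cp -r arch/lmcp /tmp/build-lmcp
          chown -R builder:builder /tmp/build-lmcp
          cd /tmp/build-lmcp
          sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
          ls -la *.pkg.tar.* | grep -v "\.sig$"

      # Starts from an empty GPG home so nothing from an earlier run is reused.
      # umask 077 makes the passphrase file private from the moment it is
      # created instead of only after the chmod.
      - name: import signing key
        env:
          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
        run: |
          set -e
          umask 077
          rm -rf /root/.gnupg /root/repo_pass
          mkdir -m700 -p /root/.gnupg
          printf '%s' "$PASS" > /root/repo_pass
          chmod 600 /root/repo_pass
          printf '%s\n' "$PRIV" | gpg --batch --import
          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust

      - name: sign lmcp
        run: |
          set -e
          cd /tmp/build-lmcp
          for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
            [ -f "$f" ] || continue
            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
              --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
          done

      # NOTE(review): ssh-keyscan learns the host key over the same
      # unauthenticated network path the upload uses, on every run, so
      # known_hosts does not actually authenticate the server. Prefer writing
      # a pinned host key here (kept in the repo or in a secret).
      - name: install deploy ssh key
        env:
          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
        run: |
          umask 077
          mkdir -m700 -p /root/.ssh
          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
          chmod 600 /root/.ssh/id_ed25519
          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null

      # For each target arch: fetch the published db, add the lmcp package,
      # re-sign the db and upload the stage directory.
      # NOTE(review): `curl ... || rm -f` treats every download failure as
      # "no db published yet"; a transient error would likely lead to an
      # empty db being uploaded over the real one.
      # NOTE(review): the distcc-avahi job deletes marfrit.files.sig on the
      # grounds that repo-add does not sign the files db, while this job
      # links it. If no fresh marfrit.files.tar.gz.sig is produced, the link
      # resolves to the copy downloaded at the top of the loop and a stale
      # signature is published. Confirm which is intended and make the two
      # jobs agree.
      - name: publish lmcp to both arches
        run: |
          set -e
          export GNUPGHOME=/root/.gnupg
          printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
          printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
          gpg-connect-agent reloadagent /bye
          for target in aarch64 x86_64; do
            stage="/tmp/arch-stage-$target"
            rm -rf "$stage"; mkdir -p "$stage"; cd "$stage"
            for f in marfrit.db.tar.gz marfrit.db.tar.gz.sig marfrit.files.tar.gz marfrit.files.tar.gz.sig; do
              curl -sSLf "https://packages.reauktion.de/arch/$target/$f" -o "$f" || rm -f "$f"
            done
            cp /tmp/build-lmcp/*.pkg.tar.* .
            pkgs=()
            for ext in xz zst gz; do
              for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
            done
            repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
              --verify marfrit.db.tar.gz "${pkgs[@]}"
            ln -sf marfrit.db.tar.gz marfrit.db
            ln -sf marfrit.files.tar.gz marfrit.files
            ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
            ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
            rsync -avL --copy-unsafe-links \
              -e 'ssh -i /root/.ssh/id_ed25519' \
              ./ "mfritsche@nc.reauktion.de:arch/$target/"
          done

      # Runs even when an earlier step failed. The GPG home holds the imported
      # private key and gpg.conf, so it is removed together with the
      # passphrase file and the deploy key; the agent is stopped first so it
      # cannot keep a cached passphrase.
      - name: wipe secrets
        if: always()
        run: |
          gpgconf --kill gpg-agent || true
          rm -rf /root/.gnupg
          rm -f /root/repo_pass /root/.ssh/id_ed25519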