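name: build and publish packages

on:
  push:
    branches: [main]
    paths:
      - 'arch/**'
      - '.gitea/workflows/build.yml'
  workflow_dispatch:

jobs:
  distcc-avahi-aarch64:
    runs-on: arch-aarch64
    steps:
      - name: checkout
        uses: actions/checkout@v4

      - name: install builder deps (idempotent)
        run: |
          # runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
          # This step exists so a freshly re-imaged runner bootstraps itself.
          pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools

      - name: import signing key
        env:
          PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
          PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
        run: |
          set -e
          # umask 077 so the passphrase file is never group/world readable,
          # not even between its creation and the chmod below.
          umask 077
          mkdir -m700 -p /root/.gnupg
          printf '%s\n' "$PRIV" | gpg --batch --import
          # echo trust so gpg doesn't complain during signing
          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
          printf '%s' "$PASS" > /root/repo_pass
          chmod 600 /root/repo_pass

      - name: install deploy ssh key
        env:
          KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
        run: |
          # set -e so a failed keyscan fails this step instead of surfacing
          # as an opaque ssh error at publish time.
          set -e
          umask 077
          mkdir -m700 -p /root/.ssh
          printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
          chmod 600 /root/.ssh/id_ed25519
          # NOTE(review): scanning the host key on every run is trust-on-first-use
          # each time, so whatever answers for nc.reauktion.de is accepted. Pinning
          # the expected key in a repository variable (placeholder: PINNED_HOST_KEY)
          # and writing that instead of the scan result would close this gap.
          ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts
          # an empty known_hosts means the scan returned nothing; stop here
          test -s /root/.ssh/known_hosts

      - name: makepkg
        run: |
          set -e
          # act's workspace lives under /root/.cache/act which the unprivileged
          # 'builder' user can't write to. Copy the package source into a
          # builder-owned /tmp dir.
          rm -rf /tmp/build-distcc-avahi
          cp -r arch/distcc-avahi /tmp/build-distcc-avahi
          chown -R builder:builder /tmp/build-distcc-avahi
          cd /tmp/build-distcc-avahi
          # makepkg refuses to run as root, hence the drop to 'builder'
          sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
          ls -la *.pkg.tar.zst

      - name: sign package
        run: |
          set -e
          cd /tmp/build-distcc-avahi
          # loopback pinentry + passphrase file: no tty on the runner
          for f in *.pkg.tar.zst; do
            gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
              --detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
          done
          ls -la *.sig

      - name: fetch current repo db and rebuild
        run: |
          set -e
          mkdir -p /tmp/arch-stage
          cd /tmp/arch-stage
          # pull current db (may be empty skeleton on first run) together with
          # its signatures: `repo-add --verify` checks the .sig next to the db,
          # so without them the verify has nothing to check.
          # A 404 is tolerated (nothing published yet); any other failure aborts,
          # because repo-add would otherwise build a db holding only this package
          # and the publish step would overwrite the full index with it.
          base=https://packages.reauktion.de/arch/aarch64
          for f in marfrit.db.tar.gz marfrit.files.tar.gz \
                   marfrit.db.tar.gz.sig marfrit.files.tar.gz.sig; do
            code=$(curl -sSL -o "$f" -w '%{http_code}' "$base/$f") || code=000
            case "$code" in
              2[0-9][0-9]) ;;
              404) echo "no $f on server yet (first run?)"; rm -f "$f" ;;
              *)   echo "fetching $f failed (HTTP $code)"; exit 1 ;;
            esac
          done
          # move freshly built package(s) in
          mv /tmp/build-distcc-avahi/*.pkg.tar.zst .
          mv /tmp/build-distcc-avahi/*.pkg.tar.zst.sig .
          # regenerate the db, signing it with our key
          GPG_TTY= \
          GNUPGHOME=/root/.gnupg \
          repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
            --verify marfrit.db.tar.gz *.pkg.tar.zst
          # refresh "unversioned" symlinks expected by pacman
          ln -sf marfrit.db.tar.gz marfrit.db
          ln -sf marfrit.files.tar.gz marfrit.files
          ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
          ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
          ls -la

      - name: publish via rrsync
        run: |
          set -e
          cd /tmp/arch-stage
          # rrsync on nc is scoped to /srv/packages/; target path is relative.
          # StrictHostKeyChecking=yes: only the key staged in known_hosts is
          # accepted; never fall back to interactive/accept-new behaviour.
          rsync -avL --copy-unsafe-links \
            -e 'ssh -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts' \
            ./ mfritsche@nc.reauktion.de:arch/aarch64/

      - name: wipe secrets
        if: always()
        run: |
          rm -f /root/repo_pass /root/.ssh/id_ed25519
          # the imported signing key and the agent's cached passphrase are
          # secret material too; drop both so they don't outlive the job on a
          # persistent runner (best effort: earlier steps may not have run)
          gpg --batch --yes --delete-secret-and-public-keys 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C || true
          gpgconf --kill gpg-agent || true

  # x86_64 job will mirror this one and run on the pve4 runner.
  # Kept commented out until a package actually targets x86_64 —
  # no point spinning pve4 for a no-op.
  #
  # distcc-avahi-x86_64:
  #   runs-on: arch-x86_64
  #   steps: (same as above, with arch/x86_64/ target)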