194 lines
7.5 KiB
YAML
194 lines
7.5 KiB
YAML
name: build and publish packages
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'arch/**'
|
|
- 'debian/**'
|
|
- '.gitea/workflows/**'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
distcc-avahi-aarch64:
|
|
runs-on: arch-aarch64
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: bootstrap runner (idempotent)
|
|
run: |
|
|
pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
|
|
|
|
- name: import signing key
|
|
env:
|
|
PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
|
|
PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
|
|
run: |
|
|
set -e
|
|
rm -rf /root/.gnupg /root/repo_pass
|
|
mkdir -m700 -p /root/.gnupg
|
|
printf '%s' "$PASS" > /root/repo_pass
|
|
chmod 600 /root/repo_pass
|
|
printf '%s\n' "$PRIV" | gpg --batch --import
|
|
echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
|
|
|
|
- name: install deploy ssh key
|
|
env:
|
|
KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
|
|
run: |
|
|
mkdir -m700 -p /root/.ssh
|
|
printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
|
|
chmod 600 /root/.ssh/id_ed25519
|
|
ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: makepkg distcc-avahi
|
|
run: |
|
|
set -e
|
|
rm -rf /tmp/build-distcc-avahi
|
|
cp -r arch/distcc-avahi /tmp/build-distcc-avahi
|
|
chown -R builder:builder /tmp/build-distcc-avahi
|
|
cd /tmp/build-distcc-avahi
|
|
sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
|
|
ls -la *.pkg.tar.* | grep -v "\.sig$"
|
|
|
|
- name: sign distcc-avahi
|
|
run: |
|
|
set -e
|
|
cd /tmp/build-distcc-avahi
|
|
for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
|
|
[ -f "$f" ] || continue
|
|
gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
|
|
--detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
|
|
done
|
|
|
|
- name: update aarch64 repo db
|
|
run: |
|
|
set -e
|
|
mkdir -p /tmp/arch-stage
|
|
cd /tmp/arch-stage
|
|
rm -f *
|
|
for f in marfrit.db.tar.gz marfrit.db.tar.gz.sig marfrit.files.tar.gz marfrit.files.tar.gz.sig; do
|
|
curl -sSLf "https://packages.reauktion.de/arch/aarch64/$f" -o "$f" || rm -f "$f"
|
|
done
|
|
for ext in xz zst gz; do
|
|
ls /tmp/build-distcc-avahi/*.pkg.tar.$ext 2>/dev/null && \
|
|
mv /tmp/build-distcc-avahi/*.pkg.tar.$ext /tmp/build-distcc-avahi/*.pkg.tar.$ext.sig .
|
|
done || true
|
|
export GNUPGHOME=/root/.gnupg
|
|
printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
|
|
printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
|
|
gpg-connect-agent reloadagent /bye
|
|
pkgs=()
|
|
for ext in xz zst gz; do
|
|
for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
|
|
done
|
|
repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
|
|
--verify marfrit.db.tar.gz "${pkgs[@]}"
|
|
ln -sf marfrit.db.tar.gz marfrit.db
|
|
ln -sf marfrit.files.tar.gz marfrit.files
|
|
ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
|
|
# marfrit.files isn't signed by repo-add (pacman only verifies .db)
|
|
rm -f marfrit.files.sig
|
|
|
|
- name: publish to aarch64
|
|
run: |
|
|
cd /tmp/arch-stage
|
|
rsync -avL --copy-unsafe-links \
|
|
-e 'ssh -i /root/.ssh/id_ed25519' \
|
|
./ mfritsche@nc.reauktion.de:arch/aarch64/
|
|
|
|
- name: wipe secrets
|
|
if: always()
|
|
run: rm -f /root/repo_pass /root/.ssh/id_ed25519
|
|
|
|
# -------------------------------------------------------------------------
|
|
# lmcp is pure Lua (arch=any). One build on the aarch64 runner produces a
|
|
# package that's valid on every pacman-based target, so we publish the same
|
|
# .pkg.tar.* to both /arch/aarch64/ and /arch/x86_64/ after rebuilding each
|
|
# db with the package registered.
|
|
# -------------------------------------------------------------------------
|
|
lmcp-any:
|
|
needs: distcc-avahi-aarch64 # serialize on shared aarch64 db; expand later
|
|
runs-on: arch-aarch64
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: bootstrap runner (idempotent)
|
|
run: pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo lua lua-socket
|
|
|
|
- name: import signing key
|
|
env:
|
|
PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
|
|
PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
|
|
run: |
|
|
set -e
|
|
rm -rf /root/.gnupg /root/repo_pass
|
|
mkdir -m700 -p /root/.gnupg
|
|
printf '%s' "$PASS" > /root/repo_pass
|
|
chmod 600 /root/repo_pass
|
|
printf '%s\n' "$PRIV" | gpg --batch --import
|
|
echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
|
|
|
|
- name: install deploy ssh key
|
|
env:
|
|
KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
|
|
run: |
|
|
mkdir -m700 -p /root/.ssh
|
|
printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
|
|
chmod 600 /root/.ssh/id_ed25519
|
|
ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: makepkg lmcp
|
|
run: |
|
|
set -e
|
|
rm -rf /tmp/build-lmcp
|
|
cp -r arch/lmcp /tmp/build-lmcp
|
|
chown -R builder:builder /tmp/build-lmcp
|
|
cd /tmp/build-lmcp
|
|
sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
|
|
ls -la *.pkg.tar.* | grep -v "\.sig$"
|
|
|
|
- name: sign lmcp
|
|
run: |
|
|
set -e
|
|
cd /tmp/build-lmcp
|
|
for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
|
|
[ -f "$f" ] || continue
|
|
gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
|
|
--detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
|
|
done
|
|
|
|
- name: publish lmcp to both arches
|
|
run: |
|
|
set -e
|
|
export GNUPGHOME=/root/.gnupg
|
|
printf 'pinentry-mode loopback\npassphrase-file /root/repo_pass\n' > /root/.gnupg/gpg.conf
|
|
printf 'allow-loopback-pinentry\n' > /root/.gnupg/gpg-agent.conf
|
|
gpg-connect-agent reloadagent /bye
|
|
|
|
for target in aarch64 x86_64; do
|
|
stage="/tmp/arch-stage-$target"
|
|
rm -rf "$stage"; mkdir -p "$stage"; cd "$stage"
|
|
for f in marfrit.db.tar.gz marfrit.db.tar.gz.sig marfrit.files.tar.gz marfrit.files.tar.gz.sig; do
|
|
curl -sSLf "https://packages.reauktion.de/arch/$target/$f" -o "$f" || rm -f "$f"
|
|
done
|
|
cp /tmp/build-lmcp/*.pkg.tar.* .
|
|
pkgs=()
|
|
for ext in xz zst gz; do
|
|
for f in *.pkg.tar.$ext; do [ -f "$f" ] && pkgs+=("$f"); done
|
|
done
|
|
repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
|
|
--verify marfrit.db.tar.gz "${pkgs[@]}"
|
|
ln -sf marfrit.db.tar.gz marfrit.db
|
|
ln -sf marfrit.files.tar.gz marfrit.files
|
|
ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
|
|
ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
|
|
rsync -avL --copy-unsafe-links \
|
|
-e 'ssh -i /root/.ssh/id_ed25519' \
|
|
./ "mfritsche@nc.reauktion.de:arch/$target/"
|
|
done
|
|
|
|
- name: wipe secrets
|
|
if: always()
|
|
run: rm -f /root/repo_pass /root/.ssh/id_ed25519
|