marfrit/marfrit-packages
0
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b9bfad146f7483b0d614daf8c974ce3173f56312
marfrit-packages/.gitea/workflows/build.yml
T
Workflow config file is invalid. Please check your config file: model.ReadWorkflow: yaml: line 88: could not find expected ':'
marfrit b9bfad146f ci: accept any pkg.tar.* extension, configure gpg for repo-add 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 19:42:19 +00:00

124 lines
4.6 KiB
YAML
Raw Blame History

name: build and publish packages
on:
push:
branches: [main]
paths:
- 'arch/**'
- '.gitea/workflows/build.yml'
workflow_dispatch:
jobs:
distcc-avahi-aarch64:
runs-on: arch-aarch64
steps:
- name: checkout
uses: actions/checkout@v4
- name: install builder deps (idempotent)
run: |
# runner image is Arch aarch64 with base-devel + gnupg + rsync + sudo.
# This step exists so a freshly re-imaged runner bootstraps itself.
pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
- name: import signing key
env:
PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
run: |
set -e
mkdir -m700 -p /root/.gnupg
printf '%s\n' "$PRIV" | gpg --batch --import
# echo trust so gpg doesn't complain during signing
echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
printf '%s' "$PASS" > /root/repo_pass
chmod 600 /root/repo_pass
- name: install deploy ssh key
env:
KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
run: |
mkdir -m700 -p /root/.ssh
printf '%s\n' "$KEY" > /root/.ssh/id_ed25519
chmod 600 /root/.ssh/id_ed25519
ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
- name: makepkg
run: |
set -e
# act's workspace lives under /root/.cache/act which the unprivileged
# 'builder' user can't write to. Copy the package source into a
# builder-owned /tmp dir.
rm -rf /tmp/build-distcc-avahi
cp -r arch/distcc-avahi /tmp/build-distcc-avahi
chown -R builder:builder /tmp/build-distcc-avahi
cd /tmp/build-distcc-avahi
sudo -u builder -H makepkg --nocheck --noconfirm --syncdeps --cleanbuild
ls -la *.pkg.tar.* | grep -v "\.sig$"
- name: sign package
run: |
set -e
cd /tmp/build-distcc-avahi
for f in *.pkg.tar.xz *.pkg.tar.zst *.pkg.tar.gz; do
[ -f "$f" ] || continue
gpg --batch --pinentry-mode loopback --passphrase-file /root/repo_pass \
--detach-sign --yes -u 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C "$f"
done
ls -la *.sig
- name: fetch current repo db and rebuild
run: |
set -e
mkdir -p /tmp/arch-stage
cd /tmp/arch-stage
# pull current db (may be empty skeleton on first run)
curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.db.tar.gz -o marfrit.db.tar.gz || true
curl -sSL https://packages.reauktion.de/arch/aarch64/marfrit.files.tar.gz -o marfrit.files.tar.gz || true
# move freshly built package(s) in
for ext in xz zst gz; do
ls /tmp/build-distcc-avahi/*.pkg.tar.$ext 2>/dev/null && \
mv /tmp/build-distcc-avahi/*.pkg.tar.$ext /tmp/build-distcc-avahi/*.pkg.tar.$ext.sig .
done || true
# regenerate the db, signing it with our key
export GPG_TTY=""
export GNUPGHOME=/root/.gnupg
# repo-add wants explicit passphrase; wrap via gpg-agent loopback
cat > /root/.gnupg/gpg.conf <<EOF
pinentry-mode loopback
passphrase-file /root/repo_pass
EOF
cat > /root/.gnupg/gpg-agent.conf <<EOF
allow-loopback-pinentry
EOF
gpg-connect-agent reloadagent /bye
repo-add --new --sign --key 92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C \
--verify marfrit.db.tar.gz *.pkg.tar.*
# refresh "unversioned" symlinks expected by pacman
ln -sf marfrit.db.tar.gz marfrit.db
ln -sf marfrit.files.tar.gz marfrit.files
ln -sf marfrit.db.tar.gz.sig marfrit.db.sig
ln -sf marfrit.files.tar.gz.sig marfrit.files.sig
ls -la
- name: publish via rrsync
run: |
set -e
cd /tmp/arch-stage
# rrsync on nc is scoped to /srv/packages/; target path is relative.
rsync -avL --copy-unsafe-links \
-e 'ssh -i /root/.ssh/id_ed25519' \
./ mfritsche@nc.reauktion.de:arch/aarch64/
- name: wipe secrets
if: always()
run: rm -f /root/repo_pass /root/.ssh/id_ed25519
# x86_64 job will mirror this one and run on the pve4 runner.
# Kept commented out until a package actually targets x86_64 —
# no point spinning pve4 for a no-op.
#
# distcc-avahi-x86_64:
# runs-on: arch-x86_64
# steps: (same as above, with arch/x86_64/ target)
Reference in New Issue View Git Blame Copy Permalink