Deb PPA rewrite, adding packages for ppc64el

TLDR: instead of running the entirety of the job in the container,
start a detached container, and manually run each step
in the detached container. This allows running things outside of the container.
Roman Lebedev 2025-10-04 18:29:15 +03:00
parent 65e90ce9cf
commit 07bf2c16cb
No known key found for this signature in database
GPG Key ID: 083C3EBB4A1689E0
6 changed files with 712 additions and 269 deletions


@ -7,7 +7,13 @@ on:
runs-on: runs-on:
required: true required: true
type: string type: string
arch: machine-arch:
required: true
type: string
build-arch:
required: true
type: string
host-arch:
required: true required: true
type: string type: string
dist-name: dist-name:
@ -23,45 +29,94 @@ on:
jobs: jobs:
linux: linux:
runs-on: ${{ inputs.runs-on }} runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
env:
DEBFULLNAME: apt.bcachefs.org CI bot
DEBEMAIL: linux-bcachefs@vger.kernel.org
DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
attestations: write attestations: write
steps: steps:
- name: Install necessary packages - name: Configure baseline system
timeout-minutes: 2 timeout-minutes: 1
shell: sudo sh "{0}"
run: | run: |
set -xe set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT mount -t tmpfs tmpfs ${{ github.workspace }}
force-unsafe-io echo "set man-db/auto-update false" | debconf-communicate
EOT dpkg-reconfigure man-db
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT mkdir -p /etc/apt/apt.conf.d
Dir::Cache::Archives "/tmp/apt/archives"; mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp"; APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10"; Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false"; APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false"; APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true"; APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true"; APT::Get::Fix-Missing "true";
EOT EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
if [ "${{ inputs.machine-arch }}" = "amd64" ];
then
MIRROR="http://archive.ubuntu.com/ubuntu"
else
MIRROR="http://ports.ubuntu.com/ubuntu-ports"
fi
tee /etc/apt/sources.list > /dev/null <<EOT
deb $MIRROR noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
qemu-user-static \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--privileged \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list* rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT tee /etc/apt/sources.list > /dev/null <<EOT
@ -72,6 +127,7 @@ jobs:
eatmydata apt full-upgrade eatmydata apt full-upgrade
eatmydata apt install \ eatmydata apt install \
${{ inputs.dist-name }}-keyring \ ${{ inputs.dist-name }}-keyring \
arch-test \
autopkgtest \ autopkgtest \
curl \ curl \
devscripts \ devscripts \
@ -81,11 +137,13 @@ jobs:
fdisk \ fdisk \
gnupg \ gnupg \
iproute2 \ iproute2 \
ipxe-qemu \
libarchive13 \ libarchive13 \
mmdebstrap \ mmdebstrap \
mtools \ mtools \
ovmf \ ovmf \
qemu-efi-aarch64 \ qemu-efi-aarch64 \
qemu-kvm \
qemu-utils \ qemu-utils \
sbuild \ sbuild \
sudo \ sudo \
@ -99,25 +157,32 @@ jobs:
apt clean apt clean
USER=`whoami` USER=`whoami`
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key - name: Import/Configure GPG
timeout-minutes: 1 timeout-minutes: 1
id: gpg id: gpg
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
run: | run: |
set -xe set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT EOT
tee -a ~/.gbp.conf > /dev/null <<EOT tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage] [buildpackage]
@ -129,20 +194,25 @@ jobs:
EOT EOT
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; \$dpkg_buildpackage_user_options = [
'--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
'--force-sign'
];
EOT EOT
- name: Configure sbuild - name: Configure sbuild
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}" BUILD_DIR="${{ github.workspace }}/deb-bin/${{ inputs.dist-version }}/${{ inputs.host-arch }}"
echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> $GITHUB_ENV echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> ~/.env
mkdir -p "$BUILD_DIR" mkdir -p "$BUILD_DIR"
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$verbose = 1; \$verbose = 1;
\$build_dir = '$BUILD_DIR'; \$build_dir = '$BUILD_DIR';
\$distribution = '${{ inputs.dist-version }}'; \$distribution = '${{ inputs.dist-version }}';
#\$host_arch = '${{ inputs.arch }}'; \$build_arch = '${{ inputs.build-arch }}';
\$host_arch = '${{ inputs.host-arch }}';
\$chroot_mode = 'unshare'; \$chroot_mode = 'unshare';
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
\$run_lintian = 1; \$run_lintian = 1;
@ -157,12 +227,18 @@ jobs:
then then
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$external_commands = { \$external_commands = {
'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ] 'chroot-setup-commands' => [
"export LD_PRELOAD=/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
]
}; };
\$build_environment = { \$build_environment = {
"LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" "LD_PRELOAD" =>
"/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
}; };
\$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$']; \$environment_filter = [
Dpkg::BuildInfo::get_build_env_allowed(),
'^LD_PRELOAD$'
];
push @{\$unshare_mmdebstrap_extra_args}, "*", [ push @{\$unshare_mmdebstrap_extra_args}, "*", [
'--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata' '--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata'
]; ];
@ -171,10 +247,10 @@ jobs:
if [ "${{ inputs.dist-name }}" = "debian" ]; if [ "${{ inputs.dist-name }}" = "debian" ];
then then
MIRROR="http://deb.debian.org/debian" MIRROR="http://deb.debian.org/debian"
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ]; elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" = "amd64" ];
then then
MIRROR="http://archive.ubuntu.com/ubuntu" MIRROR="http://archive.ubuntu.com/ubuntu"
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ]; elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" != "amd64" ];
then then
MIRROR="http://ports.ubuntu.com/ubuntu-ports" MIRROR="http://ports.ubuntu.com/ubuntu-ports"
else else
@ -189,7 +265,7 @@ jobs:
else else
exit 1 exit 1
fi fi
echo "MIRROR=$(echo ${MIRROR})" >> $GITHUB_ENV echo "MIRROR=$(echo ${MIRROR})" >> ~/.env
if [ "${{ inputs.dist-name }}" = "debian" ]; if [ "${{ inputs.dist-name }}" = "debian" ];
then then
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
@ -224,63 +300,114 @@ jobs:
]; ];
EOT EOT
fi fi
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/deb-src"
- name: Download source-only .deb to be built - name: Download source-only .deb to be built
timeout-minutes: 1 timeout-minutes: 1
uses: actions/download-artifact@v5 uses: actions/download-artifact@v5
with: with:
artifact-ids: ${{ inputs.deb-src-artifact-id }} artifact-ids: ${{ inputs.deb-src-artifact-id }}
path: deb-src path: deb-src
- name: Unpack the downloaded tarball - name: Check attestation of all incoming artifact archives
timeout-minutes: 1 timeout-minutes: 1
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" find . -type f -print0 | xargs --null -I'{}' sh -c " \
rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack the downloaded tarball
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "${{ github.workspace }}/deb-src"
tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
rm "${{ github.workspace }}/deb-src/artifact-src.tar"
- name: Ensure that all incoming source artifacts are signed - name: Ensure that all incoming source artifacts are signed
timeout-minutes: 1 timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped' if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo 'Processing {}' \ echo '::group::Signature check for {}' && \
&& ( \ ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \ ( \
) \ echo '::error file={}::NOT SIGNED!' && \
&& echo 'Processing {}: ok' \ echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
" "
- name: Build the package - name: Build the package
timeout-minutes: 10 timeout-minutes: 60
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-bin" cd "${{ github.workspace }}/deb-bin"
if [ "${{ inputs.dist-name }}" = "ubuntu" ]; if [ "${{ inputs.dist-name }}" = "ubuntu" ];
then then
export DEB_BUILD_OPTIONS=noautodbgsym export DEB_BUILD_OPTIONS=noautodbgsym
fi fi
eatmydata sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc echo '::group::Building the package'
sbuild \
--verbose \
--arch-any \
--arch-all \
"${{ github.workspace }}/deb-src/"*.dsc \
;
echo '::endgroup::'
- name: Ensure that all binary artifacts are signed, or sign them - name: Ensure that all binary artifacts are signed, or sign them
timeout-minutes: 1 timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped' if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-bin" cd "${{ github.workspace }}/deb-bin"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo 'Processing {}' && ( \ echo '::group::Signing {}' && \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ ( \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
|| gpg --verbose --detach-sign {} \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
) \ gpg --verbose --detach-sign {} \
) && \
echo '::endgroup::' \
" "
- name: Archive build artifacts - name: Archive build artifacts
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-bin" cd "${{ github.workspace }}/deb-bin"
tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" * tar -cf "${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar" *
- name: Attest build artifact - name: Attest build artifact
timeout-minutes: 1 timeout-minutes: 1
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
@ -292,8 +419,8 @@ jobs:
id: deb-bin-upload id: deb-bin-upload
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar
path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar' path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar'
if-no-files-found: error if-no-files-found: error
compression-level: 0 compression-level: 0
- name: Attest uploaded build artifact - name: Attest uploaded build artifact
@ -301,20 +428,45 @@ jobs:
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: actions/attest-build-provenance@v3 uses: actions/attest-build-provenance@v3
with: with:
subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar.zip
subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }} subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}
- name: Build Qemu image for autopkgtest - name: Build Qemu image for autopkgtest
timeout-minutes: 2 timeout-minutes: 2
id: qemu-image id: qemu-image
if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.arch == 'amd64' if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.machine-arch == 'amd64' && inputs.build-arch == inputs.machine-arch && inputs.host-arch == inputs.build-arch
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
. ~/.env
IMAGE="/tmp/autopkgtest-qemu-image.qcow2" IMAGE="/tmp/autopkgtest-qemu-image.qcow2"
echo "IMAGE=$(echo ${IMAGE})" >> $GITHUB_ENV echo "IMAGE=$(echo ${IMAGE})" >> ~/.env
eatmydata mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "${{ env.MIRROR }}" "${{ inputs.dist-version }}" "$IMAGE" mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "$MIRROR" "${{ inputs.dist-version }}" "$IMAGE"
- name: Run autopkgtest - name: Run autopkgtest
timeout-minutes: 10 timeout-minutes: 10
if: steps.qemu-image.conclusion != 'skipped' if: steps.qemu-image.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
eatmydata autopkgtest --no-built-binaries --apt-upgrade "$GITHUB_WORKSPACE/deb-src"/*.dsc "${{ env.BUILD_DIR }}"/*.changes -- autopkgtest-virt-qemu --qemu-options="-smp $(nproc --all)" --boot=efi "${{ env.IMAGE }}" . ~/.env
if [ "${{ inputs.machine-arch }}" = "amd64" ];
then
QEMU_OPTIONS="-enable-kvm -cpu host"
elif [ "${{ inputs.machine-arch }}" = "arm64" ];
then
QEMU_OPTIONS="-machine virt -cpu cortex-a710 -accel tcg"
else
exit 1
fi
autopkgtest \
--no-built-binaries \
--setup-commands "apt update && apt install openssl" \
--apt-upgrade \
"${{ github.workspace }}/deb-src"/*.dsc \
"$BUILD_DIR"/*.changes \
-- \
autopkgtest-virt-qemu \
--cpus=$(nproc --all) \
--qemu-options="$QEMU_OPTIONS" \
--boot=efi \
"$IMAGE" \
;
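Review bot: In the new "Check attestation of all incoming artifact archives" step, each path produced by `find -print0 | xargs --null -I'{}'` is pasted verbatim into the `sh -c "…"` string, so the NUL-safe plumbing buys nothing: a file name containing a quote, `$` or a backtick is re-parsed as shell, and the same pattern is carried into the signature-check and signing loops further down. The names here come from this repository's own artifact upload, so the exposure is low, but the verification step is the one place that should not depend on that. Passing the path as a positional parameter keeps the intent; with GNU xargs' default of running the command once on empty input, an empty `deb-src` directory then fails closed instead of passing vacuously (confirm that default on the runner's xargs).
```yaml
      - name: Check attestation of all incoming artifact archives
        # … unchanged: timeout-minutes, if, env …
        run: |
          set -xe
          cd "${{ github.workspace }}/deb-src"
          # Each path reaches the inner shell as "$1", never as shell text.
          find . -type f -print0 | xargs --null -n1 sh -c '
            f="$1"
            echo "::group::Attestation check for $f"
            if gh attestation verify "$f" \
                --repo ${{ github.repository }} \
                --signer-repo ${{ github.repository }} \
                --source-digest ${{ github.sha }} \
                --signer-digest ${{ github.sha }}
            then
              echo "ok."
              echo "::endgroup::"
            else
              echo "::error file=$f::NOT ATTESTED!"
              echo "::endgroup::"
              exit 1
            fi
          ' sh
```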


@ -22,9 +22,7 @@ jobs:
attestations: write attestations: write
uses: ./.github/workflows/deb-src.yml uses: ./.github/workflows/deb-src.yml
with: with:
runs-on: ubuntu-latest runs-on: ubuntu-24.04
dist-name: debian
dist-version: unstable
secrets: secrets:
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }} GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
@ -38,8 +36,9 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
stack: stack:
- { runs-on: "ubuntu-latest", arch: "amd64" } - { runs-on: "ubuntu-24.04", machine-arch: "amd64", build-arch: "amd64", host-arch: "amd64" }
- { runs-on: "ubuntu-24.04-arm", arch: "arm64" } - { runs-on: "ubuntu-24.04", machine-arch: "amd64", build-arch: "ppc64el", host-arch: "ppc64el" }
- { runs-on: "ubuntu-24.04-arm", machine-arch: "arm64", build-arch: "arm64", host-arch: "arm64" }
dist: dist:
- { name: debian, version: unstable } - { name: debian, version: unstable }
- { name: debian, version: forky } # Debian 14 - { name: debian, version: forky } # Debian 14
@ -50,7 +49,9 @@ jobs:
with: with:
deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }} deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
runs-on: ${{ matrix.stack.runs-on }} runs-on: ${{ matrix.stack.runs-on }}
arch: ${{ matrix.stack.arch }} machine-arch: ${{ matrix.stack.machine-arch }}
build-arch: ${{ matrix.stack.build-arch }}
host-arch: ${{ matrix.stack.host-arch }}
dist-name: ${{ matrix.dist.name }} dist-name: ${{ matrix.dist.name }}
dist-version: ${{ matrix.dist.version }} dist-version: ${{ matrix.dist.version }}
secrets: secrets:
@ -61,7 +62,7 @@ jobs:
uses: ./.github/workflows/deb-reprotest.yml uses: ./.github/workflows/deb-reprotest.yml
with: with:
deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }} deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
runs-on: "ubuntu-latest" runs-on: "ubuntu-24.04"
arch: amd64 arch: amd64
dist-name: debian dist-name: debian
dist-version: unstable dist-version: unstable
@ -72,6 +73,8 @@ jobs:
needs: [ source-only, buildd, reprotest ] needs: [ source-only, buildd, reprotest ]
if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master')) if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
uses: ./.github/workflows/deb-publish.yml uses: ./.github/workflows/deb-publish.yml
with:
runs-on: ubuntu-24.04
secrets: secrets:
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }} GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
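Review bot: The `ubuntu-24.04` pins introduced in the matrix stanza and in the `runs-on` values passed to the source-only, reprotest and publish jobs now carry an undocumented coupling: the buildd workflow's "Configure baseline system" step deletes the runner's own apt sources and hard-codes `deb $MIRROR noble main universe`, so the runner label and that suite name must change together, and drifting one of them would install host packages (podman, qemu-user-static) from the wrong release. Put the reason next to the matrix so the next bump does not miss it, e.g. `# ubuntu-24.04 = noble: must match the hard-coded apt suite in the buildd baseline step`. The reprotest call still passes a single `arch: amd64` while buildd now takes `machine-arch`/`build-arch`/`host-arch`; if that asymmetry is intended, a one-line comment there would save the next reader the question.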


@ -1,5 +1,9 @@
on: on:
workflow_call: workflow_call:
inputs:
runs-on:
required: true
type: string
secrets: secrets:
GPG_SECRET_SUBKEYS: GPG_SECRET_SUBKEYS:
required: true required: true
@ -14,49 +18,98 @@ on:
jobs: jobs:
linux: linux:
concurrency: apt.bcachefs.org runs-on: ${{ inputs.runs-on }}
runs-on: ubuntu-latest
container:
image: debian:unstable-slim
options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
env: env:
SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }} SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}
permissions:
id-token: write
contents: read
attestations: write
steps: steps:
- name: Install necessary packages - name: Configure baseline system
timeout-minutes: 2 timeout-minutes: 1
shell: sudo sh "{0}"
run: | run: |
set -xe set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT mount -t tmpfs tmpfs ${{ github.workspace }}
force-unsafe-io echo "set man-db/auto-update false" | debconf-communicate
EOT dpkg-reconfigure man-db
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT mkdir -p /etc/apt/apt.conf.d
Dir::Cache::Archives "/tmp/apt/archives"; mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp"; APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10"; Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false"; APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false"; APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true"; APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true"; APT::Get::Fix-Missing "true";
EOT EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list* rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT tee /etc/apt/sources.list > /dev/null <<EOT
deb http://deb.debian.org/debian unstable main deb http://deb.debian.org/debian unstable main
EOT EOT
apt update apt update
apt full-upgrade apt install eatmydata
apt install \ eatmydata apt full-upgrade
eatmydata apt install \
devscripts \ devscripts \
gettext-base \ gettext-base \
git \ git \
@ -71,6 +124,7 @@ jobs:
apt clean apt clean
- name: Pre-Configure gpg-agent / ssh - name: Pre-Configure gpg-agent / ssh
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
mkdir -p ~/.gnupg ~/.ssh mkdir -p ~/.gnupg ~/.ssh
@ -79,34 +133,35 @@ jobs:
gpgconf --kill gpg-agent gpgconf --kill gpg-agent
gpgconf --launch gpg-agent gpgconf --launch gpg-agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> $GITHUB_ENV echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> ~/.env
echo "" >> /etc/ssh/ssh_known_hosts echo "" >> /etc/ssh/ssh_known_hosts
echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts
- name: Import GPG key - name: Import/Configure GPG
timeout-minutes: 1 timeout-minutes: 1
id: gpg id: gpg
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Finish configuring gpg-agent / ssh
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
run: | run: |
set -xe set -xe
gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye gpg --import <<EOT
- name: Configure GPG ${{ secrets.GPG_SECRET_SUBKEYS }}
timeout-minutes: 1 EOT
if: steps.gpg.conclusion != 'skipped' gpg \
run: | --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
set -xe --armor \
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} --export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT EOT
tee -a ~/.gbp.conf > /dev/null <<EOT tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage] [buildpackage]
@ -121,43 +176,83 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
path: 'bcachefs-tools' path: 'bcachefs-tools'
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/packed-artifacts"
- name: Download all artifacts - name: Download all artifacts
timeout-minutes: 1 timeout-minutes: 1
uses: actions/download-artifact@v5 uses: actions/download-artifact@v5
with: with:
path: packed-artifacts path: packed-artifacts
- name: Unpack all artifacts - name: Check attestation of all incoming artifact archives
timeout-minutes: 1 timeout-minutes: 2
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: | run: |
set -xe set -xe
SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts" cd "${{ github.workspace }}/packed-artifacts"
find . -type f -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack all artifacts
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
SRC_DIR="${{ github.workspace }}/incoming/src-artifacts"
mkdir -p "$SRC_DIR" mkdir -p "$SRC_DIR"
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete find "${{ github.workspace }}/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts" BIN_DIR="${{ github.workspace }}/incoming/bin-artifacts"
mkdir -p "$BIN_DIR" mkdir -p "$BIN_DIR"
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete find "${{ github.workspace }}/packed-artifacts" -type f -name 'artifact-bin-*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
rm -rf "$GITHUB_WORKSPACE/packed-artifacts" rm -rf "${{ github.workspace }}/packed-artifacts"
- name: Ensure that all incoming artifacts are signed - name: Ensure that all incoming artifacts are signed
timeout-minutes: 1 timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped' if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/incoming" cd "${{ github.workspace }}/incoming"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo 'Processing {}' \ echo '::group::Signature check for {}' && \
&& ( \ ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \ ( \
) \ echo '::error file={}::NOT SIGNED!' && \
&& echo 'Processing {}: ok' \ echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
" "
- name: Create and populate repos - name: Create and populate repos
timeout-minutes: 60 timeout-minutes: 60
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
ls -lahR . ~/.env
MOUNTPOINT="$GITHUB_WORKSPACE/remotefs" MOUNTPOINT="${{ github.workspace }}/remotefs"
mkdir -p "$MOUNTPOINT" mkdir -p "$MOUNTPOINT"
if [ -n "${{ secrets.SSH_HOST }}" ]; then if [ -n "${{ secrets.SSH_HOST }}" ]; then
sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT" sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT"
@ -169,18 +264,20 @@ jobs:
fi fi
if [ "${{ (github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master') && 'true' || 'false' }}" = "true" ]; then if [ "${{ (github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master') && 'true' || 'false' }}" = "true" ]; then
export GPG_SIGNING_SUBKEY_FINGERPRINT=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} export GPG_SIGNING_SUBKEY_FINGERPRINT=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
envsubst < "$GITHUB_WORKSPACE/bcachefs-tools/doc/apt.bcachefs.org-README.md" | pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README" envsubst < "${{ github.workspace }}/bcachefs-tools/doc/apt.bcachefs.org-README.md" | \
pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
fi fi
cd "$GITHUB_WORKSPACE/incoming/bin-artifacts" cd "${{ github.workspace }}/incoming/bin-artifacts"
for DIST in * for DIST in *
do do
SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST" echo "::group::Distribution $DIST"
SRCDIR="${{ github.workspace }}/incoming/bin-artifacts/$DIST"
cd "$SRCDIR" cd "$SRCDIR"
REPO="$REPO_ROOT/$DIST" REPO="$REPO_ROOT/$DIST"
mkdir -p "$REPO/conf/distributions" mkdir -p "$REPO/conf/distributions"
tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT tee "$REPO/conf/distributions/${{ env.SUITE }}.conf" > /dev/null <<EOT
Codename: bcachefs-tools-$SUITE Codename: bcachefs-tools-${{ env.SUITE }}
Architectures: source amd64 arm64 Architectures: source amd64 arm64 ppc64el
Components: main Components: main
Contents: Contents:
Origin: apt.bcachefs.org Origin: apt.bcachefs.org
@ -197,12 +294,13 @@ jobs:
verbose verbose
ignore longkeyid ignore longkeyid
EOT EOT
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} "${{ github.workspace }}/incoming/src-artifacts/"*.changes
for f in "$SRCDIR"/*/*.changes for f in "$SRCDIR"/*/*.changes
do do
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} $f
done done
reprepro --basedir "$REPO" createsymlinks reprepro --basedir "$REPO" createsymlinks
reprepro --basedir "$REPO" export reprepro --basedir "$REPO" export
echo '::endgroup::'
done done
umount "$MOUNTPOINT" || /bin/true umount "$MOUNTPOINT" || /bin/true


@ -23,41 +23,89 @@ on:
jobs: jobs:
linux: linux:
runs-on: ${{ inputs.runs-on }} runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /var/lib/schroot/unpack:exec --tmpfs /var/lib/schroot/union/overlay:exec --tmpfs /var/lib/schroot/session:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
attestations: write attestations: write
steps: steps:
- name: Install necessary packages - name: Configure baseline system
timeout-minutes: 1 timeout-minutes: 1
id: init
shell: sudo sh "{0}"
run: | run: |
set -xe set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT mount -t tmpfs tmpfs ${{ github.workspace }}
force-unsafe-io echo "set man-db/auto-update false" | debconf-communicate
EOT dpkg-reconfigure man-db
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT mkdir -p /etc/apt/apt.conf.d
Dir::Cache::Archives "/tmp/apt/archives"; mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp"; APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10"; Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false"; APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false"; APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true"; APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true"; APT::Get::Fix-Missing "true";
EOT EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--tmpfs=/var/lib/schroot/union/overlay \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--privileged \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list* rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT tee /etc/apt/sources.list > /dev/null <<EOT
@ -82,57 +130,104 @@ jobs:
apt clean apt clean
USER=`whoami` USER=`whoami`
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key - name: Import/Configure GPG
timeout-minutes: 1 timeout-minutes: 1
id: gpg id: gpg
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
run: | run: |
set -xe set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
set -xe
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/deb-src"
- name: Download source-only .deb to be built - name: Download source-only .deb to be built
timeout-minutes: 1 timeout-minutes: 1
uses: actions/download-artifact@v5 uses: actions/download-artifact@v5
with: with:
artifact-ids: ${{ inputs.deb-src-artifact-id }} artifact-ids: ${{ inputs.deb-src-artifact-id }}
path: deb-src path: deb-src
- name: Unpack the downloaded tarball - name: Check attestation of all incoming artifact archives
timeout-minutes: 1 timeout-minutes: 1
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" find . -type f -print0 | xargs --null -I'{}' sh -c " \
rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack the downloaded tarball
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "${{ github.workspace }}/deb-src"
tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
rm "${{ github.workspace }}/deb-src/artifact-src.tar"
- name: Ensure that all incoming source artifacts are signed - name: Ensure that all incoming source artifacts are signed
timeout-minutes: 1 timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped' if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo 'Processing {}' \ echo '::group::Signature check for {}' && \
&& ( \ ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \ ( \
) \ echo '::error file={}::NOT SIGNED!' && \
&& echo 'Processing {}: ok' \ echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
" "
- name: Create container for reprotest - name: Create container for reprotest
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
mkdir -p /tmp/chroot/unstable-amd64-sbuild mkdir -p /tmp/chroot/unstable-amd64-sbuild
eatmydata mmdebstrap \ mmdebstrap \
--comp=main \ --comp=main \
--variant=apt \ --variant=apt \
--skip=output/mknod \ --skip=output/mknod \
@ -146,7 +241,10 @@ jobs:
--aptopt='APT::Get::Fix-Missing "true";' \ --aptopt='APT::Get::Fix-Missing "true";' \
--dpkgopt='force-unsafe-io' \ --dpkgopt='force-unsafe-io' \
--dpkgopt='force-confdef' \ --dpkgopt='force-confdef' \
unstable /tmp/chroot/unstable-amd64-sbuild http://deb.debian.org/debian unstable \
/tmp/chroot/unstable-amd64-sbuild \
http://deb.debian.org/debian \
;
chroot /tmp/chroot/unstable-amd64-sbuild apt update chroot /tmp/chroot/unstable-amd64-sbuild apt update
mkdir -p /etc/schroot/chroot.d mkdir -p /etc/schroot/chroot.d
tee /etc/schroot/chroot.d/unstable-amd64-sbuild > /dev/null <<EOT tee /etc/schroot/chroot.d/unstable-amd64-sbuild > /dev/null <<EOT
@ -158,10 +256,21 @@ jobs:
EOT EOT
- name: Run reprotest - name: Run reprotest
timeout-minutes: 10 timeout-minutes: 10
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
useradd -U first-user useradd -U first-user
useradd -U second-user useradd -U second-user
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
# FIXME: not reproducible without --vary=-build_path # FIXME: not reproducible without --vary=-build_path
eatmydata reprotest --no-diffoscope --vary=-build_path --vary=user_group.available+=first-user:first-user --vary=user_group.available+=second-user:second-user --vary=domain_host.use_sudo=1 "$GITHUB_WORKSPACE/deb-src"/*.dsc -- schroot unstable-amd64-sbuild reprotest \
--no-diffoscope \
--vary=-build_path \
--vary=user_group.available+=first-user:first-user \
--vary=user_group.available+=second-user:second-user \
--vary=domain_host.use_sudo=1 \
"${{ github.workspace }}/deb-src"/*.dsc \
-- \
schroot \
unstable-amd64-sbuild \
;
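Review bot: The container that later receives the release signing key in the `Import/Configure GPG` step is started from the mutable `debian:unstable-slim` tag (`export IMAGE=debian:unstable-slim`, `podman pull ${IMAGE}`) with `--privileged` and `/home/runner` bind-mounted, so whatever that tag resolves to on the day runs as root in the build and can read the runner's home directory; the source-build workflow below starts its container the same way. Pin the image by digest, `export IMAGE=debian@sha256:<digest of the audited image>` (placeholder), and bump it deliberately, or at least log `podman image inspect --format '{{.Digest}}' ${IMAGE}` so each build is traceable to an exact image. Relatedly, `gpg --import <<EOT` expands `${{ secrets.GPG_SECRET_SUBKEYS }}` into the step script itself, and the runner writes that script to disk as the `{0}` file before `podman exec` runs it, so the private key now sits in a temp file under the bind-mounted runner home for the duration of the step, where the removed action received it as an input; worth confirming that file is cleaned up after the step. Separately, the removed container options carried `--tmpfs /tmp:exec` while the new `--tmpfs=/tmp` drops `exec`, and podman's default tmpfs options include `noexec`, so the chroot created under `/tmp/chroot/unstable-amd64-sbuild` may not be able to execute anything — add `--tmpfs=/tmp:exec` if reprotest fails there.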


@ -4,12 +4,6 @@ on:
runs-on: runs-on:
required: true required: true
type: string type: string
dist-name:
required: true
type: string
dist-version:
required: true
type: string
outputs: outputs:
deb-src-artifact-id: deb-src-artifact-id:
value: ${{ jobs.linux.outputs.deb-src-artifact-id }} value: ${{ jobs.linux.outputs.deb-src-artifact-id }}
@ -20,43 +14,88 @@ on:
jobs: jobs:
linux: linux:
runs-on: ${{ inputs.runs-on }} runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
env: env:
RUST_VERSION: 1.89.0 RUST_VERSION: 1.89.0
DEBFULLNAME: apt.bcachefs.org CI bot DEBFULLNAME: apt.bcachefs.org CI bot
DEBEMAIL: linux-bcachefs@vger.kernel.org DEBEMAIL: linux-bcachefs@vger.kernel.org
DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
DEBPKG_EPOCH: 1 DEBPKG_EPOCH: 1
steps: steps:
- name: Install necessary packages - name: Configure baseline system
timeout-minutes: 2 timeout-minutes: 1
id: init
shell: sudo sh "{0}"
run: | run: |
set -xe set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT mount -t tmpfs tmpfs ${{ github.workspace }}
force-unsafe-io echo "set man-db/auto-update false" | debconf-communicate
EOT dpkg-reconfigure man-db
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT mkdir -p /etc/apt/apt.conf.d
Dir::Cache::Archives "/tmp/apt/archives"; mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp"; APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10"; Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false"; APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false"; APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true"; APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true"; APT::Get::Fix-Missing "true";
EOT EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list* rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT tee /etc/apt/sources.list > /dev/null <<EOT
@ -66,8 +105,8 @@ jobs:
apt install eatmydata apt install eatmydata
eatmydata apt full-upgrade eatmydata apt full-upgrade
eatmydata apt install \ eatmydata apt install \
${{ inputs.dist-name }}-keyring \
curl \ curl \
debian-keyring \
devscripts \ devscripts \
git \ git \
git-buildpackage \ git-buildpackage \
@ -75,33 +114,40 @@ jobs:
iproute2 \ iproute2 \
mmdebstrap \ mmdebstrap \
sbuild \ sbuild \
sudo \
tar \ tar \
uidmap \ uidmap \
xz-utils \ xz-utils \
zip zip \
;
apt clean apt clean
USER=`whoami` USER=`whoami`
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key - name: Import/Configure GPG
timeout-minutes: 1 timeout-minutes: 1
id: gpg id: gpg
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
run: | run: |
set -xe set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT EOT
tee -a ~/.gbp.conf > /dev/null <<EOT tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage] [buildpackage]
@ -113,13 +159,17 @@ jobs:
EOT EOT
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; \$dpkg_buildpackage_user_options = [
'--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
'--force-sign'
];
EOT EOT
- name: Configure sbuild - name: Configure sbuild
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
BUILD_DIR="$GITHUB_WORKSPACE/deb-src" BUILD_DIR="${{ github.workspace }}/deb-src"
mkdir -p "$BUILD_DIR" mkdir -p "$BUILD_DIR"
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$verbose = 1; \$verbose = 1;
@ -131,12 +181,18 @@ jobs:
EOT EOT
tee -a ~/.sbuildrc > /dev/null <<EOT tee -a ~/.sbuildrc > /dev/null <<EOT
\$external_commands = { \$external_commands = {
'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ] 'chroot-setup-commands' => [
"export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
]
}; };
\$build_environment = { \$build_environment = {
"LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" "LD_PRELOAD" =>
"/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
}; };
\$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$']; \$environment_filter = [
Dpkg::BuildInfo::get_build_env_allowed(),
'^LD_PRELOAD$'
];
push @{\$unshare_mmdebstrap_extra_args}, "*", [ push @{\$unshare_mmdebstrap_extra_args}, "*", [
'--include=eatmydata', '--include=eatmydata',
'--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata', '--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata',
@ -148,10 +204,11 @@ jobs:
EOT EOT
- name: Install Rust / cargo - name: Install Rust / cargo
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
eatmydata curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
eatmydata sh -s -- --default-toolchain $RUST_VERSION --profile minimal -y sh -s -- --default-toolchain ${{ env.RUST_VERSION }} --profile minimal -y
. "$HOME/.cargo/env" . "$HOME/.cargo/env"
- name: Fetch our git repository - name: Fetch our git repository
timeout-minutes: 1 timeout-minutes: 1
@ -162,11 +219,15 @@ jobs:
fetch-tags: true fetch-tags: true
- name: Update package version/changelog - name: Update package version/changelog
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
git config --global user.email "${{ env.DEBFULLNAME }}" export DEBFULLNAME="${{ env.DEBFULLNAME }}"
git config --global user.name "${{ env.DEBEMAIL }}" export DEBEMAIL="${{ env.DEBEMAIL }}"
cd "$GITHUB_WORKSPACE/bcachefs-tools" git config --global user.email "${DEBFULLNAME}"
git config --global user.name "${DEBEMAIL}"
cd "${{ github.workspace }}/bcachefs-tools"
git config --global --add safe.directory .
CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))" CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))"
PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))" PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))"
NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')" NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')"
@ -179,32 +240,51 @@ jobs:
fi fi
- name: Build the source-only .deb package - name: Build the source-only .deb package
timeout-minutes: 10 timeout-minutes: 10
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
. "$HOME/.cargo/env" . "$HOME/.cargo/env"
cd "$GITHUB_WORKSPACE/bcachefs-tools" export DEBFULLNAME="${{ env.DEBFULLNAME }}"
mkdir -p "$GITHUB_WORKSPACE/deb-src" export DEBEMAIL="${{ env.DEBEMAIL }}"
cd "${{ github.workspace }}/bcachefs-tools"
mkdir -p "${{ github.workspace }}/deb-src"
# FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails # FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails
eatmydata gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ inputs.dist-version }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any echo '::group::Building the package'
gbp buildpackage \
--git-verbose \
--git-ignore-branch \
--no-clean \
--git-dist=${{ inputs.dist-version }} \
--git-builder=sbuild \
--source \
--source-only-changes \
--no-arch-all \
--no-arch-any \
;
echo '::endgroup::'
- name: Ensure that all source artifacts are signed, or sign them - name: Ensure that all source artifacts are signed, or sign them
timeout-minutes: 1 timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped' if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo 'Processing {}' && ( \ echo '::group::Signing {}' && \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ ( \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
|| gpg --verbose --detach-sign {} \ gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
) \ gpg --verbose --detach-sign {} \
) && \
echo '::endgroup::' \
" "
- name: Archive source build artifacts - name: Archive source build artifacts
timeout-minutes: 1 timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: | run: |
set -xe set -xe
cd "$GITHUB_WORKSPACE/deb-src" cd "${{ github.workspace }}/deb-src"
tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" * tar -cf "${{ github.workspace }}/deb-src/artifact-src.tar" *
- name: Attest the source-only .deb package artifact - name: Attest the source-only .deb package artifact
timeout-minutes: 1 timeout-minutes: 1
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
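Review bot: `--git-dist=${{ inputs.dist-version }}` in the rewritten `gbp buildpackage` invocation still references `inputs.dist-version`, but this commit deletes the `dist-name` and `dist-version` input declarations from the `workflow_call` block at the top of the file. Unless that input is declared again somewhere outside these hunks, the expression expands to an empty string and gbp is handed a bare `--git-dist=`, whose effect depends on how gbp forwards the distribution to sbuild — most likely a failure, or a build for whatever distribution sbuild picks by default. Either restore the declaration, `dist-version:` / `required: true` / `type: string` (and keep passing it from the caller), or replace the expression with the literal distribution the chroot is configured for.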

3
debian/control vendored

@ -56,7 +56,8 @@ Depends: ${misc:Depends},
initramfs-tools | linux-initramfs-tool, initramfs-tools | linux-initramfs-tool,
linux-headers-generic (>= 6.16) | pve-headers (>= 6.16) [amd64] | linux-headers-generic (>= 6.16) | pve-headers (>= 6.16) [amd64] |
linux-headers-amd64 (>= 6.16) [amd64] | linux-headers-cloud-amd64 (>= 6.16) [amd64] | linux-headers-rt-amd64 (>= 6.16) [amd64] | linux-headers-amd64 (>= 6.16) [amd64] | linux-headers-cloud-amd64 (>= 6.16) [amd64] | linux-headers-rt-amd64 (>= 6.16) [amd64] |
linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64] linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64] |
linux-headers-ppc64el (>= 6.16) [ppc64el] | linux-headers-cloud-ppc64el (>= 6.16) [ppc64el] | linux-headers-rt-ppc64el (>= 6.16) [ppc64el]
Pre-Depends: bcachefs-tools (= ${binary:Version}), Pre-Depends: bcachefs-tools (= ${binary:Version}),
Provides: bcachefs-kernel Provides: bcachefs-kernel
Description: bcachefs kernel module DKMS source Description: bcachefs kernel module DKMS source