Merge pull request #407 from LebedevRI/debian

debian package vendoring and PPA

.github/workflows/deb-buildd.yml

@@ -0,0 +1,199 @@
+on:
+  workflow_call:
+    inputs:
+      deb-src-artifact-id:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      arch:
+        required: true
+        type: string
+      dist:
+        required: true
+        type: string
+    secrets:
+      GPG_SECRET_SUBKEYS:
+      GPG_SIGNING_SUBKEY_FINGERPRINT:
+
+jobs:
+  linux:
+    runs-on: ${{ inputs.runs-on }}
+    container:
+      image: debian:unstable-slim
+      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec
+    env:
+      DEBFULLNAME: apt.bcachefs.org CI bot
+      DEBEMAIL: linux-bcachefs@vger.kernel.org
+      DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Install necessary packages
+        timeout-minutes: 1
+        run: |
+          set -xe
+          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
+          force-unsafe-io
+          EOT
+          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
+          Dir::Cache::Archives "/tmp/apt/archives";
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          EOT
+          mkdir -p /tmp/apt/archives
+          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
+          Acquire::Retries "10";
+          EOT
+          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
+          APT::Install-Recommends "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
+          APT::Install-Suggests "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
+          APT::Get::Assume-Yes "true";
+          EOT
+          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
+          APT::Get::Fix-Missing "true";
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://deb.debian.org/debian unstable main
+          EOT
+          apt update
+          apt full-upgrade
+          apt install \
+            curl \
+            debian-keyring \
+            devscripts \
+            gpg \
+            iproute2 \
+            mmdebstrap \
+            sbuild \
+            sudo \
+            tar \
+            uidmap \
+            xz-utils \
+            zip
+          apt clean
+          USER=`whoami`
+          sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
+          BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist }}/${{ inputs.arch }}"
+          mkdir -p "$BUILD_DIR"
+          tee ~/.sbuildrc > /dev/null <<EOT
+          \$verbose = 0;
+          \$build_dir = '$BUILD_DIR';
+          \$distribution = '${{ inputs.dist }}';
+          #\$host_arch = '${{ inputs.arch }}';
+          \$chroot_mode = 'unshare';
+          \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
+          \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
+          EOT
+          if    [ "${{ inputs.dist }}" != "unstable" ] \
+             && [ "${{ inputs.dist }}" != "testing" ];
+          then
+          tee -a ~/.sbuildrc > /dev/null <<EOT
+          \$extra_repositories = [
+            'deb http://deb.debian.org/debian ${{ inputs.dist }}-updates main',
+            'deb http://deb.debian.org/debian ${{ inputs.dist }}-backports main'
+          ];
+          EOT
+          fi
+      - name: Import GPG key
+        timeout-minutes: 1
+        id: gpg
+        if: github.event_name != 'pull_request'
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
+          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trust_level: 5
+      - name: Configure GPG
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
+          default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a  ~/.gbp.conf > /dev/null <<EOT
+          [buildpackage]
+          sign-tags = True
+          keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.devscripts > /dev/null <<EOT
+          DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.sbuildrc > /dev/null <<EOT
+          \$verbose = 1;
+          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
+          EOT
+      - name: Download source-only .deb to be built
+        timeout-minutes: 1
+        uses: actions/download-artifact@v5
+        with:
+          artifact-ids: ${{ inputs.deb-src-artifact-id }}
+          path: deb-src
+      - name: Unpack the downloaded tarball
+        timeout-minutes: 1
+        run: |
+          set -xe
+          cd "$GITHUB_WORKSPACE/deb-src"
+          tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
+      - name: Ensure that source package is signed
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes
+      - name: Build the package
+        timeout-minutes: 10
+        run: |
+          set -xe
+          cd "$GITHUB_WORKSPACE/deb-bin/"
+          sbuild --verbose "$GITHUB_WORKSPACE/deb-src/"*.dsc
+      - name: Sign the .deb's
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          find "$GITHUB_WORKSPACE/deb-bin/" -type f -name '*.deb' -exec gpg --verbose --detach-sign {} ';'
+      - name: Ensure that binary package is signed
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          cd "$GITHUB_WORKSPACE/deb-bin/"
+          find -name '*.changes' -print0 | xargs -0 dscverify --verbose
+      - name: Archive build artifacts
+        timeout-minutes: 1
+        run: |
+          set -xe
+          cd "$GITHUB_WORKSPACE/deb-bin/"
+          tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar" *
+      - name: Attest build artifact
+        timeout-minutes: 1
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: '${{ github.workspace }}/deb-bin'
+      - name: Upload build artifact archive
+        timeout-minutes: 1
+        id: deb-bin-upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar
+          path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar'
+          if-no-files-found: error
+          compression-level: 0
+      - name: Attest uploaded build artifact
+        timeout-minutes: 1
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar.zip
+          subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}

.github/workflows/deb-orchestrator.yml

@@ -0,0 +1,58 @@
+name: .deb build orchestrator
+
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - "**"
+    tags:
+      - v*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  source-only:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    uses: ./.github/workflows/deb-src.yml
+    secrets:
+      GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+      GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+  buildd:
+    needs: source-only
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    strategy:
+      fail-fast: false
+      matrix:
+        stack:
+          - { runs-on: "ubuntu-latest",    arch: "amd64" }
+          - { runs-on: "ubuntu-24.04-arm", arch: "arm64" }
+        dist: [ unstable, forky, trixie ]
+    uses: ./.github/workflows/deb-buildd.yml
+    with:
+      deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
+      runs-on: ${{ matrix.stack.runs-on }}
+      arch: ${{ matrix.stack.arch }}
+      dist: ${{ matrix.dist }}
+    secrets:
+      GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+      GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+  publish:
+    needs: [ source-only, buildd ]
+    if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
+    uses: ./.github/workflows/deb-publish.yml
+    secrets:
+      GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+      GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+      GPG_AUTH_SUBKEY_KEYGRIP: ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }}
+      SSH_HOST: ${{ secrets.SSH_HOST }}
+      SSH_SERVER_KEYS: ${{ secrets.SSH_SERVER_KEYS }}

.github/workflows/deb-publish.yml

@@ -0,0 +1,197 @@
+on:
+  workflow_call:
+    secrets:
+      GPG_SECRET_SUBKEYS:
+        required: true
+      GPG_SIGNING_SUBKEY_FINGERPRINT:
+        required: true
+      GPG_AUTH_SUBKEY_KEYGRIP:
+        required: true
+      SSH_HOST:
+        required: true
+      SSH_SERVER_KEYS:
+        required: true
+
+jobs:
+  linux:
+    concurrency: apt.bcachefs.org
+    runs-on: ubuntu-latest
+    container:
+      image: debian:unstable-slim
+      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec
+    env:
+      SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}
+    steps:
+      - name: Install necessary packages
+        timeout-minutes: 1
+        run: |
+          set -xe
+          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
+          force-unsafe-io
+          EOT
+          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
+          Dir::Cache::Archives "/tmp/apt/archives";
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          EOT
+          mkdir -p /tmp/apt/archives
+          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
+          Acquire::Retries "10";
+          EOT
+          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
+          APT::Install-Recommends "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
+          APT::Install-Suggests "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
+          APT::Get::Assume-Yes "true";
+          EOT
+          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
+          APT::Get::Fix-Missing "true";
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://deb.debian.org/debian unstable main
+          EOT
+          apt update
+          apt full-upgrade
+          apt install \
+            devscripts \
+            gnupg \
+            gpg-agent \
+            openssh-client \
+            reprepro \
+            sshfs \
+            tar \
+            xz-utils \
+            zip
+          apt clean
+      - name: Configure gpg-agent / ssh
+        timeout-minutes: 1
+        run: |
+          set -xe
+          mkdir -p ~/.gnupg ~/.ssh
+          echo "" >> ~/.gnupg/gpg-agent.conf
+          echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+          echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> $GITHUB_ENV
+          echo "" >> /etc/ssh/ssh_known_hosts
+          echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts
+      - name: Import GPG key
+        timeout-minutes: 1
+        if: github.event_name != 'pull_request'
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
+          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trust_level: 5
+      - name: Configure GPG
+        timeout-minutes: 1
+        run: |
+          set -xe
+          gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye
+          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
+          default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a  ~/.gbp.conf > /dev/null <<EOT
+          [buildpackage]
+          sign-tags = True
+          keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.devscripts > /dev/null <<EOT
+          DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.sbuildrc > /dev/null <<EOT
+          \$verbose = 1;
+          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
+          EOT
+      - name: Download all artifacts
+        timeout-minutes: 1
+        uses: actions/download-artifact@v5
+        with:
+          path: packed-artifacts
+      - name: Unpack all artifacts
+        timeout-minutes: 1
+        run: |
+          set -xe
+          SRC_DIR="$GITHUB_WORKSPACE/src-artifacts"
+          mkdir -p "$SRC_DIR"
+          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
+          BIN_DIR="$GITHUB_WORKSPACE/bin-artifacts"
+          mkdir -p "$BIN_DIR"
+          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
+          rm -rf "$GITHUB_WORKSPACE/packed-artifacts"
+      - name: Create and populate repos
+        timeout-minutes: 60
+        run: |
+          set -xe
+          ls -lahR
+          MOUNTPOINT="$GITHUB_WORKSPACE/remotefs"
+          mkdir -p "$MOUNTPOINT"
+          sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT"
+          REPO_ROOT="$MOUNTPOINT/public_html"
+          mkdir -p "$REPO_ROOT"
+          cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT"
+          cat > "$REPO_ROOT/README.txt" <<EOF
+          To add this repository to your computer, do:
+
+
+              wget -qO- https://apt.bcachefs.org/apt.bcachefs.org.asc | sudo tee /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+              # Fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+              sudo cat > "/etc/apt/sources.list.d/apt.bcachefs.org.sources" <<EOF
+              Types: deb deb-src
+              URIs: https://apt.bcachefs.org/unstable/
+              Suites: bcachefs-tools-snapshot # or -release
+              Components: main
+              Signed-By: /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+              EOF
+              sudo apt update
+              sudo apt install bcachefs-tools
+
+
+
+          For more information, see:
+          https://wiki.debian.org/DebianRepository/UseThirdParty
+
+          Source, Debian tarballs and dsc files can be verified using https://github.com/sigstore/rekor.
+          EOF
+          cd "$GITHUB_WORKSPACE/bin-artifacts"
+          for DIST in *
+          do
+          SRCDIR="$GITHUB_WORKSPACE/bin-artifacts/$DIST"
+          cd "$SRCDIR"
+          REPO="$REPO_ROOT/$DIST"
+          mkdir -p "$REPO/conf/distributions"
+          tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT
+          Codename: bcachefs-tools-$SUITE
+          Architectures: source amd64 arm64
+          Components: main
+          Contents:
+          Origin: apt.bcachefs.org
+          Label: apt.bcachefs.org Packages
+          Description: bcachefs APT repository
+          SignWith: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          Signed-By: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          Uploaders: uploaders
+          EOT
+          tee "$REPO/conf/uploaders" > /dev/null <<EOT
+          allow * by key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee "$REPO/conf/options" > /dev/null <<EOT
+          verbose
+          ignore longkeyid
+          EOT
+          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/src-artifacts/"*.changes
+          for f in "$SRCDIR"/*/*.changes
+          do
+          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f
+          done
+          reprepro --basedir "$REPO" createsymlinks
+          reprepro --basedir "$REPO" export
+          done
+          umount "$MOUNTPOINT"

.github/workflows/deb-src.yml

@@ -0,0 +1,192 @@
+on:
+  workflow_call:
+    outputs:
+      deb-src-artifact-id:
+        value: ${{ jobs.linux.outputs.deb-src-artifact-id }}
+    secrets:
+      GPG_SECRET_SUBKEYS:
+      GPG_SIGNING_SUBKEY_FINGERPRINT:
+
+jobs:
+  linux:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:unstable-slim
+      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec
+    env:
+      DIST: unstable
+      ARCH: x86_64
+      RUST_VERSION: 1.89.0
+      DEBFULLNAME: apt.bcachefs.org CI bot
+      DEBEMAIL: linux-bcachefs@vger.kernel.org
+      DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
+      DEBPKG_EPOCH: 1
+    steps:
+      - name: Install necessary packages
+        timeout-minutes: 1
+        run: |
+          set -xe
+          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
+          force-unsafe-io
+          EOT
+          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
+          Dir::Cache::Archives "/tmp/apt/archives";
+          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
+          EOT
+          mkdir -p /tmp/apt/archives
+          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
+          Acquire::Retries "10";
+          EOT
+          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
+          APT::Install-Recommends "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
+          APT::Install-Suggests "false";
+          EOT
+          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
+          APT::Get::Assume-Yes "true";
+          EOT
+          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
+          APT::Get::Fix-Missing "true";
+          EOT
+          rm -rf /var/lib/apt/lists/*
+          rm -rf /etc/apt/sources.list*
+          tee /etc/apt/sources.list > /dev/null <<EOT
+          deb http://deb.debian.org/debian unstable main
+          EOT
+          apt update
+          apt full-upgrade
+          apt install \
+            curl \
+            devscripts \
+            git \
+            git-buildpackage \
+            gpg \
+            iproute2 \
+            mmdebstrap \
+            sbuild \
+            sudo \
+            tar \
+            uidmap \
+            xz-utils \
+            zip
+          apt clean
+          USER=`whoami`
+          sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
+          tee ~/.sbuildrc > /dev/null <<EOT
+          \$build_dir = '$GITHUB_WORKSPACE/deb-src';
+          \$chroot_mode = 'unshare';
+          \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
+          \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
+          EOT
+      - name: Import GPG key
+        timeout-minutes: 1
+        id: gpg
+        if: github.event_name != 'pull_request'
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
+          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          trust_level: 5
+      - name: Configure GPG
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
+          tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
+          default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a  ~/.gbp.conf > /dev/null <<EOT
+          [buildpackage]
+          sign-tags = True
+          keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.devscripts > /dev/null <<EOT
+          DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+          EOT
+          tee -a ~/.sbuildrc > /dev/null <<EOT
+          \$verbose = 1;
+          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
+          EOT
+      - name: Install Rust / cargo
+        timeout-minutes: 1
+        run: |
+          set -xe
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain $RUST_VERSION --profile minimal -y
+          . "$HOME/.cargo/env"
+      - name: Fetch our git repository
+        timeout-minutes: 1
+        uses: actions/checkout@v4
+        with:
+          path: 'bcachefs-tools'
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Update package version/changelog
+        timeout-minutes: 1
+        run: |
+          set -xe
+          git config --global user.email "${{ env.DEBFULLNAME }}"
+          git config --global user.name "${{ env.DEBEMAIL }}"
+          cd "$GITHUB_WORKSPACE/bcachefs-tools/"
+          CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))"
+          PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))"
+          NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')"
+          git checkout -B WIP
+          export EDITOR=/bin/true
+          if [ "${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}" = "release" ]; then
+          gbp dch --new-version="$NEW_VERSION" --since=$PREV_TAG --release --commit
+          else
+          gbp dch --new-version="$NEW_VERSION" --since=$CURR_TAG --snapshot --snapshot-number=`date -u +%Y%m%d%H%M%S` --commit
+          fi
+      - name: Build the source-only .deb package
+        timeout-minutes: 10
+        run: |
+          set -xe
+          . "$HOME/.cargo/env"
+          cd "$GITHUB_WORKSPACE/bcachefs-tools/"
+          mkdir -p "$GITHUB_WORKSPACE/deb-src"
+          # FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails
+          gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ env.DIST }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any
+      - name: Sign the source tarball
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          find "$GITHUB_WORKSPACE/deb-src/" -type f -name '*.tar.*' -exec gpg --verbose --detach-sign {} ';'
+      - name: Ensure that source package is signed
+        timeout-minutes: 1
+        if: steps.gpg.conclusion != 'skipped'
+        run: |
+          set -xe
+          dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes
+      - name: Archive source build artifacts
+        timeout-minutes: 1
+        run: |
+          set -xe
+          cd "$GITHUB_WORKSPACE/deb-src/"
+          tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" *
+      - name: Attest the source-only .deb package artifact
+        timeout-minutes: 1
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: '${{ github.workspace }}/deb-src'
+      - name: Upload the source-only .deb package artifact archive
+        timeout-minutes: 1
+        id: deb-src-upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifact-src.tar
+          path: '${{ github.workspace }}/deb-src/artifact-src.tar'
+          if-no-files-found: error
+          compression-level: 0
+      - name: Attest the uploaded source-only .deb package artifact
+        timeout-minutes: 1
+        uses: actions/attest-build-provenance@v3
+        id: upload
+        with:
+          subject-name: artifact-src.tar.zip
+          subject-digest: sha256:${{ steps.deb-src-upload.outputs.artifact-digest }}
+    outputs:
+      deb-src-artifact-id: ${{ steps.deb-src-upload.outputs.artifact-id }}

Makefile

@@ -62,7 +62,7 @@ ifdef CARGO_TOOLCHAIN_VERSION
   CARGO_TOOLCHAIN = +$(CARGO_TOOLCHAIN_VERSION)
 endif
 
-CARGO_ARGS=${CARGO_TOOLCHAIN}
+override CARGO_ARGS+=${CARGO_TOOLCHAIN}
 CARGO=cargo $(CARGO_ARGS)
 CARGO_PROFILE=release
 # CARGO_PROFILE=debug

debian/cargo.config

@@ -0,0 +1,8 @@
+[net]
+offline = true
+
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"

debian/changelog

@@ -1,3 +1,10 @@
+bcachefs-tools (1:1.31.0) unstable; urgency=medium
+
+  * Fix package, build against vendored deps
+  * Implement apt.bcachefs.org repo
+
+ -- Roman Lebedev <lebedev.ri@gmail.com>  Tue, 16 Sep 2025 12:50:36 +0300
+
 bcachefs-tools (1:1.13.0-1~exp1) experimental; urgency=medium
 
   * QA Upload

debian/control

@@ -1,19 +1,16 @@
 Source: bcachefs-tools
-Maintainer: Debian QA Group <packages@qa.debian.org>
+Maintainer: Roman Lebedev <lebedev.ri@gmail.com>
 Section: utils
 Priority: optional
 Standards-Version: 4.7.0
 Rules-Requires-Root: no
 Build-Depends: debhelper-compat (= 13),
                cargo,
-               rustfmt,
-               python3:native,
-               pkgconf,
-               python3-docutils,
-               python3-pytest,
+               jq,
                libaio-dev,
-               libfuse3-dev,
                libblkid-dev,
+               libclang-dev,
+               libfuse3-dev,
                libkeyutils-dev,
                liblz4-dev,
                libscrypt-dev,
@@ -21,39 +18,14 @@ Build-Depends: debhelper-compat (= 13),
                libudev-dev,
                liburcu-dev,
                libzstd-dev,
+               pkgconf,
+               python3-docutils,
+               python3-pytest,
+               python3:native,
+               rustfmt,
                systemd-dev,
                uuid-dev,
                zlib1g-dev,
-#              -- Cargo.toml
-               librust-atty-0.2-dev (>= 0.2.14-~~),
-               librust-log-0.4-dev,
-               librust-log-0+std-dev,
-               librust-clap-4-dev (>= 4.0.32-~~),
-               librust-clap-4+derive-dev,
-               librust-clap-4+wrap-help-dev,
-               librust-clap-complete-4-dev (>= 4.3.2-~~),
-	       librust-chrono-dev,
-	       librust-gag-dev,
-	       librust-getset-dev,
-               librust-anyhow-1.0-dev,
-               librust-libc-0.2-dev,
-               librust-udev-0-dev (>= 0.7-~~),
-               librust-uuid-1-dev (>= 1.2.2-~~),
-               librust-errno-0-dev (>= 0.2),
-               librust-either-1-dev (>= 1.5),
-               librust-rpassword-7-dev,
-               librust-byteorder-1-dev (>= 1.3),
-	       librust-owo-colors-dev,
-	       librust-strum-dev (>= 0.26),
-	       librust-env-logger-dev,
-#              -- bch_bindgen/Cargo.toml
-#              anyhow, uuid, byteorder are covered above
-               librust-bitfield-0-dev (>= 0.14.0-~~),
-               librust-memoffset-dev,
-               librust-bitflags-1-dev (>= 1.3.2-~~),
-               librust-paste-1.0-dev,
-               librust-pkg-config-0.3-dev,
-               librust-bindgen-0.70-dev
 Homepage: https://bcachefs.org/
 Vcs-Git: https://salsa.debian.org/debian/bcachefs-tools.git
 Vcs-Browser: https://salsa.debian.org/debian/bcachefs-tools

debian/gbp.conf

@@ -2,4 +2,10 @@
 pristine-tar = False
 upstream-tag = v%(version)s
 ignore-branch = True
+cleaner =
+export-dir = ../bcachefs-tools-deb-export-dir
+postexport = cargo vendor
+compression = xz
+compression-level = 9
 
+[buildpackage]

debian/rules

@@ -3,6 +3,8 @@
 include /usr/share/dpkg/architecture.mk
 include /usr/share/rustc/architecture.mk
 
+export DH_VERBOSE=1
+
 export DEB_HOST_RUST_TYPE DEB_HOST_GNU_TYPE
 
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
@@ -10,6 +12,12 @@ export CARGO=/usr/share/cargo/bin/cargo
 export CARGO_HOME=$(CURDIR)/debian/cargo_home
 export DEB_CARGO_CRATE=bcachefs-tools_$(DEB_VERSION_UPSTREAM)
 
+NUMJOBS = 1
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+    NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+    MAKEFLAGS += -j$(NUMJOBS)
+endif
+
 PREFIX := /usr
 ROOT_SBINDIR := /usr/sbin
 
@@ -19,23 +27,30 @@ ifeq ($(DEB_BUILD_ARCH),amd64)
     DEB_BUILD_MAINT_OPTIONS += optimize=-lto
 endif
 
-%:
-	dh $@
+export CARGO_ARGS = "--frozen"
 
-override_dh_auto_configure:
-	$(CARGO) prepare-debian $(CURDIR)/vendor --link-from-system
+%:
+	dh $@ --parallel
+
+override_dh_clean:
+	# HACK: breaks cargo checksumming by deleting some vendored files.
+
+cargo_config:
+	rm -rf .cargo
+	mkdir -p .cargo
+	cp debian/cargo.config .cargo/config.toml
 
 override_dh_auto_build:
-	$(RM) Cargo.lock
-	dh_auto_build -- CARGO="$(CARGO)"
-
-override_dh_auto_install:
-	dh_auto_install -- "PREFIX=$(PREFIX)" "ROOT_SBINDIR=$(ROOT_SBINDIR)"
+	$(MAKE) -f debian/rules cargo_config
+	dh_auto_build
 
 override_dh_auto_clean:
-	! [ -d $(CURDIR)/vendor ] || $(RM) -r $(CURDIR)/vendor
-	! [ -d $(CARGO_HOME) ] || $(RM) -r $(CARGO_HOME)
-	$(RM) Cargo.lock
+	$(MAKE) -f debian/rules cargo_config
 	dh_auto_clean
+	rm -rf .cargo
+
+override_dh_usrlocal:
+	# FIXME: fails with
+	# dh_usrlocal: error: debian/bcachefs-tools/usr/local/libexec/bcachefsck_all is not a directory
 
 override_dh_auto_test:

debian/source/format

@@ -1 +1 @@
-3.0 (quilt)
+3.0 (native)

debian/source/options

@@ -0,0 +1,36 @@
+tar-ignore=*.a
+tar-ignore=*.la
+tar-ignore=*.o
+tar-ignore=*.so
+tar-ignore=.*.sw?
+tar-ignore=*/*~
+tar-ignore=,,*
+tar-ignore=.[#~]*
+tar-ignore=.arch-ids
+tar-ignore=.arch-inventory
+tar-ignore=.be
+tar-ignore=.bzr
+tar-ignore=.bzr.backup
+tar-ignore=.bzr.tags
+tar-ignore=.bzrignore
+tar-ignore=.cvsignore
+tar-ignore=.deps
+tar-ignore=.git
+tar-ignore=.gitattributes
+#tar-ignore=.gitignore
+#tar-ignore=.gitmodules
+tar-ignore=.gitreview
+tar-ignore=.hg
+tar-ignore=.hgignore
+tar-ignore=.hgsigs
+tar-ignore=.hgtags
+tar-ignore=.mailmap
+tar-ignore=.mtn-ignore
+tar-ignore=.shelf
+tar-ignore=.svn
+tar-ignore=CVS
+tar-ignore=DEADJOE
+tar-ignore=RCS
+tar-ignore=_MTN
+tar-ignore=_darcs
+tar-ignore={arch}