alex/bcachefs-tools
1
0
Fork 0
mirror of https://github.com/koverstreet/bcachefs-tools.git synced 2025-12-08 00:00:12 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Merge pull request #446 from LebedevRI/debian

Browse Source 
Deb PPA rewrite, adding packages for ppc64el
This commit is contained in:
koverstreet 2025-10-05 14:01:50 -04:00 committed by GitHub
commit 5ec60f7f0f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 712 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

310
.github/workflows/deb-buildd.yml vendored
View File

@ -7,7 +7,13 @@ on:
runs-on:
required: true
type: string
arch:
machine-arch:
required: true
type: string
build-arch:
required: true
type: string
host-arch:
required: true
type: string
dist-name:
@ -23,45 +29,94 @@ on:
jobs:
linux:
runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
env:
DEBFULLNAME: apt.bcachefs.org CI bot
DEBEMAIL: linux-bcachefs@vger.kernel.org
DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
permissions:
id-token: write
contents: read
attestations: write
steps:
- name: Install necessary packages
timeout-minutes: 2
- name: Configure baseline system
timeout-minutes: 1
shell: sudo sh "{0}"
run: |
set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
force-unsafe-io
EOT
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
Dir::Cache::Archives "/tmp/apt/archives";
mount -t tmpfs tmpfs ${{ github.workspace }}
echo "set man-db/auto-update false" | debconf-communicate
dpkg-reconfigure man-db
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
if [ "${{ inputs.machine-arch }}" = "amd64" ];
then
MIRROR="http://archive.ubuntu.com/ubuntu"
else
MIRROR="http://ports.ubuntu.com/ubuntu-ports"
fi
tee /etc/apt/sources.list > /dev/null <<EOT
deb $MIRROR noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
qemu-user-static \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--privileged \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
@ -72,6 +127,7 @@ jobs:
eatmydata apt full-upgrade
eatmydata apt install \
${{ inputs.dist-name }}-keyring \
arch-test \
autopkgtest \
curl \
devscripts \
@ -81,11 +137,13 @@ jobs:
fdisk \
gnupg \
iproute2 \
ipxe-qemu \
libarchive13 \
mmdebstrap \
mtools \
ovmf \
qemu-efi-aarch64 \
qemu-kvm \
qemu-utils \
sbuild \
sudo \
@ -99,25 +157,32 @@ jobs:
apt clean
USER=`whoami`
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key
- name: Import/Configure GPG
timeout-minutes: 1
id: gpg
if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT
tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage]
@ -129,20 +194,25 @@ jobs:
EOT
tee -a ~/.sbuildrc > /dev/null <<EOT
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
\$dpkg_buildpackage_user_options = [
'--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
'--force-sign'
];
EOT
- name: Configure sbuild
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"
echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> $GITHUB_ENV
BUILD_DIR="${{ github.workspace }}/deb-bin/${{ inputs.dist-version }}/${{ inputs.host-arch }}"
echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> ~/.env
mkdir -p "$BUILD_DIR"
tee -a ~/.sbuildrc > /dev/null <<EOT
\$verbose = 1;
\$build_dir = '$BUILD_DIR';
\$distribution = '${{ inputs.dist-version }}';
#\$host_arch = '${{ inputs.arch }}';
\$build_arch = '${{ inputs.build-arch }}';
\$host_arch = '${{ inputs.host-arch }}';
\$chroot_mode = 'unshare';
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
\$run_lintian = 1;
@ -157,12 +227,18 @@ jobs:
then
tee -a ~/.sbuildrc > /dev/null <<EOT
\$external_commands = {
'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ]
'chroot-setup-commands' => [
"export LD_PRELOAD=/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
]
};
\$build_environment = {
"LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
"LD_PRELOAD" =>
"/usr/lib/$(dpkg-architecture -a "${{ inputs.build-arch }}" -q DEB_HOST_MULTIARCH)/libeatmydata.so"
};
\$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$'];
\$environment_filter = [
Dpkg::BuildInfo::get_build_env_allowed(),
'^LD_PRELOAD$'
];
push @{\$unshare_mmdebstrap_extra_args}, "*", [
'--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata'
];
@ -171,10 +247,10 @@ jobs:
if [ "${{ inputs.dist-name }}" = "debian" ];
then
MIRROR="http://deb.debian.org/debian"
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ];
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" = "amd64" ];
then
MIRROR="http://archive.ubuntu.com/ubuntu"
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ];
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.build-arch }}" != "amd64" ];
then
MIRROR="http://ports.ubuntu.com/ubuntu-ports"
else
@ -189,7 +265,7 @@ jobs:
else
exit 1
fi
echo "MIRROR=$(echo ${MIRROR})" >> $GITHUB_ENV
echo "MIRROR=$(echo ${MIRROR})" >> ~/.env
if [ "${{ inputs.dist-name }}" = "debian" ];
then
tee -a ~/.sbuildrc > /dev/null <<EOT
@ -224,63 +300,114 @@ jobs:
];
EOT
fi
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/deb-src"
- name: Download source-only .deb to be built
timeout-minutes: 1
uses: actions/download-artifact@v5
with:
artifact-ids: ${{ inputs.deb-src-artifact-id }}
path: deb-src
- name: Unpack the downloaded tarball
- name: Check attestation of all incoming artifact archives
timeout-minutes: 1
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
cd "${{ github.workspace }}/deb-src"
find . -type f -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack the downloaded tarball
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "${{ github.workspace }}/deb-src"
tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
rm "${{ github.workspace }}/deb-src/artifact-src.tar"
- name: Ensure that all incoming source artifacts are signed
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
echo 'Processing {}' \
&& ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \
) \
&& echo 'Processing {}: ok' \
cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Signature check for {}' && \
( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
( \
echo '::error file={}::NOT SIGNED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Build the package
timeout-minutes: 10
timeout-minutes: 60
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-bin"
cd "${{ github.workspace }}/deb-bin"
if [ "${{ inputs.dist-name }}" = "ubuntu" ];
then
export DEB_BUILD_OPTIONS=noautodbgsym
fi
eatmydata sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc
echo '::group::Building the package'
sbuild \
--verbose \
--arch-any \
--arch-all \
"${{ github.workspace }}/deb-src/"*.dsc \
;
echo '::endgroup::'
- name: Ensure that all binary artifacts are signed, or sign them
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-bin"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
echo 'Processing {}' && ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|| gpg --verbose --detach-sign {} \
) \
cd "${{ github.workspace }}/deb-bin"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Signing {}' && \
( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
gpg --verbose --detach-sign {} \
) && \
echo '::endgroup::' \
"
- name: Archive build artifacts
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-bin"
tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" *
cd "${{ github.workspace }}/deb-bin"
tar -cf "${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar" *
- name: Attest build artifact
timeout-minutes: 1
if: github.event_name != 'pull_request'
@ -292,8 +419,8 @@ jobs:
id: deb-bin-upload
uses: actions/upload-artifact@v4
with:
name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar
path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar'
name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar
path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar'
if-no-files-found: error
compression-level: 0
- name: Attest uploaded build artifact
@ -301,20 +428,45 @@ jobs:
if: github.event_name != 'pull_request'
uses: actions/attest-build-provenance@v3
with:
subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip
subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.host-arch }}.tar.zip
subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}
- name: Build Qemu image for autopkgtest
timeout-minutes: 2
id: qemu-image
if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.arch == 'amd64'
if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.machine-arch == 'amd64' && inputs.build-arch == inputs.machine-arch && inputs.host-arch == inputs.build-arch
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
. ~/.env
IMAGE="/tmp/autopkgtest-qemu-image.qcow2"
echo "IMAGE=$(echo ${IMAGE})" >> $GITHUB_ENV
eatmydata mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "${{ env.MIRROR }}" "${{ inputs.dist-version }}" "$IMAGE"
echo "IMAGE=$(echo ${IMAGE})" >> ~/.env
mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "$MIRROR" "${{ inputs.dist-version }}" "$IMAGE"
- name: Run autopkgtest
timeout-minutes: 10
if: steps.qemu-image.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
eatmydata autopkgtest --no-built-binaries --apt-upgrade "$GITHUB_WORKSPACE/deb-src"/*.dsc "${{ env.BUILD_DIR }}"/*.changes -- autopkgtest-virt-qemu --qemu-options="-smp $(nproc --all)" --boot=efi "${{ env.IMAGE }}"
. ~/.env
if [ "${{ inputs.machine-arch }}" = "amd64" ];
then
QEMU_OPTIONS="-enable-kvm -cpu host"
elif [ "${{ inputs.machine-arch }}" = "arm64" ];
then
QEMU_OPTIONS="-machine virt -cpu cortex-a710 -accel tcg"
else
exit 1
fi
autopkgtest \
--no-built-binaries \
--setup-commands "apt update && apt install openssl" \
--apt-upgrade \
"${{ github.workspace }}/deb-src"/*.dsc \
"$BUILD_DIR"/*.changes \
-- \
autopkgtest-virt-qemu \
--cpus=$(nproc --all) \
--qemu-options="$QEMU_OPTIONS" \
--boot=efi \
"$IMAGE" \
;

17
.github/workflows/deb-orchestrator.yml vendored
View File

@ -22,9 +22,7 @@ jobs:
attestations: write
uses: ./.github/workflows/deb-src.yml
with:
runs-on: ubuntu-latest
dist-name: debian
dist-version: unstable
runs-on: ubuntu-24.04
secrets:
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
@ -38,8 +36,9 @@ jobs:
fail-fast: false
matrix:
stack:
- { runs-on: "ubuntu-latest", arch: "amd64" }
- { runs-on: "ubuntu-24.04-arm", arch: "arm64" }
- { runs-on: "ubuntu-24.04", machine-arch: "amd64", build-arch: "amd64", host-arch: "amd64" }
- { runs-on: "ubuntu-24.04", machine-arch: "amd64", build-arch: "ppc64el", host-arch: "ppc64el" }
- { runs-on: "ubuntu-24.04-arm", machine-arch: "arm64", build-arch: "arm64", host-arch: "arm64" }
dist:
- { name: debian, version: unstable }
- { name: debian, version: forky } # Debian 14
@ -50,7 +49,9 @@ jobs:
with:
deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
runs-on: ${{ matrix.stack.runs-on }}
arch: ${{ matrix.stack.arch }}
machine-arch: ${{ matrix.stack.machine-arch }}
build-arch: ${{ matrix.stack.build-arch }}
host-arch: ${{ matrix.stack.host-arch }}
dist-name: ${{ matrix.dist.name }}
dist-version: ${{ matrix.dist.version }}
secrets:
@ -61,7 +62,7 @@ jobs:
uses: ./.github/workflows/deb-reprotest.yml
with:
deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
runs-on: "ubuntu-latest"
runs-on: "ubuntu-24.04"
arch: amd64
dist-name: debian
dist-version: unstable
@ -72,6 +73,8 @@ jobs:
needs: [ source-only, buildd, reprotest ]
if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
uses: ./.github/workflows/deb-publish.yml
with:
runs-on: ubuntu-24.04
secrets:
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}

236
.github/workflows/deb-publish.yml vendored
View File

@ -1,5 +1,9 @@
on:
workflow_call:
inputs:
runs-on:
required: true
type: string
secrets:
GPG_SECRET_SUBKEYS:
required: true
@ -14,49 +18,98 @@ on:
jobs:
linux:
concurrency: apt.bcachefs.org
runs-on: ubuntu-latest
container:
image: debian:unstable-slim
options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
runs-on: ${{ inputs.runs-on }}
env:
SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}
permissions:
id-token: write
contents: read
attestations: write
steps:
- name: Install necessary packages
timeout-minutes: 2
- name: Configure baseline system
timeout-minutes: 1
shell: sudo sh "{0}"
run: |
set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
force-unsafe-io
EOT
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
Dir::Cache::Archives "/tmp/apt/archives";
mount -t tmpfs tmpfs ${{ github.workspace }}
echo "set man-db/auto-update false" | debconf-communicate
dpkg-reconfigure man-db
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://deb.debian.org/debian unstable main
EOT
apt update
apt full-upgrade
apt install \
apt install eatmydata
eatmydata apt full-upgrade
eatmydata apt install \
devscripts \
gettext-base \
git \
@ -71,6 +124,7 @@ jobs:
apt clean
- name: Pre-Configure gpg-agent / ssh
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
mkdir -p ~/.gnupg ~/.ssh
@ -79,34 +133,35 @@ jobs:
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> $GITHUB_ENV
echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> ~/.env
echo "" >> /etc/ssh/ssh_known_hosts
echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts
- name: Import GPG key
- name: Import/Configure GPG
timeout-minutes: 1
id: gpg
if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Finish configuring gpg-agent / ssh
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
run: |
set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT
tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage]
@ -121,43 +176,83 @@ jobs:
uses: actions/checkout@v4
with:
path: 'bcachefs-tools'
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/packed-artifacts"
- name: Download all artifacts
timeout-minutes: 1
uses: actions/download-artifact@v5
with:
path: packed-artifacts
- name: Unpack all artifacts
timeout-minutes: 1
- name: Check attestation of all incoming artifact archives
timeout-minutes: 2
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: |
set -xe
SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts"
cd "${{ github.workspace }}/packed-artifacts"
find . -type f -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack all artifacts
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
SRC_DIR="${{ github.workspace }}/incoming/src-artifacts"
mkdir -p "$SRC_DIR"
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts"
find "${{ github.workspace }}/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
BIN_DIR="${{ github.workspace }}/incoming/bin-artifacts"
mkdir -p "$BIN_DIR"
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
rm -rf "$GITHUB_WORKSPACE/packed-artifacts"
find "${{ github.workspace }}/packed-artifacts" -type f -name 'artifact-bin-*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
rm -rf "${{ github.workspace }}/packed-artifacts"
- name: Ensure that all incoming artifacts are signed
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/incoming"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
echo 'Processing {}' \
&& ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \
) \
&& echo 'Processing {}: ok' \
cd "${{ github.workspace }}/incoming"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Signature check for {}' && \
( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
( \
echo '::error file={}::NOT SIGNED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Create and populate repos
timeout-minutes: 60
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
ls -lahR
MOUNTPOINT="$GITHUB_WORKSPACE/remotefs"
. ~/.env
MOUNTPOINT="${{ github.workspace }}/remotefs"
mkdir -p "$MOUNTPOINT"
if [ -n "${{ secrets.SSH_HOST }}" ]; then
sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT"
@ -169,18 +264,20 @@ jobs:
fi
if [ "${{ (github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master') && 'true' || 'false' }}" = "true" ]; then
export GPG_SIGNING_SUBKEY_FINGERPRINT=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
envsubst < "$GITHUB_WORKSPACE/bcachefs-tools/doc/apt.bcachefs.org-README.md" | pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
envsubst < "${{ github.workspace }}/bcachefs-tools/doc/apt.bcachefs.org-README.md" | \
pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
fi
cd "$GITHUB_WORKSPACE/incoming/bin-artifacts"
cd "${{ github.workspace }}/incoming/bin-artifacts"
for DIST in *
do
SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST"
echo "::group::Distribution $DIST"
SRCDIR="${{ github.workspace }}/incoming/bin-artifacts/$DIST"
cd "$SRCDIR"
REPO="$REPO_ROOT/$DIST"
mkdir -p "$REPO/conf/distributions"
tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT
Codename: bcachefs-tools-$SUITE
Architectures: source amd64 arm64
tee "$REPO/conf/distributions/${{ env.SUITE }}.conf" > /dev/null <<EOT
Codename: bcachefs-tools-${{ env.SUITE }}
Architectures: source amd64 arm64 ppc64el
Components: main
Contents:
Origin: apt.bcachefs.org
@ -197,12 +294,13 @@ jobs:
verbose
ignore longkeyid
EOT
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} "${{ github.workspace }}/incoming/src-artifacts/"*.changes
for f in "$SRCDIR"/*/*.changes
do
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-${{ env.SUITE }} $f
done
reprepro --basedir "$REPO" createsymlinks
reprepro --basedir "$REPO" export
echo '::endgroup::'
done
umount "$MOUNTPOINT" || /bin/true

205
.github/workflows/deb-reprotest.yml vendored
View File

@ -23,41 +23,89 @@ on:
jobs:
linux:
runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /var/lib/schroot/unpack:exec --tmpfs /var/lib/schroot/union/overlay:exec --tmpfs /var/lib/schroot/session:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
permissions:
id-token: write
contents: read
attestations: write
steps:
- name: Install necessary packages
- name: Configure baseline system
timeout-minutes: 1
id: init
shell: sudo sh "{0}"
run: |
set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
force-unsafe-io
EOT
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
Dir::Cache::Archives "/tmp/apt/archives";
mount -t tmpfs tmpfs ${{ github.workspace }}
echo "set man-db/auto-update false" | debconf-communicate
dpkg-reconfigure man-db
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--tmpfs=/var/lib/schroot/union/overlay \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--privileged \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
@ -82,57 +130,104 @@ jobs:
apt clean
USER=`whoami`
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key
- name: Import/Configure GPG
timeout-minutes: 1
id: gpg
if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
set -xe
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
- name: Ensure that the download directory does not exist
timeout-minutes: 1
run: |
set -xe
rm -rf "${{ github.workspace }}/deb-src"
- name: Download source-only .deb to be built
timeout-minutes: 1
uses: actions/download-artifact@v5
with:
artifact-ids: ${{ inputs.deb-src-artifact-id }}
path: deb-src
- name: Unpack the downloaded tarball
- name: Check attestation of all incoming artifact archives
timeout-minutes: 1
if: github.event_name != 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
cd "${{ github.workspace }}/deb-src"
find . -type f -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Attestation check for {}' && \
( \
gh attestation verify \
{} \
--repo ${{ github.repository }} \
--signer-repo ${{ github.repository }} \
--source-digest ${{ github.sha }} \
--signer-digest ${{ github.sha }} \
|| \
( \
echo '::error file={}::NOT ATTESTED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Unpack the downloaded tarball
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "${{ github.workspace }}/deb-src"
tar -xf "${{ github.workspace }}/deb-src/artifact-src.tar"
rm "${{ github.workspace }}/deb-src/artifact-src.tar"
- name: Ensure that all incoming source artifacts are signed
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
echo 'Processing {}' \
&& ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \
) \
&& echo 'Processing {}: ok' \
cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Signature check for {}' && \
( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
( \
echo '::error file={}::NOT SIGNED!' && \
echo '::endgroup::' && \
exit 1 \
) \
) && \
echo 'ok.' && \
echo '::endgroup::' \
"
- name: Create container for reprotest
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
mkdir -p /tmp/chroot/unstable-amd64-sbuild
eatmydata mmdebstrap \
mmdebstrap \
--comp=main \
--variant=apt \
--skip=output/mknod \
@ -146,7 +241,10 @@ jobs:
--aptopt='APT::Get::Fix-Missing "true";' \
--dpkgopt='force-unsafe-io' \
--dpkgopt='force-confdef' \
unstable /tmp/chroot/unstable-amd64-sbuild http://deb.debian.org/debian
unstable \
/tmp/chroot/unstable-amd64-sbuild \
http://deb.debian.org/debian \
;
chroot /tmp/chroot/unstable-amd64-sbuild apt update
mkdir -p /etc/schroot/chroot.d
tee /etc/schroot/chroot.d/unstable-amd64-sbuild > /dev/null <<EOT
@ -158,10 +256,21 @@ jobs:
EOT
- name: Run reprotest
timeout-minutes: 10
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
useradd -U first-user
useradd -U second-user
cd "$GITHUB_WORKSPACE/deb-src"
cd "${{ github.workspace }}/deb-src"
# FIXME: not reproducible without --vary=-build_path
eatmydata reprotest --no-diffoscope --vary=-build_path --vary=user_group.available+=first-user:first-user --vary=user_group.available+=second-user:second-user --vary=domain_host.use_sudo=1 "$GITHUB_WORKSPACE/deb-src"/*.dsc -- schroot unstable-amd64-sbuild
reprotest \
--no-diffoscope \
--vary=-build_path \
--vary=user_group.available+=first-user:first-user \
--vary=user_group.available+=second-user:second-user \
--vary=domain_host.use_sudo=1 \
"${{ github.workspace }}/deb-src"/*.dsc \
-- \
schroot \
unstable-amd64-sbuild \
;

210
.github/workflows/deb-src.yml vendored
View File

@ -4,12 +4,6 @@ on:
runs-on:
required: true
type: string
dist-name:
required: true
type: string
dist-version:
required: true
type: string
outputs:
deb-src-artifact-id:
value: ${{ jobs.linux.outputs.deb-src-artifact-id }}
@ -20,43 +14,88 @@ on:
jobs:
linux:
runs-on: ${{ inputs.runs-on }}
container:
image: debian:unstable-slim
options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
env:
RUST_VERSION: 1.89.0
DEBFULLNAME: apt.bcachefs.org CI bot
DEBEMAIL: linux-bcachefs@vger.kernel.org
DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
DEBPKG_EPOCH: 1
steps:
- name: Install necessary packages
timeout-minutes: 2
- name: Configure baseline system
timeout-minutes: 1
id: init
shell: sudo sh "{0}"
run: |
set -xe
tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
force-unsafe-io
EOT
tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
Dir::Cache::Archives "/tmp/apt/archives";
mount -t tmpfs tmpfs ${{ github.workspace }}
echo "set man-db/auto-update false" | debconf-communicate
dpkg-reconfigure man-db
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
EOT
mkdir -p /tmp/apt/archives
tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
Acquire::Retries "10";
EOT
tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
APT::Install-Recommends "false";
EOT
tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
APT::Install-Suggests "false";
EOT
tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
APT::Get::Assume-Yes "true";
EOT
tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
deb http://archive.ubuntu.com/ubuntu noble main universe
EOT
apt update
apt install eatmydata
eatmydata apt install \
podman \
;
apt clean
- name: Start the container
timeout-minutes: 1
shell: sudo eatmydata sh "{0}"
run: |
set -xe
export IMAGE=debian:unstable-slim
podman pull ${IMAGE}
podman run \
--name container \
--image-volume=tmpfs \
--tmpfs=/run \
--tmpfs=/tmp \
--tmpfs=/var/tmp \
--volume=/home/runner:/home/runner \
--volume=${{ github.workspace }}:${{ github.workspace }} \
--cap-add=SYS_ADMIN \
--security-opt=apparmor:unconfined \
--interactive \
--tty \
--detach \
${IMAGE} \
/usr/bin/sh \
;
- name: Install necessary packages
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container sh "{0}"
run: |
set -xe
mkdir -p /etc/apt/apt.conf.d
mkdir -p /etc/dpkg/dpkg.cfg.d
tee /etc/apt/apt.conf.d/99gh > /dev/null <<EOT
APT::ExtractTemplates::TempDir "/tmp/apt/temp";
Acquire::Retries "10";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Assume-Yes "true";
APT::Get::Fix-Missing "true";
EOT
tee /etc/dpkg/dpkg.cfg.d/99gh > /dev/null <<EOT
force-unsafe-io
force-confdef
EOT
rm -rf /var/lib/apt/lists/*
rm -rf /etc/apt/sources.list*
tee /etc/apt/sources.list > /dev/null <<EOT
@ -66,8 +105,8 @@ jobs:
apt install eatmydata
eatmydata apt full-upgrade
eatmydata apt install \
${{ inputs.dist-name }}-keyring \
curl \
debian-keyring \
devscripts \
git \
git-buildpackage \
@ -75,33 +114,40 @@ jobs:
iproute2 \
mmdebstrap \
sbuild \
sudo \
tar \
uidmap \
xz-utils \
zip
zip \
;
apt clean
USER=`whoami`
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import GPG key
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
- name: Import/Configure GPG
timeout-minutes: 1
id: gpg
if: github.event_name != 'pull_request'
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
with:
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trust_level: 5
- name: Configure GPG
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
gpg --import <<EOT
${{ secrets.GPG_SECRET_SUBKEYS }}
EOT
gpg \
--output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
--armor \
--export \
${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} \
;
rm -f ~/.gnupg/trustedkeys.gpg
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
gpg \
--no-default-keyring \
--keyring ~/.gnupg/trustedkeys.gpg \
--import \
/etc/apt/trusted.gpg.d/apt.bcachefs.org.asc \
;
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
trusted-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
EOT
tee -a ~/.gbp.conf > /dev/null <<EOT
[buildpackage]
@ -113,13 +159,17 @@ jobs:
EOT
tee -a ~/.sbuildrc > /dev/null <<EOT
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
\$dpkg_buildpackage_user_options = [
'--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}',
'--force-sign'
];
EOT
- name: Configure sbuild
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
BUILD_DIR="$GITHUB_WORKSPACE/deb-src"
BUILD_DIR="${{ github.workspace }}/deb-src"
mkdir -p "$BUILD_DIR"
tee -a ~/.sbuildrc > /dev/null <<EOT
\$verbose = 1;
@ -131,12 +181,18 @@ jobs:
EOT
tee -a ~/.sbuildrc > /dev/null <<EOT
\$external_commands = {
'chroot-setup-commands' => [ "export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so" ]
'chroot-setup-commands' => [
"export LD_PRELOAD=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
]
};
\$build_environment = {
"LD_PRELOAD" => "/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
"LD_PRELOAD" =>
"/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE)/libeatmydata.so"
};
\$environment_filter = [Dpkg::BuildInfo::get_build_env_allowed(), '^LD_PRELOAD$'];
\$environment_filter = [
Dpkg::BuildInfo::get_build_env_allowed(),
'^LD_PRELOAD$'
];
push @{\$unshare_mmdebstrap_extra_args}, "*", [
'--include=eatmydata',
'--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata',
@ -148,10 +204,11 @@ jobs:
EOT
- name: Install Rust / cargo
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
eatmydata curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
eatmydata sh -s -- --default-toolchain $RUST_VERSION --profile minimal -y
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
sh -s -- --default-toolchain ${{ env.RUST_VERSION }} --profile minimal -y
. "$HOME/.cargo/env"
- name: Fetch our git repository
timeout-minutes: 1
@ -162,11 +219,15 @@ jobs:
fetch-tags: true
- name: Update package version/changelog
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
git config --global user.email "${{ env.DEBFULLNAME }}"
git config --global user.name "${{ env.DEBEMAIL }}"
cd "$GITHUB_WORKSPACE/bcachefs-tools"
export DEBFULLNAME="${{ env.DEBFULLNAME }}"
export DEBEMAIL="${{ env.DEBEMAIL }}"
git config --global user.email "${DEBFULLNAME}"
git config --global user.name "${DEBEMAIL}"
cd "${{ github.workspace }}/bcachefs-tools"
git config --global --add safe.directory .
CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))"
PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))"
NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')"
@ -179,32 +240,51 @@ jobs:
fi
- name: Build the source-only .deb package
timeout-minutes: 10
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
. "$HOME/.cargo/env"
cd "$GITHUB_WORKSPACE/bcachefs-tools"
mkdir -p "$GITHUB_WORKSPACE/deb-src"
export DEBFULLNAME="${{ env.DEBFULLNAME }}"
export DEBEMAIL="${{ env.DEBEMAIL }}"
cd "${{ github.workspace }}/bcachefs-tools"
mkdir -p "${{ github.workspace }}/deb-src"
# FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails
eatmydata gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ inputs.dist-version }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any
echo '::group::Building the package'
gbp buildpackage \
--git-verbose \
--git-ignore-branch \
--no-clean \
--git-dist=${{ inputs.dist-version }} \
--git-builder=sbuild \
--source \
--source-only-changes \
--no-arch-all \
--no-arch-any \
;
echo '::endgroup::'
- name: Ensure that all source artifacts are signed, or sign them
timeout-minutes: 1
if: steps.gpg.conclusion != 'skipped'
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
echo 'Processing {}' && ( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|| gpg --verbose --detach-sign {} \
) \
cd "${{ github.workspace }}/deb-src"
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c " \
echo '::group::Signing {}' && \
( \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} || \
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig || \
gpg --verbose --detach-sign {} \
) && \
echo '::endgroup::' \
"
- name: Archive source build artifacts
timeout-minutes: 1
shell: sudo podman exec --interactive --tty container eatmydata sh "{0}"
run: |
set -xe
cd "$GITHUB_WORKSPACE/deb-src"
tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" *
cd "${{ github.workspace }}/deb-src"
tar -cf "${{ github.workspace }}/deb-src/artifact-src.tar" *
- name: Attest the source-only .deb package artifact
timeout-minutes: 1
if: github.event_name != 'pull_request'

3
debian/control vendored
View File

@ -56,7 +56,8 @@ Depends: ${misc:Depends},
initramfs-tools | linux-initramfs-tool,
linux-headers-generic (>= 6.16) | pve-headers (>= 6.16) [amd64] |
linux-headers-amd64 (>= 6.16) [amd64] | linux-headers-cloud-amd64 (>= 6.16) [amd64] | linux-headers-rt-amd64 (>= 6.16) [amd64] |
linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64]
linux-headers-arm64 (>= 6.16) [arm64] | linux-headers-cloud-arm64 (>= 6.16) [arm64] | linux-headers-rt-arm64 (>= 6.16) [arm64] |
linux-headers-ppc64el (>= 6.16) [ppc64el] | linux-headers-cloud-ppc64el (>= 6.16) [ppc64el] | linux-headers-rt-ppc64el (>= 6.16) [ppc64el]
Pre-Depends: bcachefs-tools (= ${binary:Version}),
Provides: bcachefs-kernel
Description: bcachefs kernel module DKMS source