More Debian / Ubuntu / PPA stuff
Signed-off-by: Roman Lebedev <lebedev.ri@gmail.com>
parent
8a61c2cb15
commit
9674212ba6
156
.github/workflows/deb-buildd.yml
vendored
@ -10,7 +10,10 @@ on:
|
||||
arch:
|
||||
required: true
|
||||
type: string
|
||||
dist:
|
||||
dist-name:
|
||||
required: true
|
||||
type: string
|
||||
dist-version:
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
@ -67,8 +70,8 @@ jobs:
|
||||
apt update
|
||||
apt full-upgrade
|
||||
apt install \
|
||||
${{ inputs.dist-name }}-keyring \
|
||||
curl \
|
||||
debian-keyring \
|
||||
devscripts \
|
||||
gpg \
|
||||
iproute2 \
|
||||
@ -82,27 +85,6 @@ jobs:
|
||||
apt clean
|
||||
USER=`whoami`
|
||||
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
|
||||
BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist }}/${{ inputs.arch }}"
|
||||
mkdir -p "$BUILD_DIR"
|
||||
tee ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 0;
|
||||
\$build_dir = '$BUILD_DIR';
|
||||
\$distribution = '${{ inputs.dist }}';
|
||||
#\$host_arch = '${{ inputs.arch }}';
|
||||
\$chroot_mode = 'unshare';
|
||||
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
|
||||
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
|
||||
EOT
|
||||
if [ "${{ inputs.dist }}" != "unstable" ] \
|
||||
&& [ "${{ inputs.dist }}" != "testing" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$extra_repositories = [
|
||||
'deb http://deb.debian.org/debian ${{ inputs.dist }}-updates main',
|
||||
'deb http://deb.debian.org/debian ${{ inputs.dist }}-backports main'
|
||||
];
|
||||
EOT
|
||||
fi
|
||||
- name: Import GPG key
|
||||
timeout-minutes: 1
|
||||
id: gpg
|
||||
@ -118,11 +100,12 @@ jobs:
|
||||
run: |
|
||||
set -xe
|
||||
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
rm -f ~/.gnupg/trustedkeys.gpg
|
||||
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
|
||||
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
|
||||
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
[buildpackage]
|
||||
sign-tags = True
|
||||
keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
@ -131,9 +114,82 @@ jobs:
|
||||
DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 1;
|
||||
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
|
||||
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
|
||||
EOT
|
||||
- name: Configure sbuild
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"
|
||||
mkdir -p "$BUILD_DIR"
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 1;
|
||||
\$build_dir = '$BUILD_DIR';
|
||||
\$distribution = '${{ inputs.dist-version }}';
|
||||
#\$host_arch = '${{ inputs.arch }}';
|
||||
\$chroot_mode = 'unshare';
|
||||
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
|
||||
EOT
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'--variant=apt'
|
||||
];
|
||||
EOT
|
||||
if [ "${{ inputs.dist-name }}" = "debian" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'http://deb.debian.org/debian',
|
||||
'--keyring=/usr/share/keyrings/debian-keyring.gpg',
|
||||
'--components=main'
|
||||
];
|
||||
EOT
|
||||
fi
|
||||
if [ "${{ inputs.dist-name }}" = "debian" ] && [ "${{ inputs.dist-version }}" != "unstable" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$extra_repositories = [
|
||||
'deb http://deb.debian.org/debian ${{ inputs.dist-version }}-updates main',
|
||||
'deb http://deb.debian.org/debian ${{ inputs.dist-version }}-backports main'
|
||||
];
|
||||
EOT
|
||||
fi
|
||||
if [ "${{ inputs.dist-name }}" = "ubuntu" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg',
|
||||
'--components=main,universe'
|
||||
];
|
||||
EOT
|
||||
fi
|
||||
if [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'http://archive.ubuntu.com/ubuntu',
|
||||
];
|
||||
\$extra_repositories = [
|
||||
'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-updates main universe',
|
||||
'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-security main universe',
|
||||
'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-backports main universe',
|
||||
];
|
||||
EOT
|
||||
elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ];
|
||||
then
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'http://ports.ubuntu.com/ubuntu-ports',
|
||||
];
|
||||
\$extra_repositories = [
|
||||
'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-updates main universe',
|
||||
'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-security main universe',
|
||||
'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-backports main universe',
|
||||
];
|
||||
EOT
|
||||
fi
|
||||
- name: Download source-only .deb to be built
|
||||
timeout-minutes: 1
|
||||
uses: actions/download-artifact@v5
|
||||
@ -146,37 +202,51 @@ jobs:
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/deb-src"
|
||||
tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
|
||||
- name: Ensure that source package is signed
|
||||
rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
|
||||
- name: Ensure that all incoming source artifacts are signed
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes
|
||||
cd "$GITHUB_WORKSPACE/deb-src"
|
||||
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
|
||||
echo 'Processing {}' \
|
||||
&& ( \
|
||||
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|
||||
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|
||||
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \
|
||||
) \
|
||||
&& echo 'Processing {}: ok' \
|
||||
"
|
||||
- name: Build the package
|
||||
timeout-minutes: 10
|
||||
run: |
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/deb-bin/"
|
||||
sbuild --verbose "$GITHUB_WORKSPACE/deb-src/"*.dsc
|
||||
- name: Sign the .deb's
|
||||
cd "$GITHUB_WORKSPACE/deb-bin"
|
||||
if [ "${{ inputs.dist-name }}" = "ubuntu" ];
|
||||
then
|
||||
export DEB_BUILD_OPTIONS=noautodbgsym
|
||||
fi
|
||||
sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc
|
||||
- name: Ensure that all binary artifacts are signed, or sign them
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
find "$GITHUB_WORKSPACE/deb-bin/" -type f -name '*.deb' -exec gpg --verbose --detach-sign {} ';'
|
||||
- name: Ensure that binary package is signed
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/deb-bin/"
|
||||
find -name '*.changes' -print0 | xargs -0 dscverify --verbose
|
||||
cd "$GITHUB_WORKSPACE/deb-bin"
|
||||
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
|
||||
echo 'Processing {}' && ( \
|
||||
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|
||||
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|
||||
|| gpg --verbose --detach-sign {} \
|
||||
) \
|
||||
"
|
||||
- name: Archive build artifacts
|
||||
timeout-minutes: 1
|
||||
run: |
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/deb-bin/"
|
||||
tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar" *
|
||||
cd "$GITHUB_WORKSPACE/deb-bin"
|
||||
tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" *
|
||||
- name: Attest build artifact
|
||||
timeout-minutes: 1
|
||||
if: github.event_name != 'pull_request'
|
||||
@ -188,8 +258,8 @@ jobs:
|
||||
id: deb-bin-upload
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar
|
||||
path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar'
|
||||
name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar
|
||||
path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar'
|
||||
if-no-files-found: error
|
||||
compression-level: 0
|
||||
- name: Attest uploaded build artifact
|
||||
@ -197,5 +267,5 @@ jobs:
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar.zip
|
||||
subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip
|
||||
subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}
|
||||
|
||||
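Review bot: In the new "Ensure that all incoming source artifacts are signed" step, `xargs --null -I'{}' sh -c "…{}…"` pastes each file name into the shell script text, so a name containing quotes, `;` or `$(…)` from the unpacked `artifact-src.tar` is interpreted by `sh` before any signature has been checked. Pass the name as a positional argument and quote it instead, as in the excerpt below, which also names the data file explicitly for the detached-signature case. The same loop appears in the "or sign them" step of this file and in the verification steps of deb-publish.yml and deb-src.yml, where the same change applies.

```yaml
        run: |
          # … unchanged: set -xe …
          cd "$GITHUB_WORKSPACE/deb-src"
          find . -type f -not -iname '*.sig' -print0 | xargs --null -n1 sh -c '
            f=$1
            echo "Processing $f"
            gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f" \
              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f.sig" "$f" \
              || { echo "Processing $f: NOT SIGNED!"; exit 1; }
            echo "Processing $f: ok"
          ' sh
```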
15
.github/workflows/deb-orchestrator.yml
vendored
@ -21,6 +21,10 @@ jobs:
|
||||
contents: read
|
||||
attestations: write
|
||||
uses: ./.github/workflows/deb-src.yml
|
||||
with:
|
||||
runs-on: ubuntu-latest
|
||||
dist-name: debian
|
||||
dist-version: unstable
|
||||
secrets:
|
||||
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
|
||||
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
@ -36,19 +40,24 @@ jobs:
|
||||
stack:
|
||||
- { runs-on: "ubuntu-latest", arch: "amd64" }
|
||||
- { runs-on: "ubuntu-24.04-arm", arch: "arm64" }
|
||||
dist: [ unstable, forky, trixie ]
|
||||
dist:
|
||||
- { name: debian, version: unstable }
|
||||
- { name: debian, version: forky } # Debian 14
|
||||
- { name: debian, version: trixie } # Debian 13
|
||||
- { name: ubuntu, version: questing } # Ubuntu 25.10 (Questing Quokka) Beta
|
||||
- { name: ubuntu, version: plucky } # Ubuntu 25.04 (Plucky Puffin)
|
||||
uses: ./.github/workflows/deb-buildd.yml
|
||||
with:
|
||||
deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
|
||||
runs-on: ${{ matrix.stack.runs-on }}
|
||||
arch: ${{ matrix.stack.arch }}
|
||||
dist: ${{ matrix.dist }}
|
||||
dist-name: ${{ matrix.dist.name }}
|
||||
dist-version: ${{ matrix.dist.version }}
|
||||
secrets:
|
||||
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
|
||||
GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
publish:
|
||||
needs: [ source-only, buildd ]
|
||||
if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
|
||||
uses: ./.github/workflows/deb-publish.yml
|
||||
secrets:
|
||||
GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
|
||||
|
||||
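Review bot: The `dist` matrix now spans two distribution families, but the names derived from it elsewhere on this page use only the codename: deb-buildd.yml builds `BUILD_DIR` and `artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar` from `dist-version` and `arch`, and deb-publish.yml creates one repository per directory name under `bin-artifacts`. Debian and Ubuntu codenames do not collide today, so nothing breaks, but the assumption is implicit. A comment above the list would record it, for example `# codenames must be unique across debian and ubuntu: artifact names and repo paths are keyed on version only`.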
47
.github/workflows/deb-publish.yml
vendored
@ -67,7 +67,7 @@ jobs:
|
||||
xz-utils \
|
||||
zip
|
||||
apt clean
|
||||
- name: Configure gpg-agent / ssh
|
||||
- name: Pre-Configure gpg-agent / ssh
|
||||
timeout-minutes: 1
|
||||
run: |
|
||||
set -xe
|
||||
@ -82,23 +82,31 @@ jobs:
|
||||
echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts
|
||||
- name: Import GPG key
|
||||
timeout-minutes: 1
|
||||
id: gpg
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
|
||||
with:
|
||||
gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
|
||||
fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
trust_level: 5
|
||||
- name: Configure GPG
|
||||
- name: Finish configuring gpg-agent / ssh
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye
|
||||
- name: Configure GPG
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
rm -f ~/.gnupg/trustedkeys.gpg
|
||||
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
|
||||
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
|
||||
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
[buildpackage]
|
||||
sign-tags = True
|
||||
keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
@ -106,10 +114,6 @@ jobs:
|
||||
tee -a ~/.devscripts > /dev/null <<EOT
|
||||
DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 1;
|
||||
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
|
||||
EOT
|
||||
- name: Download all artifacts
|
||||
timeout-minutes: 1
|
||||
uses: actions/download-artifact@v5
|
||||
@ -119,13 +123,28 @@ jobs:
|
||||
timeout-minutes: 1
|
||||
run: |
|
||||
set -xe
|
||||
SRC_DIR="$GITHUB_WORKSPACE/src-artifacts"
|
||||
SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts"
|
||||
mkdir -p "$SRC_DIR"
|
||||
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
|
||||
BIN_DIR="$GITHUB_WORKSPACE/bin-artifacts"
|
||||
BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts"
|
||||
mkdir -p "$BIN_DIR"
|
||||
find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
|
||||
rm -rf "$GITHUB_WORKSPACE/packed-artifacts"
|
||||
- name: Ensure that all incoming artifacts are signed
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/incoming"
|
||||
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
|
||||
echo 'Processing {}' \
|
||||
&& ( \
|
||||
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|
||||
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|
||||
|| (echo 'Processing {}: NOT SIGNED!' && exit 1) \
|
||||
) \
|
||||
&& echo 'Processing {}: ok' \
|
||||
"
|
||||
- name: Create and populate repos
|
||||
timeout-minutes: 60
|
||||
run: |
|
||||
@ -133,7 +152,9 @@ jobs:
|
||||
ls -lahR
|
||||
MOUNTPOINT="$GITHUB_WORKSPACE/remotefs"
|
||||
mkdir -p "$MOUNTPOINT"
|
||||
if [ -n "${{ secrets.SSH_HOST }}" ]; then
|
||||
sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT"
|
||||
fi
|
||||
REPO_ROOT="$MOUNTPOINT/public_html"
|
||||
mkdir -p "$REPO_ROOT"
|
||||
cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT"
|
||||
@ -169,10 +190,10 @@ jobs:
|
||||
|
||||
Source, Debian tarballs and dsc files can be verified using https://github.com/sigstore/rekor.
|
||||
EOR
|
||||
cd "$GITHUB_WORKSPACE/bin-artifacts"
|
||||
cd "$GITHUB_WORKSPACE/incoming/bin-artifacts"
|
||||
for DIST in *
|
||||
do
|
||||
SRCDIR="$GITHUB_WORKSPACE/bin-artifacts/$DIST"
|
||||
SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST"
|
||||
cd "$SRCDIR"
|
||||
REPO="$REPO_ROOT/$DIST"
|
||||
mkdir -p "$REPO/conf/distributions"
|
||||
@ -195,7 +216,7 @@ jobs:
|
||||
verbose
|
||||
ignore longkeyid
|
||||
EOT
|
||||
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/src-artifacts/"*.changes
|
||||
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes
|
||||
for f in "$SRCDIR"/*/*.changes
|
||||
do
|
||||
reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f
|
||||
@ -203,4 +224,4 @@ jobs:
|
||||
reprepro --basedir "$REPO" createsymlinks
|
||||
reprepro --basedir "$REPO" export
|
||||
done
|
||||
umount "$MOUNTPOINT"
|
||||
umount "$MOUNTPOINT" || /bin/true
|
||||
|
||||
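Review bot: `umount "$MOUNTPOINT" || /bin/true` at the end of "Create and populate repos" hides an unmount failure even when the sshfs mount was made, so a run that could not detach the remote filesystem cleanly still reports success. Reuse the condition this commit adds around `sshfs` instead of swallowing the error: `if [ -n "${{ secrets.SSH_HOST }}" ]; then umount "$MOUNTPOINT"; fi`. Note also that with `SSH_HOST` empty the step populates a local directory that is discarded and the job still goes green; an explicit `echo` in an `else` branch would make that visible in the log. The step's script starts and continues outside the hunks shown here.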
74
.github/workflows/deb-src.yml
vendored
@ -1,5 +1,15 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
runs-on:
|
||||
required: true
|
||||
type: string
|
||||
dist-name:
|
||||
required: true
|
||||
type: string
|
||||
dist-version:
|
||||
required: true
|
||||
type: string
|
||||
outputs:
|
||||
deb-src-artifact-id:
|
||||
value: ${{ jobs.linux.outputs.deb-src-artifact-id }}
|
||||
@ -9,13 +19,11 @@ on:
|
||||
|
||||
jobs:
|
||||
linux:
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ${{ inputs.runs-on }}
|
||||
container:
|
||||
image: debian:unstable-slim
|
||||
options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec
|
||||
env:
|
||||
DIST: unstable
|
||||
ARCH: x86_64
|
||||
RUST_VERSION: 1.89.0
|
||||
DEBFULLNAME: apt.bcachefs.org CI bot
|
||||
DEBEMAIL: linux-bcachefs@vger.kernel.org
|
||||
@ -57,6 +65,7 @@ jobs:
|
||||
apt update
|
||||
apt full-upgrade
|
||||
apt install \
|
||||
${{ inputs.dist-name }}-keyring \
|
||||
curl \
|
||||
devscripts \
|
||||
git \
|
||||
@ -73,12 +82,6 @@ jobs:
|
||||
apt clean
|
||||
USER=`whoami`
|
||||
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
|
||||
tee ~/.sbuildrc > /dev/null <<EOT
|
||||
\$build_dir = '$GITHUB_WORKSPACE/deb-src';
|
||||
\$chroot_mode = 'unshare';
|
||||
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
|
||||
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
|
||||
EOT
|
||||
- name: Import GPG key
|
||||
timeout-minutes: 1
|
||||
id: gpg
|
||||
@ -94,11 +97,12 @@ jobs:
|
||||
run: |
|
||||
set -xe
|
||||
gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
rm -f ~/.gnupg/trustedkeys.gpg
|
||||
gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
|
||||
tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
|
||||
default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
tee -a ~/.gbp.conf > /dev/null <<EOT
|
||||
[buildpackage]
|
||||
sign-tags = True
|
||||
keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
@ -107,9 +111,32 @@ jobs:
|
||||
DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
|
||||
EOT
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 1;
|
||||
\$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
|
||||
\$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
|
||||
EOT
|
||||
- name: Configure sbuild
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
BUILD_DIR="$GITHUB_WORKSPACE/deb-src"
|
||||
mkdir -p "$BUILD_DIR"
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
\$verbose = 1;
|
||||
\$build_dir = '$BUILD_DIR';
|
||||
\$distribution = '${{ inputs.dist-version }}';
|
||||
#\$host_arch = '${{ inputs.arch }}';
|
||||
\$chroot_mode = 'unshare';
|
||||
\$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
|
||||
EOT
|
||||
tee -a ~/.sbuildrc > /dev/null <<EOT
|
||||
push @{\$unshare_mmdebstrap_extra_args}, "*", [
|
||||
'http://deb.debian.org/debian',
|
||||
'--variant=apt',
|
||||
'--keyring=/usr/share/keyrings/debian-keyring.gpg',
|
||||
'--components=main'
|
||||
];
|
||||
EOT
|
||||
- name: Install Rust / cargo
|
||||
timeout-minutes: 1
|
||||
run: |
|
||||
@ -129,7 +156,7 @@ jobs:
|
||||
set -xe
|
||||
git config --global user.email "${{ env.DEBFULLNAME }}"
|
||||
git config --global user.name "${{ env.DEBEMAIL }}"
|
||||
cd "$GITHUB_WORKSPACE/bcachefs-tools/"
|
||||
cd "$GITHUB_WORKSPACE/bcachefs-tools"
|
||||
CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))"
|
||||
PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))"
|
||||
NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')"
|
||||
@ -145,27 +172,28 @@ jobs:
|
||||
run: |
|
||||
set -xe
|
||||
. "$HOME/.cargo/env"
|
||||
cd "$GITHUB_WORKSPACE/bcachefs-tools/"
|
||||
cd "$GITHUB_WORKSPACE/bcachefs-tools"
|
||||
mkdir -p "$GITHUB_WORKSPACE/deb-src"
|
||||
# FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails
|
||||
gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ env.DIST }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any
|
||||
- name: Sign the source tarball
|
||||
gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ inputs.dist-version }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any
|
||||
- name: Ensure that all source artifacts are signed, or sign them
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
find "$GITHUB_WORKSPACE/deb-src/" -type f -name '*.tar.*' -exec gpg --verbose --detach-sign {} ';'
|
||||
- name: Ensure that source package is signed
|
||||
timeout-minutes: 1
|
||||
if: steps.gpg.conclusion != 'skipped'
|
||||
run: |
|
||||
set -xe
|
||||
dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes
|
||||
cd "$GITHUB_WORKSPACE/deb-src"
|
||||
find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
|
||||
echo 'Processing {}' && ( \
|
||||
gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \
|
||||
|| gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
|
||||
|| gpg --verbose --detach-sign {} \
|
||||
) \
|
||||
"
|
||||
- name: Archive source build artifacts
|
||||
timeout-minutes: 1
|
||||
run: |
|
||||
set -xe
|
||||
cd "$GITHUB_WORKSPACE/deb-src/"
|
||||
cd "$GITHUB_WORKSPACE/deb-src"
|
||||
tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" *
|
||||
- name: Attest the source-only .deb package artifact
|
||||
timeout-minutes: 1
|
||||
|
||||
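Review bot: The new "Configure sbuild" step passes `'--keyring=/usr/share/keyrings/debian-keyring.gpg'` to mmdebstrap, and the `apt install` line adds `${{ inputs.dist-name }}-keyring`, which resolves to `debian-keyring` here. As far as I know that package carries Debian developers' and maintainers' personal keys, while the archive signing keys ship in `debian-archive-keyring` as `/usr/share/keyrings/debian-archive-keyring.gpg`. Because the mirror is fetched over plain `http://deb.debian.org/debian`, this keyring is the only integrity check on the chroot bootstrap, so it should be the narrow archive keyring: `'--keyring=/usr/share/keyrings/debian-archive-keyring.gpg',`, with `debian-archive-keyring` installed alongside. Please confirm which keyring is intended; the debian branch of deb-buildd.yml uses the same option. Separately, the commented `#\$host_arch = '${{ inputs.arch }}';` line refers to an input this workflow does not declare.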
8
debian/control
vendored
@ -5,8 +5,8 @@ Priority: optional
|
||||
Standards-Version: 4.7.0
|
||||
Rules-Requires-Root: no
|
||||
Build-Depends: debhelper-compat (= 13),
|
||||
dh-dkms,
|
||||
cargo,
|
||||
dh-dkms,
|
||||
jq,
|
||||
libaio-dev,
|
||||
libblkid-dev,
|
||||
@ -17,11 +17,12 @@ Build-Depends: debhelper-compat (= 13),
|
||||
libscrypt-dev,
|
||||
libsodium-dev,
|
||||
libudev-dev,
|
||||
liburcu-dev,
|
||||
liburcu-dev (>= 0.15),
|
||||
libzstd-dev,
|
||||
pkgconf,
|
||||
python3-docutils,
|
||||
python3:native,
|
||||
rustc (>= 1.77),
|
||||
systemd-dev,
|
||||
uuid-dev,
|
||||
zlib1g-dev,
|
||||
@ -46,7 +47,8 @@ Description: bcachefs userspace tools
|
||||
|
||||
Package: bcachefs-kernel-dkms
|
||||
Architecture: linux-any
|
||||
Depends: ${shlibs:Depends}, ${misc:Depends},
|
||||
Section: kernel
|
||||
Depends: ${misc:Depends},
|
||||
initramfs-tools | linux-initramfs-tool,
|
||||
linux-headers-amd64 [amd64],
|
||||
linux-headers-arm64 [arm64],
|
||||
|
||||
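Review bot: `bcachefs-kernel-dkms` still lists `linux-headers-amd64 [amd64]` and `linux-headers-arm64 [arm64]` in `Depends`, while this commit starts building the package for Ubuntu questing and plucky. Those are Debian metapackage names; as far as I know Ubuntu does not ship packages by those names, which would leave the DKMS package uninstallable there. If so, an alternative such as `linux-headers-amd64 [amd64] | linux-headers-generic [amd64]` would be needed, or a substitution variable filled per distribution. The `Depends` field continues past the end of the hunk, so this may already be handled in lines not shown.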