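---
# Reusable workflow: takes the artifacts produced earlier in the calling run,
# checks that every one of them is signed, builds a reprepro repository per
# distribution and publishes it over sshfs to the apt.bcachefs.org host.
#
# "on" is a YAML 1.1 boolean key; GitHub's loader handles it, so silence yamllint.
# yamllint disable-line rule:truthy
on:
  workflow_call:
    # All five secrets are mandatory for callers.
    secrets:
      # Private key material handed to ghaction-import-gpg (gpg_private_key).
      GPG_SECRET_SUBKEYS:
        required: true
      # Fingerprint of the signing subkey; configured as the default key for
      # gpg, git-buildpackage, debsign and reprepro below.
      GPG_SIGNING_SUBKEY_FINGERPRINT:
        required: true
      # Keygrip of the subkey that gpg-agent is told to expose over ssh.
      GPG_AUTH_SUBKEY_KEYGRIP:
        required: true
      # sshfs source for the publishing host; "/uploads" is appended to it.
      SSH_HOST:
        required: true
      # Host key lines for that host, appended to /etc/ssh/ssh_known_hosts.
      SSH_SERVER_KEYS:
        required: true

jobs:
  linux:
    # Only one run at a time may touch the shared remote repository.
    concurrency: apt.bcachefs.org
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` block is declared, so the job inherits the
    # caller's GITHUB_TOKEN scope; restrict it to what these steps need.
    container:
      image: debian:unstable-slim
      # SYS_ADMIN, unconfined AppArmor and /dev/fuse are required to mount
      # sshfs (FUSE) inside the container; /tmp (where apt's cache is pointed
      # below) and the workspace are tmpfs.
      options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
    env:
      # Tag pushes publish to the "release" suite, everything else to "snapshot".
      SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}
    steps:
      - name: Install necessary packages
        timeout-minutes: 1
        run: |
          set -xe
          # dpkg: skip fsync; the container is throwaway, so durability is irrelevant.
          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
          force-unsafe-io
          EOT
          # apt: keep downloaded archives and template scratch space on the /tmp tmpfs.
          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
          Dir::Cache::Archives "/tmp/apt/archives";
          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
          EOT
          mkdir -p /tmp/apt/archives
          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
          Acquire::Retries "10";
          EOT
          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
          APT::Install-Recommends "false";
          EOT
          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
          APT::Install-Suggests "false";
          EOT
          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
          APT::Get::Assume-Yes "true";
          EOT
          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
          APT::Get::Fix-Missing "true";
          EOT
          # Replace whatever sources the image ships with by plain unstable/main.
          rm -rf /var/lib/apt/lists/*
          rm -rf /etc/apt/sources.list*
          tee /etc/apt/sources.list > /dev/null <<EOT
          deb http://deb.debian.org/debian unstable main
          EOT
          apt update
          apt full-upgrade
          apt install \
            devscripts \
            gettext-base \
            git \
            gnupg \
            gpg-agent \
            openssh-client \
            pandoc \
            reprepro \
            sshfs \
            tar \
            xz-utils \
            zip
          apt clean
      - name: Pre-Configure gpg-agent / ssh
        timeout-minutes: 1
        env:
          # Passed through the environment rather than expanded into the script
          # text, so the (multi-line) value can never alter the shell script.
          SSH_SERVER_KEYS: ${{ secrets.SSH_SERVER_KEYS }}
        run: |
          set -xe
          mkdir -p ~/.gnupg ~/.ssh
          # Let gpg-agent act as the ssh agent for the subkey imported later.
          echo "" >> ~/.gnupg/gpg-agent.conf
          echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
          gpgconf --kill gpg-agent
          gpgconf --launch gpg-agent
          # Hand the agent socket to every later step via GITHUB_ENV.
          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          # System-wide known_hosts entry for the publishing host (host key pinning).
          echo "" >> /etc/ssh/ssh_known_hosts
          printf '%s\n' "$SSH_SERVER_KEYS" >> /etc/ssh/ssh_known_hosts
      - name: Import GPG key
        timeout-minutes: 1
        id: gpg
        # Skipped for pull requests (presumably because secrets are not
        # available there); every signing-related step below keys off this
        # step's conclusion.
        if: github.event_name != 'pull_request'
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          # Ultimate trust for our own signing key.
          trust_level: 5
      - name: Finish configuring gpg-agent / ssh
        timeout-minutes: 1
        if: steps.gpg.conclusion != 'skipped'
        env:
          GPG_AUTH_SUBKEY_KEYGRIP: ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }}
        run: |
          set -xe
          # Mark the authentication subkey as usable through the ssh agent.
          gpg-connect-agent "keyattr $GPG_AUTH_SUBKEY_KEYGRIP Use-for-ssh: true" /bye
      - name: Configure GPG
        timeout-minutes: 1
        if: steps.gpg.conclusion != 'skipped'
        env:
          GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
        run: |
          set -xe
          # Public half of the signing key: copied into the repository for apt
          # clients, and the only key trusted when verifying incoming artifacts.
          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export "$GPG_SIGNING_SUBKEY_FINGERPRINT"
          rm -f ~/.gnupg/trustedkeys.gpg
          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
          # Make it the default key for gpg, git-buildpackage and debsign.
          tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
          default-key $GPG_SIGNING_SUBKEY_FINGERPRINT
          EOT
          tee -a ~/.gbp.conf > /dev/null <<EOT
          [buildpackage]
          sign-tags = True
          keyid = $GPG_SIGNING_SUBKEY_FINGERPRINT
          EOT
          tee -a ~/.devscripts > /dev/null <<EOT
          DEBSIGN_KEYID=$GPG_SIGNING_SUBKEY_FINGERPRINT
          EOT
      - name: Fetch our git repository
        timeout-minutes: 1
        # NOTE(review): pinned by tag only, unlike ghaction-import-gpg above;
        # pinning to a commit SHA gives the same supply-chain guarantee (the
        # same applies to download-artifact below).
        uses: actions/checkout@v4
        with:
          path: 'bcachefs-tools'
      - name: Download all artifacts
        timeout-minutes: 1
        uses: actions/download-artifact@v5
        with:
          path: packed-artifacts
      - name: Unpack all artifacts
        timeout-minutes: 1
        run: |
          set -xe
          # Source artifacts (artifact-src.tar) and binary artifacts (all other
          # *.tar) are unpacked into separate trees. -delete only runs when the
          # tar extraction succeeded, and removing the source tarball first
          # keeps it out of the second find.
          SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts"
          mkdir -p "$SRC_DIR"
          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete
          BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts"
          mkdir -p "$BIN_DIR"
          find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete
          rm -rf "$GITHUB_WORKSPACE/packed-artifacts"
      - name: Ensure that all incoming artifacts are signed
        timeout-minutes: 1
        # Skipped when no key was imported (pull requests); nothing is
        # published in that case because SSH_HOST is empty as well.
        if: steps.gpg.conclusion != 'skipped'
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/incoming"
          # A file passes if it is itself a signed document or has a detached
          # .sig next to it, verified against the trusted key only. Filenames
          # are passed as positional arguments, never spliced into the script
          # text, so an unusual artifact name cannot change what is executed.
          # xargs exits 123 when any batch fails, which aborts the step.
          find . -type f -not -iname '*.sig' -print0 | xargs --null sh -c '
            rc=0
            for f in "$@"; do
              echo "Processing $f"
              if gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f" \
                || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f.sig"; then
                echo "Processing $f: ok"
              else
                echo "Processing $f: NOT SIGNED!"
                rc=1
              fi
            done
            exit $rc
          ' sh
      - name: Create and populate repos
        timeout-minutes: 60
        env:
          SSH_HOST: ${{ secrets.SSH_HOST }}
          # Also read by envsubst when rendering the README below.
          GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
        run: |
          set -xe
          ls -lahR
          MOUNTPOINT="$GITHUB_WORKSPACE/remotefs"
          mkdir -p "$MOUNTPOINT"
          # Without SSH_HOST (e.g. a pull request) the repository is only built locally.
          if [ -n "$SSH_HOST" ]; then
            # Left unquoted so word splitting still applies to the value;
            # NOTE(review): quote it once SSH_HOST is confirmed to be a plain
            # [user@]host: prefix with no extra arguments.
            sshfs $SSH_HOST/uploads "$MOUNTPOINT"
          fi
          REPO_ROOT="$MOUNTPOINT/public_html"
          mkdir -p "$REPO_ROOT"
          if [ "${{ steps.gpg.conclusion }}" != "skipped" ]; then
            cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT"
          fi
          # The landing page is regenerated only on pushes to master.
          if [ "${{ (github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'master') && 'true' || 'false' }}" = "true" ]; then
            envsubst < "$GITHUB_WORKSPACE/bcachefs-tools/doc/apt.bcachefs.org-README.md" | pandoc --from=markdown --to=html --output="$REPO_ROOT/.footer/README"
          fi
          cd "$GITHUB_WORKSPACE/incoming/bin-artifacts"
          # One reprepro repository per distribution directory. The loop body is
          # deliberately not indented: the heredoc terminators and the reprepro
          # conf lines must start in the first column.
          for DIST in *
          do
          SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST"
          cd "$SRCDIR"
          REPO="$REPO_ROOT/$DIST"
          mkdir -p "$REPO/conf/distributions"
          # SignWith signs the exported indexes; Uploaders restricts accepted
          # .changes files to those signed by the same key (conf/uploaders).
          tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT
          Codename: bcachefs-tools-$SUITE
          Architectures: source amd64 arm64
          Components: main
          Contents:
          Origin: apt.bcachefs.org
          Label: apt.bcachefs.org Packages
          Description: bcachefs APT repository
          SignWith: $GPG_SIGNING_SUBKEY_FINGERPRINT
          Signed-By: $GPG_SIGNING_SUBKEY_FINGERPRINT
          Uploaders: uploaders
          EOT
          tee "$REPO/conf/uploaders" > /dev/null <<EOT
          allow * by key $GPG_SIGNING_SUBKEY_FINGERPRINT
          EOT
          tee "$REPO/conf/options" > /dev/null <<EOT
          verbose
          ignore longkeyid
          EOT
          # --ignore=wrongdistribution: the .changes files presumably name a
          # different distribution than bcachefs-tools-$SUITE.
          reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes
          for f in "$SRCDIR"/*/*.changes
          do
            reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$f"
          done
          reprepro --basedir "$REPO" createsymlinks
          reprepro --basedir "$REPO" export
          done
          # Best effort: a failed unmount must not fail the job.
          umount "$MOUNTPOINT" || /bin/true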