bcachefs-tools/.github/workflows/deb-buildd.yml

on:
  workflow_call:
    inputs:
      deb-src-artifact-id:
        required: true
        type: string
      runs-on:
        required: true
        type: string
      arch:
        required: true
        type: string
      dist-name:
        required: true
        type: string
      dist-version:
        required: true
        type: string
    secrets:
      GPG_SECRET_SUBKEYS:
      GPG_SIGNING_SUBKEY_FINGERPRINT:

jobs:
  linux:
    runs-on: ${{ inputs.runs-on }}
    container:
      image: debian:unstable-slim
      options: --privileged --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}
    env:
      DEBFULLNAME: apt.bcachefs.org CI bot
      DEBEMAIL: linux-bcachefs@vger.kernel.org
      DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}"
    permissions:
      id-token: write
      contents: read
      attestations: write
    steps:
      - name: Install necessary packages
        timeout-minutes: 1
        run: |
          set -xe
          tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT
          force-unsafe-io
          EOT
          tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT
          Dir::Cache::Archives "/tmp/apt/archives";
          APT::ExtractTemplates::TempDir "/tmp/apt/temp";
          EOT
          mkdir -p /tmp/apt/archives
          tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT
          Acquire::Retries "10";
          EOT
          tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT
          APT::Install-Recommends "false";
          EOT
          tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT
          APT::Install-Suggests "false";
          EOT
          tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT
          APT::Get::Assume-Yes "true";
          EOT
          tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT
          APT::Get::Fix-Missing "true";
          EOT
          rm -rf /var/lib/apt/lists/*
          rm -rf /etc/apt/sources.list*
          tee /etc/apt/sources.list > /dev/null <<EOT
          deb http://deb.debian.org/debian unstable main
          EOT
          apt update
          apt full-upgrade
          apt install \
            ${{ inputs.dist-name }}-keyring \
            autopkgtest \
            curl \
            devscripts \
            dosfstools \
            e2fsprogs \
            fakemachine \
            fdisk \
            gpg \
            iproute2 \
            libarchive13 \
            mmdebstrap \
            mtools \
            ovmf \
            qemu-efi-aarch64 \
            qemu-utils \
            sbuild \
            sudo \
            systemd-boot-efi \
            tar \
            uidmap \
            xz-utils \
            zerofree \
            zip \
          ;
          apt clean
          USER=`whoami`
          sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
      - name: Import GPG key
        timeout-minutes: 1
        id: gpg
        if: github.event_name != 'pull_request'
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }}
          fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          trust_level: 5
      - name: Configure GPG
        timeout-minutes: 1
        if: steps.gpg.conclusion != 'skipped'
        run: |
          set -xe
          gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          rm -f ~/.gnupg/trustedkeys.gpg
          gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc
          tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT
          default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          EOT
          tee -a ~/.gbp.conf > /dev/null <<EOT
          [buildpackage]
          sign-tags = True
          keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          EOT
          tee -a ~/.devscripts > /dev/null <<EOT
          DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
          EOT
          tee -a ~/.sbuildrc > /dev/null <<EOT
          \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}';
          \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign'];
          EOT
      - name: Configure sbuild
        timeout-minutes: 1
        run: |
          set -xe
          BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}"
          echo "BUILD_DIR=$(echo ${BUILD_DIR})" >> $GITHUB_ENV
          mkdir -p "$BUILD_DIR"
          tee -a ~/.sbuildrc > /dev/null <<EOT
          \$verbose = 1;
          \$build_dir = '$BUILD_DIR';
          \$distribution = '${{ inputs.dist-version }}';
          #\$host_arch = '${{ inputs.arch }}';
          \$chroot_mode = 'unshare';
          \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX';
          \$run_lintian = 1;
          \$run_piuparts = 0;
          \$run_autopkgtest = 0;
          push @{\$unshare_mmdebstrap_extra_args}, "*", [
            '--variant=apt'
          ];
          EOT
          if [ "${{ inputs.dist-name }}" = "debian" ];
          then
          MIRROR="http://deb.debian.org/debian"
          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ];
          then
          MIRROR="http://archive.ubuntu.com/ubuntu"
          elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ];
          then
          MIRROR="http://ports.ubuntu.com/ubuntu-ports"
          else
          exit 1
          fi
          if [ "${{ inputs.dist-name }}" = "debian" ];
          then
          KEYRING="/usr/share/keyrings/debian-keyring.gpg"
          elif [ "${{ inputs.dist-name }}" = "ubuntu" ];
          then
          KEYRING="/usr/share/keyrings/ubuntu-archive-keyring.gpg"
          else
          exit 1
          fi
          echo "MIRROR=$(echo ${MIRROR})" >> $GITHUB_ENV
          if [ "${{ inputs.dist-name }}" = "debian" ];
          then
          tee -a ~/.sbuildrc > /dev/null <<EOT
          push @{\$unshare_mmdebstrap_extra_args}, "*", [
            '$MIRROR',
            '--keyring=$KEYRING',
            '--components=main'
          ];
          EOT
          fi
          if [ "${{ inputs.dist-name }}" = "debian" ] && [ "${{ inputs.dist-version }}" != "unstable" ];
          then
          tee -a ~/.sbuildrc > /dev/null <<EOT
          \$extra_repositories = [
            'deb $MIRROR ${{ inputs.dist-version }}-updates main',
            'deb $MIRROR ${{ inputs.dist-version }}-backports main'
          ];
          EOT
          fi
          if [ "${{ inputs.dist-name }}" = "ubuntu" ];
          then
          tee -a ~/.sbuildrc > /dev/null <<EOT
          push @{\$unshare_mmdebstrap_extra_args}, "*", [
            '$MIRROR',
            '--keyring=$KEYRING',
            '--components=main,universe'
          ];
          \$extra_repositories = [
            'deb $MIRROR ${{ inputs.dist-version }}-updates main universe',
            'deb $MIRROR ${{ inputs.dist-version }}-security main universe',
            'deb $MIRROR ${{ inputs.dist-version }}-backports main universe',
          ];
          EOT
          fi
      - name: Download source-only .deb to be built
        timeout-minutes: 1
        uses: actions/download-artifact@v5
        with:
          artifact-ids: ${{ inputs.deb-src-artifact-id }}
          path: deb-src
      - name: Unpack the downloaded tarball
        timeout-minutes: 1
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/deb-src"
          tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
          rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar"
      - name: Ensure that all incoming source artifacts are signed
        timeout-minutes: 1
        if: steps.gpg.conclusion != 'skipped'
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/deb-src"
          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
               echo 'Processing {}' \
            && ( \
                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
              || (echo 'Processing {}: NOT SIGNED!' && exit 1) \
            ) \
            && echo 'Processing {}: ok' \
          "
      - name: Build the package
        timeout-minutes: 10
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/deb-bin"
          if [ "${{ inputs.dist-name }}" = "ubuntu" ];
          then
          export DEB_BUILD_OPTIONS=noautodbgsym
          fi
          sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc
      - name: Ensure that all binary artifacts are signed, or sign them
        timeout-minutes: 1
        if: steps.gpg.conclusion != 'skipped'
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/deb-bin"
          find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\
            echo 'Processing {}' && ( \
                 gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}     \
              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \
              || gpg --verbose --detach-sign {}                                                        \
            ) \
          "
      - name: Archive build artifacts
        timeout-minutes: 1
        run: |
          set -xe
          cd "$GITHUB_WORKSPACE/deb-bin"
          tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" *
      - name: Attest build artifact
        timeout-minutes: 1
        if: github.event_name != 'pull_request'
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: '${{ github.workspace }}/deb-bin'
      - name: Upload build artifact archive
        timeout-minutes: 1
        id: deb-bin-upload
        uses: actions/upload-artifact@v4
        with:
          name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar
          path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar'
          if-no-files-found: error
          compression-level: 0
      - name: Attest uploaded build artifact
        timeout-minutes: 1
        if: github.event_name != 'pull_request'
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip
          subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }}
      - name: Build Qemu image for autopkgtest
        timeout-minutes: 2
        id: qemu-image
        if: inputs.dist-name == 'debian' && inputs.dist-version != 'trixie' && inputs.arch == 'amd64'
        run: |
          set -xe
          IMAGE="/tmp/autopkgtest-qemu-image.qcow2"
          echo "IMAGE=$(echo ${IMAGE})" >> $GITHUB_ENV
          mmdebstrap-autopkgtest-build-qemu --boot=efi --mirror "${{ env.MIRROR }}" "${{ inputs.dist-version }}" "$IMAGE"
      - name: Run autopkgtest
        timeout-minutes: 10
        if: steps.qemu-image.conclusion != 'skipped'
        run: |
          set -xe
          autopkgtest --no-built-binaries --apt-upgrade "$GITHUB_WORKSPACE/deb-src"/*.dsc "${{ env.BUILD_DIR }}"/*.changes -- autopkgtest-virt-qemu --qemu-options="-smp $(nproc --all)" --boot=efi "${{ env.IMAGE }}"