Aptly Publish to S3 #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Aptly Publish to S3 | |
| on: | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| jobs: | |
| aptly-publish: | |
| runs-on: ubuntu-latest | |
| env: | |
| APTLY_CONFIG: /tmp/aptly.conf | |
| S3_BUCKET: magalu-apt | |
| S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY_ID }} | |
| S3_SECRET_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }} | |
| S3_ENDPOINT: br-se1.magaluobjects.com | |
| S3_REGION: us-east-1 # For S3-compatible storage, often a placeholder region like us-east-1 works | |
| APTLY_REPO_NAME: mgccli | |
| DIST_NAME: stable | |
| COMPONENT_NAME: main | |
| GPG_FINGERPRINT: ${{ secrets.MAGALUBOT_GPG_FINGERPRINT }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v3 | |
| - name: Setup Aptly | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y aptly | |
| # Create Aptly config | |
| cat > $APTLY_CONFIG << EOF | |
| { | |
| "rootDir": "/tmp/aptly", | |
| "downloadConcurrency": 4, | |
| "downloadSpeedLimit": 0, | |
| "architectures": ["amd64", "arm64"], | |
| "dependencyFollowSuggests": false, | |
| "dependencyFollowRecommends": false, | |
| "dependencyFollowAllVariants": false, | |
| "dependencyFollowSource": false, | |
| "dependencyVerboseResolve": false, | |
| "gpgDisableSign": false, | |
| "gpgDisableVerify": false, | |
| "downloadSourcePackages": false, | |
| "ppaDistributorID": "ubuntu", | |
| "ppaCodename": "", | |
| "S3PublishEndpoints": { | |
| "my-s3": { | |
| "region": "$S3_REGION", | |
| "bucket": "$S3_BUCKET", | |
| "awsAccessKeyID": "$S3_ACCESS_KEY", | |
| "awsSecretAccessKey": "$S3_SECRET_KEY", | |
| "endpoint": "$S3_ENDPOINT", | |
| "s3ForcePathStyle": true, | |
| "acl": "public-read", | |
| "storageClass": "STANDARD", | |
| "encryptionMethod": "", | |
| "plusWorkaround": false, | |
| "disableMultiDel": false, | |
| "forceSigV2": false, | |
| "debug": true | |
| } | |
| } | |
| } | |
| EOF | |
| - name: Download GitHub Release Assets | |
| run: | | |
| mkdir -p /tmp/debs/amd64 /tmp/debs/arm64 | |
| api_response=$(curl -s \ | |
| "https://api.github.com/repos/${{ github.repository }}/releases/latest") | |
| RELEASE_TAG=$(echo "$api_response" | jq -r .tag_name) | |
| assets_url=$(echo "$api_response" | jq -r .assets_url) | |
| echo "Processing release $RELEASE_TAG" | |
| echo "Assets URL: $assets_url" | |
| # Download amd64 .deb file | |
| amd64_asset=$(curl -s $assets_url | jq -r '.[] | select(.name | endswith("_linux_amd64.deb")) | .browser_download_url') | |
| if [ -n "$amd64_asset" ]; then | |
| echo "Downloading AMD64 package: $amd64_asset" | |
| curl -L -o "/tmp/debs/amd64/$(basename $amd64_asset)" "$amd64_asset" | |
| else | |
| echo "No AMD64 .deb package found in release" | |
| exit 1 | |
| fi | |
| # Download arm64 .deb file | |
| arm64_asset=$(curl -s $assets_url | jq -r '.[] | select(.name | endswith("_linux_arm64.deb")) | .browser_download_url') | |
| if [ -n "$arm64_asset" ]; then | |
| echo "Downloading ARM64 package: $arm64_asset" | |
| curl -L -o "/tmp/debs/arm64/$(basename $arm64_asset)" "$arm64_asset" | |
| else | |
| echo "No ARM64 .deb package found in release" | |
| exit 1 | |
| fi | |
| # Verify downloads | |
| echo "Downloaded packages:" | |
| find /tmp/debs -name "*.deb" | sort | |
| - name: Set up GPG | |
| run: | | |
| # Create .gnupg directory with appropriate permissions | |
| mkdir -p ~/.gnupg | |
| chmod 700 ~/.gnupg | |
| # Set stricter permissions on GPG home directory | |
| echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf | |
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | |
| echo "batch" >> ~/.gnupg/gpg.conf | |
| echo "no-tty" >> ~/.gnupg/gpg.conf | |
| # Import public key first | |
| echo "${{ secrets.MAGALUBOT_GPG_PUBLIC_KEY }}" | gpg --import --batch | |
| # Import private key using temp file to avoid stdin issues | |
| GPG_PRIV_KEY_FILE=$(mktemp) | |
| echo "${{ secrets.MAGALUBOT_GPG_PRIVATE_KEY }}" > "$GPG_PRIV_KEY_FILE" | |
| chmod 600 "$GPG_PRIV_KEY_FILE" | |
| # Import private key with passphrase | |
| cat "$GPG_PRIV_KEY_FILE" | gpg --batch --import --passphrase "${{ secrets.MAGALUBOT_GPG_PASSPHRASE }}" 2>/dev/null | |
| # Clean up temp file | |
| rm -f "$GPG_PRIV_KEY_FILE" | |
| # Set key to ultimately trusted | |
| echo -e "5\ny\n" | gpg --command-fd 0 --batch --no-tty --edit-key "$GPG_FINGERPRINT" trust | |
| # List imported keys for verification | |
| gpg --list-secret-keys | |
| # Set GPG_KEY_ID for later use | |
| echo "GPG_KEY_ID=$GPG_FINGERPRINT" >> $GITHUB_ENV | |
| # Properly configure GPG agent | |
| gpgconf --kill gpg-agent || true | |
| gpg-connect-agent /bye | |
| # Test key signing to ensure functionality | |
| echo "Testing GPG signing capability..." | |
| echo "test" | gpg --batch --yes --passphrase "${{ secrets.MAGALUBOT_GPG_PASSPHRASE }}" --pinentry-mode loopback -s -o /dev/null | |
| # Verify the GPG agent is properly configured for aptly | |
| echo "export GPG_TTY=$(tty)" >> ~/.bashrc | |
| echo "export GPG_TTY=$(tty)" >> $GITHUB_ENV | |
| - name: Create and Update Aptly Repository | |
| run: | | |
| # Create repo if it doesn't exist | |
| aptly -config=$APTLY_CONFIG repo list | grep -q "^$APTLY_REPO_NAME\$" || aptly -config=$APTLY_CONFIG repo create -component=$COMPONENT_NAME -distribution=$DIST_NAME $APTLY_REPO_NAME | |
| # Add amd64 .deb files to repo | |
| if [ -n "$(ls -A /tmp/debs/amd64)" ]; then | |
| echo "Adding AMD64 packages to repository" | |
| aptly -config=$APTLY_CONFIG repo add -force-replace $APTLY_REPO_NAME /tmp/debs/amd64/ | |
| fi | |
| # Add arm64 .deb files to repo | |
| if [ -n "$(ls -A /tmp/debs/arm64)" ]; then | |
| echo "Adding ARM64 packages to repository" | |
| aptly -config=$APTLY_CONFIG repo add -force-replace $APTLY_REPO_NAME /tmp/debs/arm64/ | |
| fi | |
| # Create a snapshot with version tag | |
| RELEASE_TAG="${{ github.event.release.tag_name }}" | |
| SNAPSHOT_NAME="${APTLY_REPO_NAME}-${RELEASE_TAG}" | |
| echo "Creating snapshot: $SNAPSHOT_NAME" | |
| aptly -config=$APTLY_CONFIG snapshot create $SNAPSHOT_NAME from repo $APTLY_REPO_NAME | |
| # Check if already published | |
| ALREADY_PUBLISHED=$(aptly -config=$APTLY_CONFIG publish list | grep -q "s3:my-s3:" && echo "yes" || echo "no") | |
| if [ "$ALREADY_PUBLISHED" = "yes" ]; then | |
| echo "Repository already published, switching to new snapshot" | |
| if [ -n "$GPG_KEY_ID" ]; then | |
| aptly -config=$APTLY_CONFIG publish switch -batch=true -gpg-key="$GPG_KEY_ID" $DIST_NAME s3:my-s3: $SNAPSHOT_NAME | |
| else | |
| aptly -config=$APTLY_CONFIG publish switch -batch=true -skip-signing=true $DIST_NAME s3:my-s3: $SNAPSHOT_NAME | |
| fi | |
| else | |
| echo "First-time publishing repository" | |
| if [ -n "$GPG_KEY_ID" ]; then | |
| aptly -config=$APTLY_CONFIG publish snapshot -batch=true -gpg-key="$GPG_KEY_ID" -architectures="amd64,arm64" $SNAPSHOT_NAME s3:my-s3: | |
| else | |
| aptly -config=$APTLY_CONFIG publish snapshot -batch=true -skip-signing=true -architectures="amd64,arm64" $SNAPSHOT_NAME s3:my-s3: | |
| fi | |
| fi |