-
Notifications
You must be signed in to change notification settings - Fork 3
181 lines (153 loc) · 7.03 KB
/
apt.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
name: Aptly Publish to S3
on:
release:
types: [published]
workflow_dispatch:
jobs:
aptly-publish:
runs-on: ubuntu-latest
env:
APTLY_CONFIG: /tmp/aptly.conf
S3_BUCKET: magalu-apt
S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY_ID }}
S3_SECRET_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
S3_ENDPOINT: br-se1.magaluobjects.com
S3_REGION: us-east-1 # For S3-compatible storage, often a placeholder region like us-east-1 works
APTLY_REPO_NAME: mgccli
DIST_NAME: stable
COMPONENT_NAME: main
GPG_FINGERPRINT: ${{ secrets.MAGALUBOT_GPG_FINGERPRINT }}
steps:
- name: Checkout Repository
uses: actions/checkout@v3
- name: Setup Aptly
run: |
sudo apt-get update
sudo apt-get install -y aptly
# Create Aptly config
cat > $APTLY_CONFIG << EOF
{
"rootDir": "/tmp/aptly",
"downloadConcurrency": 4,
"downloadSpeedLimit": 0,
"architectures": ["amd64", "arm64"],
"dependencyFollowSuggests": false,
"dependencyFollowRecommends": false,
"dependencyFollowAllVariants": false,
"dependencyFollowSource": false,
"dependencyVerboseResolve": false,
"gpgDisableSign": false,
"gpgDisableVerify": false,
"downloadSourcePackages": false,
"ppaDistributorID": "ubuntu",
"ppaCodename": "",
"S3PublishEndpoints": {
"my-s3": {
"region": "$S3_REGION",
"bucket": "$S3_BUCKET",
"awsAccessKeyID": "$S3_ACCESS_KEY",
"awsSecretAccessKey": "$S3_SECRET_KEY",
"endpoint": "$S3_ENDPOINT",
"s3ForcePathStyle": true,
"acl": "public-read",
"storageClass": "STANDARD",
"encryptionMethod": "",
"plusWorkaround": false,
"disableMultiDel": false,
"forceSigV2": false,
"debug": true
}
}
}
EOF
- name: Download GitHub Release Assets
run: |
mkdir -p /tmp/debs/amd64 /tmp/debs/arm64
api_response=$(curl -s \
"https://api.github.com/repos/${{ github.repository }}/releases/latest")
RELEASE_TAG=$(echo "$api_response" | jq -r .tag_name)
assets_url=$(echo "$api_response" | jq -r .assets_url)
echo "Processing release $RELEASE_TAG"
echo "Assets URL: $assets_url"
# Download amd64 .deb file
amd64_asset=$(curl -s $assets_url | jq -r '.[] | select(.name | endswith("_linux_amd64.deb")) | .browser_download_url')
if [ -n "$amd64_asset" ]; then
echo "Downloading AMD64 package: $amd64_asset"
curl -L -o "/tmp/debs/amd64/$(basename $amd64_asset)" "$amd64_asset"
else
echo "No AMD64 .deb package found in release"
exit 1
fi
# Download arm64 .deb file
arm64_asset=$(curl -s $assets_url | jq -r '.[] | select(.name | endswith("_linux_arm64.deb")) | .browser_download_url')
if [ -n "$arm64_asset" ]; then
echo "Downloading ARM64 package: $arm64_asset"
curl -L -o "/tmp/debs/arm64/$(basename $arm64_asset)" "$arm64_asset"
else
echo "No ARM64 .deb package found in release"
exit 1
fi
# Verify downloads
echo "Downloaded packages:"
find /tmp/debs -name "*.deb" | sort
- name: Set up GPG
run: |
# Create .gnupg directory with appropriate permissions
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# Set stricter permissions on GPG home directory
echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo "batch" >> ~/.gnupg/gpg.conf
echo "no-tty" >> ~/.gnupg/gpg.conf
# Import public key first
echo "${{ secrets.MAGALUBOT_GPG_PUBLIC_KEY }}" | gpg --import --batch
# Import private key using temp file to avoid stdin issues
GPG_PRIV_KEY_FILE=$(mktemp)
echo "${{ secrets.MAGALUBOT_GPG_PRIVATE_KEY }}" > "$GPG_PRIV_KEY_FILE"
chmod 600 "$GPG_PRIV_KEY_FILE"
# Import private key with passphrase
cat "$GPG_PRIV_KEY_FILE" | gpg --batch --import --passphrase "${{ secrets.MAGALUBOT_GPG_PASSPHRASE }}" 2>/dev/null
# Clean up temp file
rm -f "$GPG_PRIV_KEY_FILE"
# Set key to ultimately trusted
echo -e "5\ny\n" | gpg --command-fd 0 --batch --no-tty --edit-key "$GPG_FINGERPRINT" trust
# List imported keys for verification
gpg --list-secret-keys
# Properly configure GPG agent
gpgconf --kill gpg-agent || true
gpg-connect-agent /bye
# Test key signing to ensure functionality
echo "Testing GPG signing capability..."
echo "test" | gpg --batch --yes --passphrase "${{ secrets.MAGALUBOT_GPG_PASSPHRASE }}" --pinentry-mode loopback -s -o /dev/null
# Verify the GPG agent is properly configured for aptly
echo "export GPG_TTY=$(tty)" >> ~/.bashrc
echo "export GPG_TTY=$(tty)" >> $GITHUB_ENV
- name: Create and Update Aptly Repository
run: |
# Create repo if it doesn't exist
aptly -config=$APTLY_CONFIG repo list | grep -q "^$APTLY_REPO_NAME\$" || aptly -config=$APTLY_CONFIG repo create -component=$COMPONENT_NAME -distribution=$DIST_NAME $APTLY_REPO_NAME
# Add amd64 .deb files to repo
if [ -n "$(ls -A /tmp/debs/amd64)" ]; then
echo "Adding AMD64 packages to repository"
aptly -config=$APTLY_CONFIG repo add -force-replace $APTLY_REPO_NAME /tmp/debs/amd64/
fi
# Add arm64 .deb files to repo
if [ -n "$(ls -A /tmp/debs/arm64)" ]; then
echo "Adding ARM64 packages to repository"
aptly -config=$APTLY_CONFIG repo add -force-replace $APTLY_REPO_NAME /tmp/debs/arm64/
fi
# Create a snapshot with version tag
RELEASE_TAG="${{ github.event.release.tag_name }}"
SNAPSHOT_NAME="${APTLY_REPO_NAME}-${RELEASE_TAG}"
echo "Creating snapshot: $SNAPSHOT_NAME"
aptly -config=$APTLY_CONFIG snapshot create $SNAPSHOT_NAME from repo $APTLY_REPO_NAME
# Check if already published
ALREADY_PUBLISHED=$(aptly -config=$APTLY_CONFIG publish list | grep -q "s3:my-s3:" && echo "yes" || echo "no")
if [ "$ALREADY_PUBLISHED" = "yes" ]; then
echo "Repository already published, switching to new snapshot"
aptly -config=$APTLY_CONFIG publish switch -batch=true -gpg-key="$GPG_FINGERPRINT" $DIST_NAME s3:my-s3: $SNAPSHOT_NAME
else
echo "First-time publishing repository"
aptly -config=$APTLY_CONFIG publish snapshot -batch=true -gpg-key="$GPG_FINGERPRINT" -architectures="amd64,arm64" $SNAPSHOT_NAME s3:my-s3:
fi