Add repo publishing #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Create apt repo" | |
"on": # TODO: This needs to also become a cron for the nightly function to make sense | |
push: | |
pull_request: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
name: Build debs | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
category: | |
- name: stable | |
ref: 1.3.0 # Previous stable branch + backport | |
# ref: v1.4.0 # Future stables should probably use release tags | |
- name: nightly | |
ref: master | |
os: | |
- ubuntu-22.04 # Upstream LTS support ends 2027. | |
- ubuntu-24.04 # Upstream LTS support ends 2029. | |
- debian-12 # Upstream LTS support ends 2028. | |
target: | |
- name: x86_64-unknown-linux-gnu | |
debian-name: amd64 | |
- name: aarch64-unknown-linux-gnu | |
debian-name: arm64 | |
exclude: # Nightlies are only for latest versions | |
- category: {name: nightly} | |
os: ubuntu-22.04 | |
steps: | |
# Step 0. Pick up the stable or nightly source | |
- name: Checkout Kanidm | |
uses: actions/checkout@v4 | |
with: | |
repository: "kanidm/kanidm" | |
ref: "${{ matrix.category.ref }}" | |
submodules: false | |
# Overlay the latest packaging tools instead of using the submodule reference which is intended for human use. | |
- name: Checkout packaging tools | |
uses: actions/checkout@v4 | |
with: | |
path: platform/debian/kanidm_ppa_automation | |
- name: Amend PATH | |
run: | | |
mkdir "${HOME}/bin" | |
echo "${HOME}/bin" >> $GITHUB_PATH | |
# Step 0.5. Get a bunch of tools and dependencies | |
- name: Install UBI | |
shell: bash | |
run: | | |
curl --silent --location \ | |
https://raw.githubusercontent.com/houseabsolute/ubi/master/bootstrap/bootstrap-ubi.sh | | |
sh | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install cross with UBI | |
shell: bash | |
run: | | |
"ubi" --project cross-rs/cross --in "${HOME}/bin" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install deb build dependencies | |
run: | | |
sudo -E platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh \ | |
"${{ matrix.target.debian-name }}" | |
# Step 1. Crossbuild | |
- name: Build packages (cross bins & libs) | |
shell: bash | |
run: | | |
platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh \ | |
"${{ matrix.os }}-${{ matrix.target.name }}" | |
env: | |
VERBOSE: true | |
# Step 1.5. Strip binaries | |
# This significantly helps with storage limits. | |
# ~12 MiB packages vs ~82MiB packages as of 2024. | |
- name: Strip binaries | |
shell: bash | |
run: | | |
find "target/${{ matrix.target.name }}/release" -maxdepth 1 -not -name "*.d" -name "kanidm*" \ | |
| xargs llvm-strip --strip-all | |
# Step 2. deb build | |
- name: Build packages (debs) | |
run: | | |
platform/debian/kanidm_ppa_automation/scripts/build_debs.sh "${{ matrix.target.name }}" | |
- name: Upload debs | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "${{matrix.category.name}}-${{ matrix.os }}-${{ matrix.target.name }}" | |
path: | | |
target/${{ matrix.target.name }}/debian/*.deb | |
# Step 3. Create the APT repo from the debs | |
create-repo: | |
name: Create APT repo | |
needs: build | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Download previously built debs | |
uses: actions/download-artifact@v4 | |
with: | |
path: debs | |
merge-multiple: false # Preserve which debs are from which matrix item | |
- name: List packages | |
run: | | |
find $(pwd) -name '*.deb' | |
- name: Create Aptly repo | |
uses: jinnatar/[email protected] | |
with: | |
name: kanidm_ppa | |
repo_url: https://kanidm.github.io/kanidm_ppa | |
artifact_name: kanidm_ppa_snapshot | |
# TODO: Flip stable repo defs false -> true, _after_ we've done the first publish. | |
# This enables the "import & extend" model. | |
repos: | | |
noble,stable,\"amd64,arm64\",false,debs/stable-ubuntu-24.04-*-unknown-linux-gnu/*.deb | |
jammy,stable,\"amd64,arm64\",false,debs/stable-ubuntu-22.04-*-unknown-linux-gnu/*.deb | |
noble,nightly,\"amd64,arm64\",false,debs/nightly-ubuntu-24.04-*-unknown-linux-gnu/*.deb | |
bookworm,stable,\"amd64,arm64\",false,debs/stable-debian-12-*-unknown-linux-gnu/*.deb | |
bookworm,nightly,\"amd64,arm64\",false,debs/nightly-debian-12-*-unknown-linux-gnu/*.deb | |
# When GPG secrets are not available (say a PR), the repo WILL NOT be signed. | |
# Provide your own key material in a fork to test with signed repo snapshots. | |
gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}" | |
gpg_passphrase: "${{ secrets.PASSPHRASE }}" | |
# Step 4. Publish the created repo if and only if it's a push to main. | |
publish: | |
name: Deploy to GitHub Pages | |
needs: create-repo | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Download repo snapshot | |
uses: actions/download-artifact@v4 | |
with: | |
name: kanidm_ppa_snapshot | |
path: snapshot | |
merge-multiple: true # Flatten artifact name out | |
- name: Add README.md # Pull in book chapter on PPA usage | |
shell: bash | |
run: | | |
curl https://raw.githubusercontent.com/kanidm/kanidm/refs/heads/master/book/src/packaging/ppa_packages.md > snapshot/README.md | |
- name: Import GPG key # So we can sign the repository commit | |
uses: crazy-max/ghaction-import-gpg@v6 | |
env: | |
# GitHub is a real ass about checking whether secrets are available or not. | |
private_key_check: ${{ secrets.GPG_PRIVATE_KEY }} | |
if: env.private_key_check != '' # Not present for PRs on purpose. | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.PASSPHRASE }} | |
git_commit_gpgsign: true | |
- name: Publish to PPA | |
uses: crazy-max/ghaction-github-pages@v4 | |
if: github.ref == 'refs/heads/main' | |
with: | |
repo: kanidm/kanidm_ppa | |
target_branch: main | |
keep_history: false | |
build_dir: snapshot | |
allow_empty_commit: false | |
env: | |
GH_PAT: ${{ secrets.DEPLOY_PAT }} |