Skip to content

Add repo publishing #18

Add repo publishing

Add repo publishing #18

Workflow file for this run

---
name: "Create apt repo"
"on": # TODO: This needs to also become a cron for the nightly function to make sense
push:
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build debs
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
category:
- name: stable
ref: 1.3.0 # Previous stable branch + backport
# ref: v1.4.0 # Future stables should probably use release tags
- name: nightly
ref: master
os:
- ubuntu-22.04 # Upstream LTS support ends 2027.
- ubuntu-24.04 # Upstream LTS support ends 2029.
- debian-12 # Upstream LTS support ends 2028.
target:
- name: x86_64-unknown-linux-gnu
debian-name: amd64
- name: aarch64-unknown-linux-gnu
debian-name: arm64
exclude: # Nightlies are only for latest versions
- category: {name: nightly}
os: ubuntu-22.04
steps:
# Step 0. Pick up the stable or nightly source
- name: Checkout Kanidm
uses: actions/checkout@v4
with:
repository: "kanidm/kanidm"
ref: "${{ matrix.category.ref }}"
submodules: false
# Overlay the latest packaging tools instead of using the submodule reference which is intended for human use.
- name: Checkout packaging tools
uses: actions/checkout@v4
with:
path: platform/debian/kanidm_ppa_automation
- name: Amend PATH
run: |
mkdir "${HOME}/bin"
echo "${HOME}/bin" >> $GITHUB_PATH
# Step 0.5. Get a bunch of tools and dependencies
- name: Install UBI
shell: bash
run: |
curl --silent --location \
https://raw.githubusercontent.com/houseabsolute/ubi/master/bootstrap/bootstrap-ubi.sh |
sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install cross with UBI
shell: bash
run: |
"ubi" --project cross-rs/cross --in "${HOME}/bin"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install deb build dependencies
run: |
sudo -E platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh \
"${{ matrix.target.debian-name }}"
# Step 1. Crossbuild
- name: Build packages (cross bins & libs)
shell: bash
run: |
platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh \
"${{ matrix.os }}-${{ matrix.target.name }}"
env:
VERBOSE: true
# Step 1.5. Strip binaries
# This significantly helps with storage limits.
# ~12 MiB packages vs ~82MiB packages as of 2024.
- name: Strip binaries
shell: bash
run: |
find "target/${{ matrix.target.name }}/release" -maxdepth 1 -not -name "*.d" -name "kanidm*" \
| xargs llvm-strip --strip-all
# Step 2. deb build
- name: Build packages (debs)
run: |
platform/debian/kanidm_ppa_automation/scripts/build_debs.sh "${{ matrix.target.name }}"
- name: Upload debs
uses: actions/upload-artifact@v4
with:
name: "${{matrix.category.name}}-${{ matrix.os }}-${{ matrix.target.name }}"
path: |
target/${{ matrix.target.name }}/debian/*.deb
# Step 3. Create the APT repo from the debs
create-repo:
name: Create APT repo
needs: build
runs-on: ubuntu-24.04
steps:
- name: Download previously built debs
uses: actions/download-artifact@v4
with:
path: debs
merge-multiple: false # Preserve which debs are from which matrix item
- name: List packages
run: |
find $(pwd) -name '*.deb'
- name: Create Aptly repo
uses: jinnatar/[email protected]
with:
name: kanidm_ppa
repo_url: https://kanidm.github.io/kanidm_ppa
artifact_name: kanidm_ppa_snapshot
# TODO: Flip stable repo defs false -> true, _after_ we've done the first publish.
# This enables the "import & extend" model.
repos: |
noble,stable,\"amd64,arm64\",false,debs/stable-ubuntu-24.04-*-unknown-linux-gnu/*.deb
jammy,stable,\"amd64,arm64\",false,debs/stable-ubuntu-22.04-*-unknown-linux-gnu/*.deb
noble,nightly,\"amd64,arm64\",false,debs/nightly-ubuntu-24.04-*-unknown-linux-gnu/*.deb
bookworm,stable,\"amd64,arm64\",false,debs/stable-debian-12-*-unknown-linux-gnu/*.deb
bookworm,nightly,\"amd64,arm64\",false,debs/nightly-debian-12-*-unknown-linux-gnu/*.deb
# When GPG secrets are not available (say a PR), the repo WILL NOT be signed.
# Provide your own key material in a fork to test with signed repo snapshots.
gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}"
gpg_passphrase: "${{ secrets.PASSPHRASE }}"
# Step 4. Publish the created repo if and only if it's a push to main.
publish:
name: Deploy to GitHub Pages
needs: create-repo
runs-on: ubuntu-24.04
steps:
- name: Download repo snapshot
uses: actions/download-artifact@v4
with:
name: kanidm_ppa_snapshot
path: snapshot
merge-multiple: true # Flatten artifact name out
- name: Add README.md # Pull in book chapter on PPA usage
shell: bash
run: |
curl https://raw.githubusercontent.com/kanidm/kanidm/refs/heads/master/book/src/packaging/ppa_packages.md > snapshot/README.md
- name: Import GPG key # So we can sign the repository commit
uses: crazy-max/ghaction-import-gpg@v6
env:
# GitHub is a real ass about checking whether secrets are available or not.
private_key_check: ${{ secrets.GPG_PRIVATE_KEY }}
if: env.private_key_check != '' # Not present for PRs on purpose.
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
git_commit_gpgsign: true
- name: Publish to PPA
uses: crazy-max/ghaction-github-pages@v4
if: github.ref == 'refs/heads/main'
with:
repo: kanidm/kanidm_ppa
target_branch: main
keep_history: false
build_dir: snapshot
allow_empty_commit: false
env:
GH_PAT: ${{ secrets.DEPLOY_PAT }}