-
Notifications
You must be signed in to change notification settings - Fork 1
173 lines (168 loc) · 6.54 KB
/
create-apt-repo.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
---
name: "Create apt repo"
"on": # TODO: This needs to also become a cron for the nightly function to make sense
push:
pull_request:
schedule:
- cron: '45 6 * * *' # UTC 6:45
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build debs
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
category:
- name: stable
ref: 1.3.0 # Previous stable branch + backport
# ref: v1.4.0 # Future stables should probably use release tags
- name: nightly
ref: master
os:
- ubuntu-22.04 # Upstream LTS support ends 2027.
- ubuntu-24.04 # Upstream LTS support ends 2029.
- debian-12 # Upstream LTS support ends 2028.
target:
- name: x86_64-unknown-linux-gnu
debian-name: amd64
- name: aarch64-unknown-linux-gnu
debian-name: arm64
exclude:
# Nightlies are only for latest versions
- category: {name: nightly}
os: ubuntu-22.04
# Don't rebuild stable every nightly schedule
# TODO: revert the event_name to 'schedule' once done with testing
- category: {name: "${{ github.event_name == 'pull_request' && 'stable' }}"}
steps:
# Step 0. Pick up the stable or nightly source
- name: Checkout Kanidm
uses: actions/checkout@v4
with:
repository: "kanidm/kanidm"
ref: "${{ matrix.category.ref }}"
submodules: false
# Overlay the latest packaging tools instead of using the submodule reference which is intended for human use.
- name: Checkout packaging tools
uses: actions/checkout@v4
with:
path: platform/debian/kanidm_ppa_automation
- name: Amend PATH
run: |
mkdir "${HOME}/bin"
echo "${HOME}/bin" >> $GITHUB_PATH
# Step 0.5. Get a bunch of tools and dependencies
- name: Install UBI
shell: bash
run: |
curl --silent --location \
https://raw.githubusercontent.com/houseabsolute/ubi/master/bootstrap/bootstrap-ubi.sh |
sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install cross with UBI
shell: bash
run: |
"ubi" --project cross-rs/cross --in "${HOME}/bin"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install deb build dependencies
run: |
sudo -E platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh \
"${{ matrix.target.debian-name }}"
# Step 1. Crossbuild
- name: Build packages (cross bins & libs)
shell: bash
run: |
platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh \
"${{ matrix.os }}-${{ matrix.target.name }}"
env:
VERBOSE: true
# Step 1.5. Strip binaries
# This significantly helps with storage limits.
# ~12 MiB packages vs ~82MiB packages as of 2024.
- name: Strip binaries
shell: bash
run: |
find "target/${{ matrix.target.name }}/release" -maxdepth 1 -not -name "*.d" -name "kanidm*" \
| xargs llvm-strip --strip-all
# Step 2. deb build
- name: Build packages (debs)
run: |
platform/debian/kanidm_ppa_automation/scripts/build_debs.sh "${{ matrix.target.name }}"
- name: Upload debs
uses: actions/upload-artifact@v4
with:
name: "${{matrix.category.name}}-${{ matrix.os }}-${{ matrix.target.name }}"
path: |
target/${{ matrix.target.name }}/debian/*.deb
# Step 3. Create the APT repo from the debs
create-repo:
name: Create APT repo
needs: build
runs-on: ubuntu-24.04
steps:
- name: Download previously built debs
uses: actions/download-artifact@v4
with:
path: debs
merge-multiple: false # Preserve which debs are from which matrix item
- name: List packages
run: |
find $(pwd) -name '*.deb'
- name: Create Aptly repo
uses: jinnatar/[email protected]
with:
name: kanidm_ppa
repo_url: https://kanidm.github.io/kanidm_ppa
artifact_name: kanidm_ppa_snapshot
repos: |
noble,stable,\"amd64,arm64\",true,debs/stable-ubuntu-24.04-*-unknown-linux-gnu/*.deb
jammy,stable,\"amd64,arm64\",true,debs/stable-ubuntu-22.04-*-unknown-linux-gnu/*.deb
noble,nightly,\"amd64,arm64\",false,debs/nightly-ubuntu-24.04-*-unknown-linux-gnu/*.deb
bookworm,stable,\"amd64,arm64\",true,debs/stable-debian-12-*-unknown-linux-gnu/*.deb
bookworm,nightly,\"amd64,arm64\",false,debs/nightly-debian-12-*-unknown-linux-gnu/*.deb
# When GPG secrets are not available (say a PR), the repo WILL NOT be signed.
# Provide your own key material in a fork to test with signed repo snapshots.
gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}"
gpg_passphrase: "${{ secrets.PASSPHRASE }}"
# Step 4. Publish the created repo if and only if it's a push to main.
publish:
name: Deploy to GitHub Pages
needs: create-repo
runs-on: ubuntu-24.04
steps:
- name: Download repo snapshot
uses: actions/download-artifact@v4
with:
name: kanidm_ppa_snapshot
path: snapshot
merge-multiple: true # Flatten artifact name out
- name: Add README.md # Pull in book chapter on PPA usage
shell: bash
run: |
curl https://raw.githubusercontent.com/kanidm/kanidm/refs/heads/master/book/src/packaging/ppa_packages.md > snapshot/README.md
- name: Import GPG key # So we can sign the repository commit
uses: crazy-max/ghaction-import-gpg@v6
env:
# GitHub is a real ass about checking whether secrets are available or not.
private_key_check: ${{ secrets.GPG_PRIVATE_KEY }}
if: env.private_key_check != '' # Not present for PRs on purpose.
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
git_commit_gpgsign: true
- name: Publish to PPA
uses: crazy-max/ghaction-github-pages@v4
if: github.ref == 'refs/heads/main'
with:
repo: kanidm/kanidm_ppa
target_branch: main
keep_history: false
build_dir: snapshot
allow_empty_commit: false
env:
GH_PAT: ${{ secrets.DEPLOY_PAT }}