build: Verify the integrity of the ubuntu repo

vorausrobotik · Sep 4, 2024 · 9c8da3a · 9c8da3a
1 parent 0e1f9f8
commit 9c8da3a
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,9 @@
+name: CI
+'on':
+  push:
+    branches:
+      - main
+  pull_request: null
+jobs:
+  ubuntu_verify_repo:
+    uses: ./.github/workflows/ci_ubuntu_verify_repo.yml
diff --git a/.github/workflows/ci_ubuntu_verify_repo.yml b/.github/workflows/ci_ubuntu_verify_repo.yml
@@ -0,0 +1,38 @@
+name: CI ubuntu verify repo 
+'on':
+  workflow_call: null
+jobs:
+  regeneration_is_clean:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (GitHub)
+        uses: actions/checkout@v4
+      - name: Regenerate Packages
+        run: dpkg-scanpackages --multiversion . > Packages
+        working-directory: ./ubuntu/
+      - name: Verify Packages is up to date
+        run: git diff --exit-code
+        working-directory: ./ubuntu/
+      - name: Regenerate Packages.gz
+        run: gzip -k -f Packages --no-name
+        working-directory: ./ubuntu/
+      - name: Verify Packages.gz is up to date
+        run: git diff --exit-code
+        working-directory: ./ubuntu/
+      - name: Verify sha512 sums in the Release file except for itself
+        run: |
+          awk '/^SHA512:/ {flag=1; next} /^$/ {flag=0} flag && $3 != "Release" {print}' Release | while read -r checksum size file; do
+            if [ "$(sha512sum "$file" | awk '{print $1}')" != "$checksum" ]; then
+              exit 1
+            fi
+          done
+        working-directory: ./ubuntu/
+      - name: Try to import the pubkey
+        run: gpg --import burfeind_jan-niklas.gpg
+        working-directory: ./ubuntu/
+      - name: Verify Release.gpg
+        run: gpg --verify Release.gpg Release
+        working-directory: ./ubuntu/
+      - name: Verify InRelease
+        run: gpg --verify InRelease
+        working-directory: ./ubuntu/