Autobuild: Create Debian repository on release #3013
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -445,3 +445,98 @@ jobs: | |
- name: Perform CodeQL Analysis | ||
if: matrix.config.run_codeql | ||
uses: github/codeql-action/analyze@v2 | ||
|
||
create_deb_repo: | ||
name: Create files for .deb repository (if requested) | ||
runs-on: ubuntu-22.04 | ||
needs: [create_release, release_assets] | ||
if: needs.create_release.outputs.publish_to_release == 'true' | ||
# Set permissions to allow uploading artifact, uploading to release | ||
permissions: | ||
checks: write | ||
contents: write | ||
steps: | ||
- name: Import GPG key | ||
env: | ||
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | ||
run: | | ||
set -eu | ||
|
||
[[ "${GPG_PRIVATE_KEY:-}" ]] || { | ||
echo "Missing Github secret GPG_PRIVATE_KEY. Please set it on GitHub to enable deb repository releases. Skipping step..." | ||
echo "GPG_REPO_KEY_MISSING=true" >> ${GITHUB_ENV} | ||
exit 0 | ||
} | ||
|
||
echo "GPG_REPO_KEY_MISSING=false" >> ${GITHUB_ENV} | ||
mkdir -p gpghome | ||
chmod 700 gpghome | ||
echo "${GPG_PRIVATE_KEY}" | gpg --homedir gpghome --import - | ||
# Unfortunately download-artifact action doesn't support wild card downloads. Thus downloading all artifacts | ||
While this approach is not perfect, I think it's easier to download all artifacts instead of one step per deb file. In future, wildcards for downloading only .deb files might be supported. Alternative: use the gh command in the CLI.
||
- name: Download all artifacts | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
uses: actions/download-artifact@v3 | ||
with: | ||
path: releasedl/ | ||
- name: Create Debian repository | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
run: | | ||
set -eu | ||
Could be in a separate .sh file. Hoffie once said he's in favor of inlining.

It's easier to review in context although it makes the
||
|
||
# Create and cd into repo directory | ||
mkdir repo | ||
mv releasedl/*.deb/*.deb repo/ | ||
pushd repo | ||
|
||
# create repo files | ||
apt-ftparchive packages . > Packages | ||
apt-ftparchive release . > Release | ||
gpg --homedir "../gpghome" --armor --yes --clearsign --output InRelease --detach-sign Release | ||
gpg --homedir "../gpghome" --armor --export > "key.asc" | ||
|
||
popd | ||
|
||
- name: Upload Packages file to release | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
id: deb-upload-packagesfile | ||
uses: actions/upload-release-asset@v1 | ||
release-asset is outdated. Changing to the other action might need some work.
||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
upload_url: ${{ needs.create_release.outputs.upload_url }} | ||
asset_path: repo/Packages | ||
asset_name: Packages | ||
asset_content_type: text/plain | ||
- name: Upload Release file to release | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
id: deb-upload-releasefile | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
upload_url: ${{ needs.create_release.outputs.upload_url }} | ||
asset_path: repo/Release | ||
asset_name: Release | ||
asset_content_type: message/rfc822 | ||
- name: Upload InRelease file to release | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
id: deb-upload-inreleasefile | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
upload_url: ${{ needs.create_release.outputs.upload_url }} | ||
asset_path: repo/InRelease | ||
asset_name: InRelease | ||
asset_content_type: text/PGP | ||
- name: Upload Key file to release | ||
if: env.GPG_REPO_KEY_MISSING == 'false' | ||
id: deb-upload-keyascfile | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
upload_url: ${{ needs.create_release.outputs.upload_url }} | ||
asset_path: repo/key.asc | ||
asset_name: key.asc | ||
asset_content_type: application/pgp-keys |
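Review bot: the signing line in the "Create Debian repository" step mixes two gpg commands in one call, `gpg --homedir "../gpghome" --armor --yes --clearsign --output InRelease --detach-sign Release`; gpg resolves this to the `--clearsign` command, so `--detach-sign` has no effect and only the clearsigned InRelease is written, which matches the upload steps (Packages, Release, InRelease, key.asc) but leaves no Release.gpg for clients that expect a detached signature. Either drop `--detach-sign` to make the intent explicit, or run it as a second invocation, `gpg --homedir ../gpghome --armor --yes --detach-sign --output Release.gpg Release`, and add a matching upload step for Release.gpg. Two smaller points: `mv releasedl/*.deb/*.deb repo/` under `set -eu` aborts the job when no artifact name matches the glob, which is acceptable but deserves a comment; and the imported private key stays in `gpghome` inside the workspace for the remainder of the job, so no later step in this job should archive or upload the working directory.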
@@ -0,0 +1,32 @@ | ||
#!/bin/bash | ||
Where should we host this file? Is this repo good or should it be on the website?
||
|
||
# This script installs a Jamulus repository to Debian based systems | ||
|
||
if [[ ${EUID} -ne 0 ]]; then | ||
echo "Error: This script must be run as root." | ||
exit 1 | ||
fi | ||
|
||
REPO_FILE=/etc/apt/sources.list.d/jamulus.list | ||
KEY_FILE=/etc/apt/trusted.gpg.d/jamulus.asc | ||
GITHUB_REPOSITORY="jamulussoftware/jamulus" | ||
|
||
echo "Setting up Jamulus repo at ${REPO_FILE}..." | ||
echo "deb https://github.com/${GITHUB_REPOSITORY}/releases/latest/download/ ./" > ${REPO_FILE} | ||
This uses a trick: latest points to the last release tagged as "stable" by GitHub. Thus, the link remains unchanged, but a redirect guarantees the correct source.
||
echo "Installing Jamulus GPG key at ${KEY_FILE}..." | ||
curl --fail --show-error -sLo "${KEY_FILE}" https://github.com/${GITHUB_REPOSITORY}/releases/latest/download/key.asc | ||
Just trying this script locally, and this step fails with a 404 for Is this script intended for use by a GitHub workflow, or by an end user? I can't see it referred to anywhere else in the tree.

Purely by our git build to create a repo for apt to auto update from.

You'd need to replace the variables. The release will generate a runnable script.

I've currently checked out You can tell I'm a bit rusty!

setup_repo.sh is a script which the user should run on his machine to install the repository. The logic to create the repository is in autobuild.yml. I believe the content in autobuild.yaml correctly replaces the content of the setup_repo.sh script and uploads the modified version to the release.
||
|
||
CURL_EXITCODE=$? | ||
if [[ ${CURL_EXITCODE} -ne 0 ]]; then | ||
echo "Error: Download of gpg key failed. Please try again later." | ||
exit ${CURL_EXITCODE} | ||
fi | ||
|
||
echo "Running apt update..." | ||
apt -qq update | ||
echo "You should now be able to install a full Jamulus package via" | ||
echo " apt install jamulus" | ||
echo "or a server-only, dependency-reduced build via" | ||
echo " apt install jamulus-headless" | ||
echo | ||
echo "This package will automatically be updated when you perform system updates." |
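Review bot: installing the key into /etc/apt/trusted.gpg.d/ (`KEY_FILE=/etc/apt/trusted.gpg.d/jamulus.asc`) makes it a trusted signer for every apt source on the machine, not only this repository, so a compromise of this one release key would allow signing packages for any other configured source; prefer a dedicated keyring bound to this source with `signed-by`, e.g. `KEY_FILE=/etc/apt/keyrings/jamulus.asc` (after `mkdir -p /etc/apt/keyrings`) and `echo "deb [signed-by=${KEY_FILE}] https://github.com/${GITHUB_REPOSITORY}/releases/latest/download/ ./" > ${REPO_FILE}`. Two smaller points: `apt -qq update` is the interactive front end and prints a warning about its unstable CLI when run from a script, so `apt-get -qq update` is the scripting-safe equivalent; and `CURL_EXITCODE=$?` is only correct while nothing is inserted between it and the `curl --fail` line, so `curl ... || { echo "Error: ..."; exit 1; }` on the curl line itself would make the check robust to later edits.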
Forks which don't have a GPG key set will have a failed build.
I'm not sure if a silent failure would be better. Skipping the repo build should be possible.
There are multiple options:

Will
needs.create_release.outputs.publish_to_release == 'true'
be true? Is that what you mean by "failed build"?

Yes. If they publish a release it will be true and the job will fail.

Ok. Maybe my new approach works.

Seems to work: https://github.com/jamulussoftware/jamulus/actions/runs/4494259255/jobs/7906934988

That run demonstrates that skipping the job works if the GPG_PRIVATE_KEY is not set. I can't see a run that demonstrates the action is working properly when the private key IS set.
I'm assuming that the main jamulus repo has a private key, but the ann0see repo does not. But to test this before merging, I guess either ann0see's repo needs a (temporary?) private key, or perhaps we need to merge these changes into a branch on the jamulus repo, so that it can use the jamulus repo secrets?
I don't profess to be an expert (or even moderately knowledgeable) in Debian packaging or repos. Most of my packaging experience is with RPMs on RH-based systems.

See https://github.com/ann0see/jamulus/releases/tag/r3_9_1devrepo
That's a working (?) repo