From 854c619a8ffd05320e372fc05af43a2cae0ab9a8 Mon Sep 17 00:00:00 2001 From: Dorian Stoll Date: Sat, 22 Jul 2023 22:12:00 +0200 Subject: [PATCH] pkg: arch: Move to script based workflow --- .github/scripts/package/arch.sh | 77 +++++++++++ .github/scripts/repository/arch.sh | 66 ++++++++++ .github/workflows/arch.yml | 200 +++++++++++++---------------- 3 files changed, 230 insertions(+), 113 deletions(-) create mode 100644 .github/scripts/package/arch.sh create mode 100644 .github/scripts/repository/arch.sh diff --git a/.github/scripts/package/arch.sh b/.github/scripts/package/arch.sh new file mode 100644 index 000000000..d7d44be8d --- /dev/null +++ b/.github/scripts/package/arch.sh 
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+ $0 setup-builddeps
+ $0 setup-secureboot
+ $0 build-packages
+ $0 sign-packages
+ exit
+fi
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+case "${1:-}" in
+setup-builddeps)
+ # Update the container
+ pacman -Syu
+
+ # Install makepkg deps
+ pacman -S sudo binutils fakeroot base-devel git
+
+ # Install tools for singing the kernel for secureboot
+ pacman -S sbsigntools
+ ;;
+setup-secureboot)
+ if [ -z "${SB_KEY:-}" ]; then
+ echo "WARNING: No secureboot key configured, skipping signing."
+ exit
+ fi
+
+ # Install the surface secureboot certificate
+ echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
+ cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
+ ;;
+build-packages)
+ pushd pkg/arch/kernel || exit 1
+
+ # Fix permissions (can't makepkg as root)
+ echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+ chown -R nobody .
+
+ # Package compression settings (Matches latest Arch)
+ export PKGEXT='.pkg.tar.zst'
+ export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+ export MAKEFLAGS="-j2"
+
+ # Build
+ su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
+
+ # Prepare release
+ mkdir release
+ find . -name '*.pkg.tar.zst' -type f -exec mv {} release \;
+
+ popd || exit 1
+ ;;
+sign-packages)
+ if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+ echo "WARNING: No GPG key configured, skipping signing."
+ exit
+ fi
+
+ pushd pkg/arch/kernel/release || exit 1
+
+ # import GPG key
+ echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+ # sign packages
+ find . -name '*.pkg.tar.zst' -type f -exec \
+ gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {} \;
+
+ popd || exit 1
+ ;;
+esac
diff --git a/.github/scripts/repository/arch.sh b/.github/scripts/repository/arch.sh
new file mode 100644
index 000000000..63c301b70
--- /dev/null
+++ b/.github/scripts/repository/arch.sh
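Review bot: `set -euxo pipefail` at the top of the script enables command tracing for the two steps that decode private key material, so `echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key` in `setup-secureboot` and `echo "${GPG_KEY}" | base64 -d | gpg --import ...` in `sign-packages` print the expanded key value into the job log. GitHub's secret masking will usually redact the exact secret string, but that is a best-effort log filter, and the workflow this replaces did not trace these commands at all, so the script should not depend on it. Drop the `x` (`set -euo pipefail`) or bracket the two decode lines with `set +x` and `set -x`. Separately, `makepkg -sf --skippgpcheck --noconfirm` is carried over unchanged and still disables source signature verification for the kernel build, which deserves a one-line comment explaining why that is acceptable here; the comment `# Install tools for singing the kernel for secureboot` should read `signing`.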
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+pacman()
+{
+ command pacman --noconfirm "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+ echo "GIT_REF is unset!"
+ exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+ echo "GITHUB_REPOSITORY is unset!"
+ exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+ echo "SURFACEBOT_TOKEN is unset!"
+ exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+ echo "BRANCH_STAGING is unset!"
+ exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+pacman -Syu
+pacman -S base-devel git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find arch-latest -type f -exec cp {} repo/arch \;
+pushd repo/arch || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+ echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+ rm "${FILE}"
+done <<< "$(find . -name '*.pkg.tar.zst')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Arch Linux ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
\ No newline at end of file
diff --git a/.github/workflows/arch.yml b/.github/workflows/arch.yml
index f5498db03..f1e54a24b 100644
--- a/.github/workflows/arch.yml
+++ b/.github/workflows/arch.yml
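Review bot: `REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"` puts the bot token into the clone URL, and because this script runs under `set -euxo pipefail` the `git clone -b "${BRANCH_STAGING}" "${REPO}" repo` line is traced to the job log with the token expanded; the same token is also left in the clone's `.git/config` and is visible in the `git clone` process arguments. The old workflow built the same URL but did not trace commands, so the log exposure is new to this change. Keep the token out of argv and the log by handing it to git through a credential helper that reads the (presumably exported) environment variable, e.g. `git config --global credential.helper '!f() { printf "username=surfacebot\npassword=%s\n" "${SURFACEBOT_TOKEN}"; }; f'` followed by `git clone -b "${BRANCH_STAGING}" https://github.com/linux-surface/repo.git repo`, which also covers the later `git push`. Also, now that `pipefail` is on, `RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"` is likely to abort the script: `head` exits after one line, `tr` and `fold` are then killed by SIGPIPE (status 141), `pipefail` reports that and `set -e` exits before anything is committed; reading a bounded amount instead, `RAND="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"`, avoids the broken pipe.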
@@ -1,146 +1,120 @@ -on: - push: - tags: - - 'arch-*' - name: Arch env: GPG_KEY_ID: 56C464BAAC421453 +on: + push: + tags: + - 'arch-*' + jobs: build: name: Build Kernel runs-on: ubuntu-latest - container: archlinux steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Maximize disk space + uses: easimon/maximize-build-space@master + with: + root-reserve-mb: 5120 + remove-dotnet: true + remove-android: true + remove-docker-images: true - - name: Install build dependencies - run: | - # Install makepkg deps - pacman -Syu --noconfirm - pacman -S --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools libffi python + - name: Checkout code + uses: actions/checkout@v3 - - name: Setup secureboot certificate - env: - SB_KEY: ${{ secrets.SURFACE_SB_KEY }} - run: | - cd pkg + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # Install the surface secureboot certificate - echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key - cp keys/surface.crt arch/kernel/MOK.crt + - name: Install build dependencies + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh setup-builddeps - - name: Build - run: | - cd pkg/arch/kernel + - name: Setup secureboot certificate + env: + SB_KEY: ${{ secrets.SURFACE_SB_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e SB_KEY \ + -- \ + bash ./.github/scripts/package/arch.sh setup-secureboot - # Fix permissions (can't makepkg as root) - echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers - chown -R nobody . 
+ - name: Build packages + run: | + bash ./.github/scripts/container/exec.sh \ + -- \ + bash ./.github/scripts/package/arch.sh build-packages - # Package compression settings (Matches latest Arch) - export PKGEXT='.pkg.tar.zst' - export COMPRESSZST=(zstd -c -T0 --ultra -20 -) - export MAKEFLAGS="-j2" + - name: Sign packages + env: + GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} + run: | + bash ./.github/scripts/container/exec.sh \ + -e GPG_KEY \ + -e GPG_KEY_ID \ + -- \ + bash ./.github/scripts/package/arch.sh sign-packages - # Build - su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm' - - - name: Prepare release - run: | - mkdir release - mv pkg/arch/kernel/*.pkg.tar.zst release - - - name: Sign packages - env: - GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} - run: | - cd release - - # import GPG key - echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes - export GPG_TTY=$(tty) - - # sign packages - ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: arch-latest - path: release + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: arch-latest + path: pkg/arch/kernel/release release: name: Publish release needs: [build] runs-on: ubuntu-latest steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Upload assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - file: ./*-latest/* - tag: ${{ github.ref }} - overwrite: true - file_glob: true + - name: Upload assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + file: ./*-latest/* + tag: ${{ github.ref }} + overwrite: true + file_glob: true 
repo: name: Update package repository needs: [release] runs-on: ubuntu-latest - container: archlinux steps: - - name: Install dependencies - run: | - pacman -Syu --noconfirm - pacman -S --noconfirm base-devel git + - name: Checkout repository + uses: actions/checkout@v3 - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: arch-latest - path: arch-latest + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: arch-latest + path: arch-latest - - name: Update repository - env: - SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} - BRANCH_STAGING: u/staging - GIT_REF: ${{ github.ref }} - run: | - repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" + - name: Initialize containers + run: | + bash ./.github/scripts/container/create.sh \ + archlinux - # clone package repository - git clone -b "${BRANCH_STAGING}" "${repo}" repo - - # copy packages - cp arch-latest/* repo/arch/ - cd repo/arch - - # parse git tag from ref - GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') - - # convert packages into references - for pkg in $(find . -name '*.pkg.tar.zst'); do - echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob - rm $pkg - done - - # set git identity - git config --global user.email "surfacebot@users.noreply.github.com" - git config --global user.name "surfacebot" - - # commit and push - update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" - git switch -c "${update_branch}" - git add . 
- git commit -m "Update Arch Linux kernel" - git push --set-upstream origin "${update_branch}" + - name: Update repository + env: + SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} + GIT_REF: ${{ github.ref }} + BRANCH_STAGING: u/staging + run: | + bash ./.github/scripts/container/exec.sh \ + -e SURFACEBOT_TOKEN \ + -e GIT_REF \ + -e BRANCH_STAGING \ + -e GITHUB_REPOSITORY \ + -- \ + bash ./.github/scripts/repository/arch.sh \ No newline at end of file
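Review bot: The new `Maximize disk space` step references `easimon/maximize-build-space@master`, a mutable branch of a third-party action, and it runs first in the `build` job whose later steps receive `secrets.SURFACE_SB_KEY` and `secrets.LINUX_SURFACE_GPG_KEY`; whatever lands on that branch executes on the same runner, with write access to the workspace, before the checkout and build steps. Pin it to a full-length commit SHA with the version in a trailing comment, `uses: easimon/maximize-build-space@<full-commit-sha> # vX.Y`, rather than a branch name. The `.github/scripts/container/create.sh` and `exec.sh` helpers that every step now shells out to are not part of this diff, so how `-e SB_KEY` and `-e GPG_KEY` carry the secrets into the container (environment versus command line) cannot be checked here and is worth a sentence in the commit message. The workflow still declares no top-level `permissions:` block, so `GITHUB_TOKEN` keeps its default scope even though the release step authenticates with `secrets.LINUX_SURFACE_BOT_TOKEN`; `permissions: contents: read` at the top of the file would be the usual hardening, assuming the artifact steps do not need more.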