wayscriber/.github/workflows/build-packages.yml at 94fb80510060a8d72a47e8dc9d7a0533fd5c2d95 · devmobasa/wayscriber · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
name: Release
run-name: Release ${{ github.ref_name }}

on:
  push:
    tags:
      - "v*"

jobs:
  package:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      version: ${{ steps.meta.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential \
            pkg-config \
            libwayland-dev \
            libxkbcommon-dev \
            libcairo2-dev \
            libpango1.0-dev \
            libgtk-3-dev \
            libssl-dev \
            libxcb-shape0-dev \
            libxcb-xfixes0-dev \
            libxcb-render0-dev \
            libxcb1-dev \
            libx11-dev

      - name: Set up Rust
        uses: dtolnay/rust-toolchain@1.92.0

      - name: Install nfpm
        run: |
          NFPM_VERSION=2.43.4
          curl -sSfL "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz" \
            | tar -xz nfpm
          sudo mv nfpm /usr/local/bin/
          nfpm --version

      - name: Cache cargo
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: |
            .
            configurator

      - name: Read crate version
        id: meta
        run: |
          VERSION=$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[] | select(.name=="wayscriber") | .version')
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Pre-fetch Cargo dependencies (locked)
        env:
          CARGO_TARGET_DIR: target
        run: |
          cargo fetch --locked --target x86_64-unknown-linux-gnu
          if [ -f configurator/Cargo.toml ]; then
            cargo fetch --locked --manifest-path configurator/Cargo.toml --target x86_64-unknown-linux-gnu
          fi

      - name: Build & package (tar/deb/rpm)
        env:
          VERSION: ${{ steps.meta.outputs.version }}
          FORMATS: tar,deb,rpm
          ARTIFACT_ROOT: dist
          CARGO_TARGET_DIR: target
        run: |
          ./tools/package.sh

      - name: Upload tarball
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-${{ steps.meta.outputs.version }}-tar
          path: dist/wayscriber-v${{ steps.meta.outputs.version }}-linux-x86_64.tar.gz

      - name: Upload configurator tarball
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-configurator-${{ steps.meta.outputs.version }}-tar
          path: dist/wayscriber-configurator-v${{ steps.meta.outputs.version }}-linux-x86_64.tar.gz

      - name: Upload deb
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-${{ steps.meta.outputs.version }}-deb
          path: dist/wayscriber-amd64.deb

      - name: Upload configurator deb
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-configurator-${{ steps.meta.outputs.version }}-deb
          path: dist/wayscriber-configurator-amd64.deb

      - name: Upload rpm
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-${{ steps.meta.outputs.version }}-rpm
          path: dist/wayscriber-x86_64.rpm

      - name: Upload configurator rpm
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-configurator-${{ steps.meta.outputs.version }}-rpm
          path: dist/wayscriber-configurator-x86_64.rpm

      - name: Upload manifests
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-${{ steps.meta.outputs.version }}-manifest
          path: |
            dist/checksums.txt
            dist/manifest.json

  package-repos:
    name: Build apt/dnf repositories
    needs: package
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      GPG_PRIVATE_KEY_B64: ${{ secrets.PACKAGE_REPO_GPG_PRIVATE_KEY_B64 }}
      GPG_PASSPHRASE: ${{ secrets.PACKAGE_REPO_GPG_PASSPHRASE }}
      GPG_KEY_ID: ${{ secrets.PACKAGE_REPO_GPG_KEY_ID }}
      PACKAGE_REPO_REMOTE_HOST: ${{ secrets.PACKAGE_REPO_REMOTE_HOST }}
      PACKAGE_REPO_REMOTE_PATH: ${{ secrets.PACKAGE_REPO_REMOTE_PATH }}
      PACKAGE_REPO_REMOTE_USER: ${{ secrets.PACKAGE_REPO_REMOTE_USER }}
      PACKAGE_REPO_SSH_KEY: ${{ secrets.PACKAGE_REPO_SSH_KEY }}
      PACKAGE_REPO_SSH_KNOWN_HOSTS: ${{ secrets.PACKAGE_REPO_SSH_KNOWN_HOSTS }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install repo tooling
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            apt-utils \
            dpkg-dev \
            rpm \
            createrepo-c \
            rsync \
            gnupg

      - name: Download packaged artifacts
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true

      - name: Build apt + rpm repositories
        env:
          ARTIFACT_ROOT: dist
          OUTPUT_ROOT: repo-out
          DEB_SUITE: stable
          DEB_COMPONENT: main
          DEB_ARCH: amd64
          RPM_ARCH: x86_64
          REPO_ORIGIN: Wayscriber
          REPO_LABEL: Wayscriber
          SIGN_RPMS: 1
        run: |
          chmod +x tools/build-package-repos.sh
          tools/build-package-repos.sh

      - name: Upload repo bundle
        uses: actions/upload-artifact@v4
        with:
          name: wayscriber-${{ needs.package.outputs.version }}-repos
          path: |
            repo-out/apt
            repo-out/rpm
            repo-out/WAYSCRIBER-GPG-KEY.asc

      - name: Deploy to website host (rsync)
        if: ${{ env.PACKAGE_REPO_REMOTE_HOST != '' && env.PACKAGE_REPO_REMOTE_PATH != '' && env.PACKAGE_REPO_SSH_KEY != '' }}
        env:
          DEPLOY_HOST: ${{ env.PACKAGE_REPO_REMOTE_HOST }}
          DEPLOY_PATH: ${{ env.PACKAGE_REPO_REMOTE_PATH }}
          DEPLOY_USER: ${{ env.PACKAGE_REPO_REMOTE_USER }}
        run: |
          mkdir -p ~/.ssh
          echo "$PACKAGE_REPO_SSH_KEY" > ~/.ssh/repo_key
          chmod 600 ~/.ssh/repo_key
          if [ -n "$PACKAGE_REPO_SSH_KNOWN_HOSTS" ]; then
            echo "$PACKAGE_REPO_SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          else
            ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts
          fi
          DEPLOY_USER="${DEPLOY_USER:-root}"
          ssh -i ~/.ssh/repo_key -o StrictHostKeyChecking=yes "${DEPLOY_USER}@${DEPLOY_HOST}" "mkdir -p '${DEPLOY_PATH}/apt' '${DEPLOY_PATH}/rpm'"
          rsync -av --delete -e "ssh -i ~/.ssh/repo_key -o StrictHostKeyChecking=yes" repo-out/apt/ "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/apt/"
          rsync -av --delete -e "ssh -i ~/.ssh/repo_key -o StrictHostKeyChecking=yes" repo-out/rpm/ "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/rpm/"
          if [ -f repo-out/WAYSCRIBER-GPG-KEY.asc ]; then
            rsync -av -e "ssh -i ~/.ssh/repo_key -o StrictHostKeyChecking=yes" repo-out/WAYSCRIBER-GPG-KEY.asc "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}/"
          fi

  release:
    needs: package
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
      - name: Download packaged artifacts
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true

      - name: Publish GitHub release (auto notes)
        uses: softprops/action-gh-release@v2
        with:
          files: dist/**/*
          generate_release_notes: true

  aur:
    needs: package
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    env:
      AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
      AUR_SSH_KNOWN_HOSTS: ${{ secrets.AUR_SSH_KNOWN_HOSTS }}
      AUR_SSH_PASSPHRASE: ${{ secrets.AUR_SSH_PASSPHRASE }}
    steps:
      - name: Fail if AUR secret missing
        if: env.AUR_SSH_PRIVATE_KEY == ''
        run: |
          echo "AUR secrets not set; failing AUR job."
          exit 1

      - name: Configure SSH for AUR (and test)
        run: |
          mkdir -p ~/.ssh
          echo "$AUR_SSH_PRIVATE_KEY" > ~/.ssh/aur
          chmod 600 ~/.ssh/aur
          {
            echo "Host aur.archlinux.org"
            echo "  HostName aur.archlinux.org"
            echo "  User aur"
            echo "  IdentityFile ~/.ssh/aur"
            echo "  StrictHostKeyChecking yes"
          } >> ~/.ssh/config
          if [ -n "$AUR_SSH_KNOWN_HOSTS" ]; then
            echo "$AUR_SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          else
            ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
          fi
          SSH_CMD="ssh -i ~/.ssh/aur -o StrictHostKeyChecking=yes"
          if [ -n "$AUR_SSH_PASSPHRASE" ]; then
            cat <<'EOS' > /tmp/aur-askpass.sh
          #!/usr/bin/env bash
          printf '%s\n' "${AUR_SSH_PASSPHRASE:-}"
          EOS
            chmod +x /tmp/aur-askpass.sh
            export SSH_ASKPASS=/tmp/aur-askpass.sh
            export SSH_ASKPASS_REQUIRE=force
            export DISPLAY=:0
            eval "$(ssh-agent -s)"
            if ! setsid -w env SSH_ASKPASS=$SSH_ASKPASS SSH_ASKPASS_REQUIRE=$SSH_ASKPASS_REQUIRE DISPLAY=$DISPLAY ssh-add ~/.ssh/aur </dev/null; then
              echo "ssh-add failed; ensure AUR_SSH_PASSPHRASE is set correctly if the key is encrypted."
              exit 1
            fi
            SSH_CMD="ssh -o StrictHostKeyChecking=yes"
            {
              echo "SSH_ASKPASS=$SSH_ASKPASS"
              echo "SSH_ASKPASS_REQUIRE=$SSH_ASKPASS_REQUIRE"
              echo "DISPLAY=$DISPLAY"
              echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
              echo "SSH_AGENT_PID=$SSH_AGENT_PID"
            } >> "$GITHUB_ENV"
          else
            echo "No AUR_SSH_PASSPHRASE provided; using key directly with -i."
          fi
          echo "GIT_SSH_COMMAND=$SSH_CMD" >> "$GITHUB_ENV"
          ls -l ~/.ssh
          echo "ssh config:"
          cat ~/.ssh/config
          ssh-add -l || true
          echo "Key fingerprint:"
          ssh-keygen -lf ~/.ssh/aur || true
          echo "Testing SSH connectivity..."
          GIT_SSH_COMMAND="$SSH_CMD" git ls-remote ssh://aur@aur.archlinux.org/wayscriber.git HEAD

      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Install helpers
        run: |
          sudo apt-get update
          sudo apt-get install -y jq

      - name: Download packaged artifacts
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true

      - name: Set git identity for AUR
        env:
          AUR_GIT_USERNAME: ${{ secrets.AUR_GIT_USERNAME }}
          AUR_GIT_EMAIL: ${{ secrets.AUR_GIT_EMAIL }}
        run: |
          if [ -z "$AUR_GIT_USERNAME" ] || [ -z "$AUR_GIT_EMAIL" ]; then
            echo "AUR_GIT_USERNAME and AUR_GIT_EMAIL secrets must be set."
            exit 1
          fi
          git config --global user.name "$AUR_GIT_USERNAME"
          git config --global user.email "$AUR_GIT_EMAIL"

      - name: Clone AUR repos
        run: |
          GIT_SSH_COMMAND="ssh -i ~/.ssh/aur -o StrictHostKeyChecking=yes" git clone ssh://aur@aur.archlinux.org/wayscriber.git aur-wayscriber
          GIT_SSH_COMMAND="ssh -i ~/.ssh/aur -o StrictHostKeyChecking=yes" git clone ssh://aur@aur.archlinux.org/wayscriber-bin.git aur-wayscriber-bin
          GIT_SSH_COMMAND="ssh -i ~/.ssh/aur -o StrictHostKeyChecking=yes" git clone ssh://aur@aur.archlinux.org/wayscriber-configurator.git aur-wayscriber-configurator || true

      - name: Update AUR from manifest
        env:
          PUSH: "1"
        run: |
          VERSION=$(jq -r '.version' dist/manifest.json)
          chmod +x tools/update-aur-from-manifest.sh
          ./tools/update-aur-from-manifest.sh \
            --version "$VERSION" \
            --manifest dist/manifest.json \
            --source-dir aur-wayscriber \
            --bin-dir aur-wayscriber-bin \
            --config-dir aur-wayscriber-configurator \
            --push