01-make-dist.yml

# Adapted from NUT codeql.yml with inspiration taken from
# https://javahelps.com/manage-github-artifact-storage-quota
# regarding uploads of artifacts and clearing the way for them.
# See also:
#   https://github.com/actions/upload-artifact
#   https://docs.github.com/en/actions/reference/workflows-and-actions/variables
#   https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
#name: "GHA-01: Make dist and docs tarballs, see workflow page for links"
name: "GHA-01: Tarballs"

on:
  push:
    branches: [ "master", "FTY", "fightwarn", "FTY-obs" ]
    tags:
      - v*
  pull_request_target:
    # The branches below must be a subset of the branches above
    # Note that for PRs this runs the copy of workflow in the
    # target branch (and only then gets some of the permissions
    # listed below), and identification/naming of PR source vs.
    # a pushed branch (e.g. master updated by a PR merge) is
    # tricky.
    branches: [ "master", "FTY", "fightwarn", "FTY-obs" ]
  schedule:
    - cron: '15 12 * * 0'
  workflow_dispatch:
    # Allow manually running the action, e.g. if disabled after some quietness in the source

permissions:
  checks: write
  contents: write
  issues: write
  pull-requests: write

jobs:
  make-dist-tarballs:
    name: "Make Dist and Docs Tarballs, see workflow page for links"
     # FIXME: Prepare/maintain a container image with pre-installed
     #  NUT build/tooling prereqs (save about 3 minutes per run!)
     #  Maybe https://aschmelyun.com/blog/using-docker-run-inside-of-github-actions/
     #  => https://github.com/addnab/docker-run-action can help
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false

    steps:
    - name: Checkout repository
      uses: actions/checkout@v5
      with:
        fetch-depth: 0
        fetch-tags: true
        # NOTE: pull_request_target protects us by using the workflow definition
        # from target branch (so trusted operations like artifact management can
        # be used), but it also uses the code from that branch too, so fix it back.
        # Maybe use "github.event.pull_request.merge_commit_sha" instead?.. though
        # it may be null if the PR is not mergeable or is still checked for that,
        # or may return the commit for PREVIOUS pushed iteration's merge to target.
        # See more ideas in https://github.com/actions/checkout/issues/518 :
        ref: "${{ github.event.pull_request.number > 0 && github.event.pull_request.head.sha || github.ref_name }}"
        persist-credentials: false

    # https://github.com/marketplace/actions/substitute-string
    # See also examples in https://github.com/dhimmel/dump-actions-context/
    # Note it warns about "unexpected input(s)" with replacement tokens below,
    # as they are by design not predefined, as far as actions API is concened.
    # They still work for substitutions though.
    - uses: bluwy/substitute-string-action@v3
      id: subst-github-ref-name
      with:
        _input-text: "${{ github.event.pull_request.number > 0 && format('PR-{0}', github.event.pull_request.number) || github.head_ref || github.ref_name }}"
        " ": _
        "/": _

    - name: Debug PR/branch identification
      run: |
        echo "steps.subst-github-ref-name.outputs.result='${{ steps.subst-github-ref-name.outputs.result }}'" || true
        echo "github.event.pull_request.number='${{ github.event.pull_request.number }}'" || true
        echo "format('PR-{0}', github.event.pull_request.number)='${{ format('PR-{0}', github.event.pull_request.number) }}'" || true
        echo "github.head_ref='${{ github.head_ref }}'" || true
        echo "github.ref='${{ github.ref }}'" || true
        echo "github.ref_name='${{ github.ref_name }}'" || true

    # Make build identification more useful (so we use no fallbacks in script)
    - name: Try to get more Git metadata
      run: |
        git describe || {
          git remote -v || true
          git branch -a || true
          for R in `git remote` ; do git fetch $R master ; done || true
          git fetch --tags
          pwd ; ls -la
          echo "=== Known commits in history:"
          git log --oneline | wc -l
          echo "=== Recent commits in history:"
          git log -2 || true
          echo "=== Known tags:"
          git tag || true
          echo "=== Try to ensure 'git describe' works:"
          git describe || {
            git fetch --all && for R in `git remote` ; do for T in `git tag` ; do git fetch $R $T ; done ; done
            git describe || {
              TEST_REF="`git symbolic-ref --short HEAD 2>/dev/null || cat .git/HEAD`" && [ -n "${TEST_REF}" ] && git checkout master && git pull --all && git checkout "${TEST_REF}"
              git describe || true
            }
          }
        }

    # Using hints from https://askubuntu.com/questions/272248/processing-triggers-for-man-db
    # and our own docs/config-prereqs.txt
    # NOTE: Currently installing the MAX prerequisite footprint,
    # which for building just the docs may be a bit of an overkill.
    - name: NUT CI Prerequisite packages (Ubuntu, GCC)
      run: |
        echo "set man-db/auto-update false" | sudo debconf-communicate
        sudo dpkg-reconfigure man-db
        sudo apt update
        sudo apt install \
            gcc g++ clang \
            ccache time \
            git perl curl \
            make autoconf automake libltdl-dev libtool binutils \
            valgrind \
            cppcheck \
            pkg-config \
            libtool-bin \
            python3 gettext python3-pyqt6 pyqt6-dev-tools \
            aspell aspell-en \
            asciidoc source-highlight python3-pygments dblatex \
            libgd-dev \
            systemd-dev \
            libsystemd-dev \
            libcppunit-dev \
            libssl-dev libnss3-dev \
            augeas-tools libaugeas-dev augeas-lenses \
            libusb-dev libusb-1.0-0-dev \
            libi2c-dev \
            libmodbus-dev \
            libsnmp-dev \
            libpowerman0-dev \
            libfreeipmi-dev libipmimonitoring-dev \
            libavahi-common-dev libavahi-core-dev libavahi-client-dev \
            libgpiod-dev \
            bash dash ksh busybox \
            libneon27-gnutls-dev \
            build-essential git-core libi2c-dev i2c-tools lm-sensors \
        || exit
        date > .timestamp-init

    - name: Prepare ccache
      # Based on https://docs.github.com/en/actions/reference/workflows-and-actions/dependency-caching#example-using-the-cache-action example
      id: cache-ccache
      uses: actions/cache@v4
      env:
        compiler: 'CC=gcc CXX=g++'
        cache-name: cache-ccache-${{ env.compiler }}
      with:
        path: |
            ~/.ccache
            ~/.cache/ccache
            ~/.config/ccache/ccache.conf
        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/.timestamp-init') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-

    - name: CCache stats before build
      run: |
        ccache -sv || ccache -s || echo "FAILED to read ccache info, oh well"
        rm -f .timestamp-init

    - name: Debug gitlog2version processing
      run: bash -x ./tools/gitlog2version.sh || true

    - name: NUT CI Build Configuration
      env:
        compiler: 'CC=gcc CXX=g++'
      run: |
        PATH="/usr/lib/ccache:$PATH" ; export PATH
        CCACHE_COMPRESS=true; export CCACHE_COMPRESS
        ccache --version || true
        ( ${{env.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
        ./autogen.sh && \
        ./configure --enable-warnings --enable-Werror --enable-Wcolor --with-all --with-dev --with-docs --enable-docs-changelog ${{env.compiler}}

    # NOTE: In this scenario we do not build actually NUT in the main
    # checkout directory, at least not explicitly (recipe may generate
    # some files like man pages to fulfill the "dist" requirements;
    # for now this may generate some libs to figure out their IDs).
    # We do `make docs` to provide them as a separate tarball just
    # in case, later.
    # DO NOT `make dist-files` here as it includes `dist-sig` and
    # needs a GPG keychain with maintainers' secrets deployed locally.
    - name: NUT CI Build to create "dist" tarball and related files
      env:
        compiler: 'CC=gcc CXX=g++'
      run: |
        PATH="/usr/lib/ccache:$PATH" ; export PATH
        CCACHE_COMPRESS=true; export CCACHE_COMPRESS
        ccache --version || true
        ( ${{env.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
        make -s -j 8 dist dist-hash

    - name: NUT CI Build to verify "dist" tarball build
      env:
        compiler: 'CC=gcc CXX=g++'
      run: |
        PATH="/usr/lib/ccache:$PATH" ; export PATH
        CCACHE_COMPRESS=true; export CCACHE_COMPRESS
        ccache --version || true
        ( ${{env.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
        make -s -j 8 distcheck

    - name: NUT CI Build to verify "dist" tarball build self-reproducibility
      env:
        compiler: 'CC=gcc CXX=g++'
      run: |
        PATH="/usr/lib/ccache:$PATH" ; export PATH
        CCACHE_COMPRESS=true; export CCACHE_COMPRESS
        ccache --version || true
        ( ${{env.compiler}} ; echo "=== CC: $CC => `command -v $CC` =>" ; $CC --version ; echo "=== CXX: $CXX => `command -v $CXX` =>" ; $CXX --version ) || true
        make -s -j 8 distcheck-completeness

    - name: CCache stats after distcheck
      run: ccache -sv || ccache -s || echo "FAILED to read ccache info, oh well"

    - name: NUT CI Build to package complex docs (not part of dist tarball)
      run: |
        make -s -j 8 dist-docs

    # Inspired by https://javahelps.com/manage-github-artifact-storage-quota
    # Note that the code below wipes everything matched by the filter!
    # We may want another script block (after this cleanup of obsolete data)
    # to iterate clearing the way build by build until there's X MB available
    # (at least 12MB as of Nov 2025).
    - if: env.GITHUB_REF_TYPE != 'tag' && steps.subst-github-ref-name.outputs.result != 'master'
      name: Delete Old Artifacts for this feature branch/PR
      uses: actions/github-script@v6
      id: delete_old_artifact_for_pr
      continue-on-error: true
      with:
        script: |
          const res = await github.rest.actions.listArtifactsForRepo({
            owner: context.repo.owner,
            repo: context.repo.repo,
          })

          res.data.artifacts
            .filter(({ name }) => name === 'NUT-tarballs-${{ steps.subst-github-ref-name.outputs.result }}')
            .forEach(({ id }) => {
              github.rest.actions.deleteArtifact({
                owner: context.repo.owner,
                repo: context.repo.repo,
                artifact_id: id,
              })
            })

    - name: Upload tarball and its checksum artifacts
      uses: actions/upload-artifact@v4
      id: upload_artifact
      with:
        name: NUT-tarballs-${{ steps.subst-github-ref-name.outputs.result }}
        path: |
          nut-*.tar*
        compression-level: 0
        overwrite: true

    # NOTE: Despite the docs examples, due to GH API changes in Mar 2025
    # this action can no longer update an existing check, only create a
    # new one. Also calls authenticated with "github-actions" GH App may
    # not set "details_url" freely...
    # https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28
    - name: "GHA-01: Create new GH Check report - shell/cURL"
      if: always()
      continue-on-error: true
      env:
        artifact_name: "NUT-tarballs-${{ steps.subst-github-ref-name.outputs.result }}.zip"
        artifact_url: ${{ steps.upload_artifact.outputs.artifact-url }}
        ref: ${{ github.event.pull_request.head.sha || github.sha }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        curl -L \
          -X POST \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${{ env.GITHUB_TOKEN }}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/${{ github.repository }}/check-runs \
          -d '{"head_sha": "${{ env.ref }}", "name": "URL for ${{ env.artifact_name }}", "details_url": "${{ env.artifact_url }}", "status": "completed", "conclusion": "${{ job.status }}", "output": {"title": "${{ env.artifact_url }}", "summary": "Dist and Docs [${{ env.artifact_name }}](${{ env.artifact_url }}) are available for commit ${{ env.ref }}"} }'

    ### This tends to use same "name" text on both sides of Checks list entry:
    #- name: "GHA-01: Add link as GH Check report"
    #  uses: LouisBrunner/checks-action@v2.0.0
    #  if: always()
    #  continue-on-error: true
    #  env:
    #    artifact_name: "NUT-tarballs-${{ steps.subst-github-ref-name.outputs.result }}.zip"
    #    artifact_url: ${{ steps.upload_artifact.outputs.artifact-url }}
    #    ref: ${{ github.event.pull_request.head.sha || github.sha }}
    #  with:
    #    token: ${{ secrets.GITHUB_TOKEN }}
    #    name: "[${{ env.artifact_name }}](${{ env.artifact_url }})"
    #    status: "completed"
    #    conclusion: ${{ job.status }}
    #    details_url: ${{ env.artifact_url }}
    #    output: '{ "text_description": "Dist and Docs [${{ env.artifact_name }}](${{ env.artifact_url }}) are available for commit ${{ env.ref }}", "summary": "${{ job.status }}" }'