Deploy Reprepro #1376
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy Reprepro | |
on: | |
workflow_call: | |
inputs: | |
incoming: | |
type: string | |
required: true | |
description: Name of incoming deb file | |
secrets: | |
GPG_PRIVATE_KEY: | |
required: false | |
GPG_PASSPHRASE: | |
required: false | |
CF_R2_ACCESS_KEY_ID: | |
required: false | |
CF_R2_TOKEN: | |
required: false | |
repository_dispatch: | |
types: [reprepro-incoming] | |
workflow_dispatch: | |
inputs: | |
incoming: | |
description: Name of incoming deb file | |
required: true | |
type: string | |
# Protect reprepro database using concurrency | |
concurrency: reprepro | |
jobs: | |
reprepro: | |
name: Deploy debian package | |
environment: packages.element.io | |
runs-on: ubuntu-24.04 | |
env: | |
R2_BUCKET: ${{ vars.R2_BUCKET }} | |
R2_DB_BUCKET: ${{ vars.R2_DB_BUCKET }} | |
R2_INCOMING_BUCKET: ${{ vars.R2_INCOMING_BUCKET }} | |
R2_URL: ${{ vars.CF_R2_S3_API }} | |
INCOMING_FILE: ${{ inputs.incoming || github.event.client_payload.incoming }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Fetch deb | |
run: | | |
mkdir dist | |
aws s3 cp "s3://$R2_INCOMING_BUCKET/$INCOMING_FILE" dist/ --endpoint-url $R2_URL --region auto | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} | |
- name: Load GPG key | |
uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
fingerprint: ${{ vars.GPG_FINGERPRINT }} | |
- name: Install reprepro | |
run: sudo apt-get install -y reprepro | |
- name: Fetch database | |
run: aws s3 cp --recursive "s3://$R2_DB_BUCKET" debian/db/ --endpoint-url "$R2_URL" --region auto | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} | |
- name: Run reprepro | |
id: reprepro | |
run: | | |
set -x | |
# Find all configured suites which can accept a deb for this architecture, "all" can match all non-source | |
ARCH=$(dpkg --info "dist/$INCOMING_FILE" | awk '/Architecture/ {print $2}') | |
echo "arch=$ARCH" >> $GITHUB_OUTPUT | |
DISTROS=$(reprepro -b debian _listconfidentifiers | grep -v source) | |
if [[ "$ARCH" != "all" ]]; then | |
DISTROS=$(echo "$DISTROS" | grep "$ARCH") | |
fi | |
echo "$DISTROS" | awk -F "|" '{print $1}' | uniq | while read -r target ; do | |
reprepro -b debian includedeb "$target" "dist/$INCOMING_FILE" | |
done | |
- name: Host repository for testing | |
uses: Eun/http-server-action@856e467dda36cd5d30e93bd7dd168cf3e1676301 # v1 | |
with: | |
directory: packages.element.io | |
port: 8000 | |
- name: Check repository works | |
run: | | |
set +x | |
# Add architecture so apt will download for it | |
sudo dpkg --add-architecture $ARCH || exit 0 | |
# Copy signing keyring | |
sudo cp debian/element-io-archive-keyring.gpg /usr/share/keyrings/element-io-archive-keyring.gpg | |
# Point apt at local apt repo overwriting all default sources | |
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://localhost:8000/debian/ default main" | sudo tee /etc/apt/sources.list | |
# Later ubuntu versions use the `conf.d` approach so we need to remove the default sources | |
sudo rm -R /etc/apt/sources.list.d/* | |
sudo apt-get update --allow-insecure-repositories | |
# Validate the package in the repo quacks like the one we expect | |
info=$(dpkg --info ../dist/$INCOMING_FILE) | |
package=$(echo "$info" | grep "Package:" | sed -n 's/ Package: //p') | |
version=$(echo "$info" | grep "Version:" | sed -n 's/ Version: //p') | |
apt-cache show "$package" -o=APT::Architecture="$ARCH" | grep "Version: $version" | |
working-directory: ./packages.element.io | |
env: | |
ARCH: ${{ steps.reprepro.outputs.arch }} | |
- name: Deploy debian repo | |
run: | | |
aws s3 cp --recursive packages.element.io/debian/ "s3://$R2_BUCKET/debian" --endpoint-url "$R2_URL" --region auto | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} | |
- name: Store database | |
run: aws s3 cp --recursive debian/db/ "s3://$R2_DB_BUCKET" --endpoint-url "$R2_URL" --region auto | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} | |
- name: Cleanup incoming | |
run: aws s3 rm "s3://$R2_INCOMING_BUCKET/$INCOMING_FILE" --endpoint-url "$R2_URL" --region auto | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} |