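# Builds php-zts .deb packages for amd64 and arm64 (job "build"), then
# assembles them into a GPG-signed APT repository and publishes it over
# SSH/rsync (job "assemble-repo"). Manual trigger only (workflow_dispatch).
name: Build and upload gcc deb packages
on:
  workflow_dispatch:
    inputs:
      debug_tmate:
        description: "Open tmate session on failure"
        type: boolean
        required: false
        default: false

# Least-privilege token for the whole workflow; jobs re-state it below.
permissions:
  contents: read

jobs:
  build:
    name: Build for ${{ matrix.arch }} PHP ${{ matrix.php-version }}
    # arm64 builds run on the "-arm" runner flavour; amd64 on the plain one.
    runs-on: ubuntu-24.04${{ matrix.arch == 'arm64' && '-arm' || '' }}
    container:
      image: debian:11
    permissions:
      contents: read
    defaults:
      run:
        shell: bash
    env:
      # Job-level env is visible to every step of this job, including the
      # tmate debug session at the end. The token is read-only (contents: read).
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # BASH_ENV is sourced by non-interactive bash; no step below writes it.
      BASH_ENV: /tmp/gha-bashenv
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
    strategy:
      fail-fast: false
      matrix:
        # Quoted so the version stays a string (an unquoted 8.10 would become
        # the float 8.1 before reaching --phpv=).
        php-version: [ "8.4" ]
        arch: [ amd64, arm64 ]
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      # Exposes RPM_ARCH (aarch64 / x86_64) to later steps; it is used to pick
      # the prebuilt php binary URL in "Install composer".
      - name: Set architecture variables
        run: |
          if [[ "${{ matrix.arch }}" == "arm64" ]]; then
            echo "RPM_ARCH=aarch64" >> "$GITHUB_ENV"
          else
            echo "RPM_ARCH=x86_64" >> "$GITHUB_ENV"
          fi

      - name: Bootstrap container
        run: |
          apt-get update
          apt-get install -y ruby build-essential jq curl gzip sudo git gnupg tar zstd
          apt-get upgrade -y
          gem install --no-document fpm

      # Pinned to a fixed CMake release by URL; the tarball is not checksum-verified.
      - name: Install cmake
        run: |
          curl -o cmake.tar.gz -fsSL https://github.com/Kitware/CMake/releases/download/v3.31.4/cmake-3.31.4-linux-$(uname -m).tar.gz && \
          sudo tar -xzf cmake.tar.gz -C /usr/local --strip-components=1 && \
          rm cmake.tar.gz

      # Bootstraps a prebuilt php binary from files.henderkes.com (no checksum
      # verification) and installs composer with the installer pinned to a
      # specific getcomposer.org commit.
      - name: Install composer
        run: |
          sudo curl -L https://files.henderkes.com/${RPM_ARCH}-linux/php -o /usr/local/bin/php
          sudo chmod +x /usr/local/bin/php
          sudo curl -sS https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer | php -- --quiet
          sudo mv composer.phar /usr/local/bin/composer

      # Prints the global cache dir; the actions/cache path below assumes it
      # resolves to ~/.cache/composer.
      - name: Prepare cache directories
        run: |
          composer config -g cache-dir

      - name: Cache Composer downloads
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: ~/.cache/composer
          key: composer-${{ hashFiles('**/composer.lock') }}
          restore-keys: |
            composer-

      - name: Install vendor
        run: composer install --no-interaction --prefer-dist --no-progress

      # Pulls the source tarball produced by the separate spc-download.yml workflow.
      - name: Download artifact from spc-download.yml
        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
        with:
          workflow: spc-download.yml
          name: downloads-tarball

      - name: Extract with permissions
        run: |
          mkdir -p downloads
          tar -xzf downloads.tar.gz -C downloads
          rm downloads.tar.gz

      - name: Build PHP
        run: php bin/spp all --phpv=${{ matrix.php-version }} --prefix="-zts" --type=deb

      # Unpacks every built .deb, prepends a deprecation banner to its postinst
      # (creating one when absent) and repacks it in place. Heredoc bodies and
      # terminators sit at the script's base column because the heredocs are
      # not of the indent-stripping (<<-) form.
      - name: Inject deprecation notice into packages
        run: |
          shopt -s nullglob
          for deb in dist/deb/*.deb; do
            echo "Processing $deb..."
            # Create a working directory
            work_dir=$(mktemp -d)
            extract_dir="$work_dir/extracted"
            # Extract the .deb
            dpkg-deb -R "$deb" "$extract_dir"
            # Create or append to postinst script
            postinst="$extract_dir/DEBIAN/postinst"
            if [ -f "$postinst" ]; then
              # If postinst exists, insert deprecation notice after shebang
              temp_file=$(mktemp)
              head -1 "$postinst" > "$temp_file"
              cat >> "$temp_file" <<'EOF'
          # Display deprecation notice
          cat <<'NOTICE'
          ================================================================================
          ⚠️ DEPRECATION NOTICE
          ================================================================================
          The single-version php-zts repository is deprecated and will no longer receive updates.
          Please migrate to the new repository with different PHP versions available.
          More information: https://pkgs.henderkes.com
          ================================================================================
          NOTICE
          EOF
              tail -n +2 "$postinst" >> "$temp_file"
              mv "$temp_file" "$postinst"
            else
              # Create new postinst script
              cat > "$postinst" <<'EOF'
          #!/bin/sh
          set -e
          # Display deprecation notice
          cat <<'NOTICE'
          ================================================================================
          ⚠️ DEPRECATION NOTICE
          ================================================================================
          This repository is deprecated and will no longer receive updates.
          Please migrate to the new repository with different PHP versions available.
          More information: https://pkgs.henderkes.com
          ================================================================================
          NOTICE
          #DEBHELPER#
          exit 0
          EOF
            fi
            chmod 755 "$postinst"
            # Repackage the .deb
            dpkg-deb -b "$extract_dir" "$deb"
            # Cleanup
            rm -rf "$work_dir"
            echo "✓ Injected deprecation notice into $deb"
          done

      - name: Stage deb artifacts
        run: |
          mkdir -p "artifacts/${{ matrix.arch }}"
          shopt -s nullglob
          mv dist/deb/*.deb "artifacts/${{ matrix.arch }}/"

      - name: Upload debs
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: "debs-${{ matrix.arch }}"
          path: artifacts/**
          if-no-files-found: error
          retention-days: 2

      - name: Upload logs
        if: ${{ failure() }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: build-logs-${{ matrix.arch }}-php${{ matrix.php-version }}
          path: log

      # Opt-in interactive debugging; the session inherits the job env above
      # (including GITHUB_TOKEN), so it should only be enabled by a trusted
      # dispatcher.
      - name: Setup tmate session
        if: ${{ failure() && inputs.debug_tmate == true }}
        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
        timeout-minutes: 10

  assemble-repo:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      # Repository signing key material; consumed only by the gpg calls in
      # "Build signed APT repo".
      DEB_GPG_PRIVATE_KEY: ${{ secrets.DEB_GPG_PRIVATE_KEY }}
      DEB_GPG_PASSWORD: ${{ secrets.DEB_GPG_PASSWORD }}
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Install repo tooling
        run: |
          sudo apt-get update
          sudo apt-get install -y reprepro gnupg rsync

      # Merges the per-arch "debs-*" artifacts from the build matrix into ./collected.
      - name: Download all debs
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          pattern: debs-*
          merge-multiple: true
          path: collected

      # Imports the signing key into a fresh GNUPGHOME, derives its fingerprint,
      # performs one loopback-pinentry signature (presumably so gpg-agent caches
      # the passphrase for reprepro's unattended SignWith — confirm), then
      # builds and exports the "stable" suite with reprepro.
      - name: Build signed APT repo (aggregate)
        run: |
          REPO_ROOT="$(pwd)/repo"
          mkdir -p "${REPO_ROOT}/conf"
          ORIGIN="Static PHP repository"
          LABEL="static-php"
          COMPONENT="main"
          export GNUPGHOME="${HOME}/.gnupg"
          mkdir -p "${GNUPGHOME}"; chmod 700 "${GNUPGHOME}"
          echo "allow-loopback-pinentry" > "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --kill gpg-agent
          # Fingerprint is read from a dry-run import (show-only) of the key blob.
          FPR=$(printf '%s' "${DEB_GPG_PRIVATE_KEY}" \
            | gpg --batch --quiet --with-colons --import-options show-only --import 2>/dev/null \
            | awk -F: '/^fpr:/ {print $10; exit}')
          # Fail early with a clear message instead of a confusing gpg error on
          # an empty --local-user / SignWith.
          if [ -z "${FPR}" ]; then
            echo "::error::could not derive a key fingerprint from DEB_GPG_PRIVATE_KEY" >&2
            exit 1
          fi
          printf '%s' "${DEB_GPG_PRIVATE_KEY}" | gpg --batch --yes --import
          {
            echo "pinentry-mode loopback"
            echo "default-key ${FPR}"
          } > "${GNUPGHOME}/gpg.conf"
          t=$(mktemp); echo warmup > "$t"
          gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --local-user "${FPR}" --sign --output /dev/null "$t" <<<"${DEB_GPG_PASSWORD}"
          rm -f "$t"
          cat > "${REPO_ROOT}/conf/distributions" <<EOF
          Codename: stable
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ⚠️ DEPRECATED - This repository is deprecated. Please migrate to the new repository with different PHP versions at https://pkgs.henderkes.com.
          NotAutomatic: yes
          ButAutomaticUpgrades: yes
          SignWith: ${FPR}
          EOF
          shopt -s nullglob globstar
          debs=( collected/**/*.deb )
          reprepro -b "${REPO_ROOT}" includedeb stable "${debs[@]}"
          reprepro -b "${REPO_ROOT}" export

      - name: Set up SSH key
        uses: webfactory/ssh-agent@d4b9b8ff72958532804b70bbe600ad43b36d5f2e # v0.8.0
        with:
          ssh-private-key: ${{ secrets.GITHUBRPMHENDERKESPRIVATEKEY }}

      # Pins the deploy host's public keys so the rsync/ssh steps below cannot
      # be redirected by a host-key change; the host address comes from a secret.
      - name: Add remote host to known_hosts
        run: |
          mkdir -p ~/.ssh
          cat >> ~/.ssh/known_hosts <<'EOF'
          ${{ secrets.DEB_SERVER_IP }} ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPQq0y77dDEtxECVMhCxjcqiV369goMcbInsY/d+F1yXGwqOXQ6RqIEzgaVhgq0joMJT5BiGXNXQ+OI10/KtzGI=
          ${{ secrets.DEB_SERVER_IP }} ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2laCc5jifgjL/2zLzgP1E/X3kouXdaZv00KtAV1DOO5umThoWzb16cswnVtjtLUEMIuo9rPLB79xX2Asa+nN3uMgJDANnr/xnhRoI++yOGLga40/O69U88j5x+5FXODscH/k4n85mfcjzm/fZLXcHlb17ibCmU20I3v46sydn95Pp4/ShDvqsHVB4gWEKJ+jStkooUz2H1UZ8ZquNtaPTlmkOeClNj6gxag74P5b9VB6M5YNac2Emi3Nm0dYkc+BL0Qv+NEtFR1lR63DLa3O/NGTALGJYGmTUkjwiv8KygegaKhd2zxESmWhV7eYIPax8zL+GE9sX1Xwwh1huS0vsuwr2dXPP1/q5slz1AQV/lx85fGdiHc0F8RUXwqXbvGxZJheTuC/Mgu0cFzp5gqO4kTP28X+9fokzScBKBCIfObDXrl7rZgTXAA8IQ5gHk1tGchaEOIcDsjdISW5HVOiwocYSwUNMHzuZ08qAulatIywtOGcWVRdvOs7TcvSgfZ0=
          ${{ secrets.DEB_SERVER_IP }} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaB5IjokRHAH0Y9pzVe/Jx3s6cn0OADJ9uTxQQubBMu
          EOF
          chmod 600 ~/.ssh/known_hosts

      # --delete mirrors the local tree exactly: anything on the server that is
      # not in ./repo is removed.
      - name: Upload APT repo to DEB_SERVER_IP
        run: rsync -azv --delete repo/ github@${{ secrets.DEB_SERVER_IP }}:/mnt/data/deb/

      - name: Fix permissions for Caddy file browser
        run: ssh github@${{ secrets.DEB_SERVER_IP }} 'chmod -R o+rx /mnt/data/deb'

      # - name: Setup tmate session
      #   if: ${{ failure() && github.event_name == 'workflow_dispatch' }}
      #   uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
      #   timeout-minutes: 10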