Publish Package Managers #7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Package Managers | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-manifests: | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| cli_version: ${{ steps.versions.outputs.cli_version }} | |
| icey_version: ${{ steps.versions.outputs.icey_version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Checkout icey | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: nilstate/icey | |
| path: icey | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| gcc-13 g++-13 \ | |
| cmake \ | |
| dpkg-dev \ | |
| gnupg \ | |
| libssl-dev \ | |
| libavcodec-dev libavformat-dev libavutil-dev libswscale-dev libswresample-dev \ | |
| unzip zip | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| cache-dependency-path: web/package-lock.json | |
| - name: Read versions | |
| id: versions | |
| run: | | |
| echo "cli_version=$(tr -d '[:space:]' < VERSION)" >> "$GITHUB_OUTPUT" | |
| echo "icey_version=$(tr -d '[:space:]' < icey/VERSION)" >> "$GITHUB_OUTPUT" | |
| - name: Check APT signing credentials | |
| id: apt-signing | |
| env: | |
| APT_GPG_PRIVATE_KEY: ${{ secrets.APT_GPG_PRIVATE_KEY }} | |
| run: | | |
| if [[ -n "${APT_GPG_PRIVATE_KEY:-}" ]]; then | |
| echo "sign=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "sign=false" >> "$GITHUB_OUTPUT" | |
| echo "Proceeding without APT repository signing." | |
| fi | |
| - name: Import APT signing key | |
| if: steps.apt-signing.outputs.sign == 'true' | |
| env: | |
| APT_GPG_PRIVATE_KEY: ${{ secrets.APT_GPG_PRIVATE_KEY }} | |
| APT_GPG_PASSPHRASE: ${{ secrets.APT_GPG_PASSPHRASE }} | |
| run: | | |
| export GNUPGHOME="$RUNNER_TEMP/apt-gnupg" | |
| mkdir -p "$GNUPGHOME" | |
| chmod 700 "$GNUPGHOME" | |
| printf '%s\n' "$APT_GPG_PRIVATE_KEY" | gpg --batch --import | |
| key_id="$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^sec:/ { print $5; exit }')" | |
| if [[ -z "$key_id" ]]; then | |
| echo "Failed to discover imported APT signing key" >&2 | |
| exit 1 | |
| fi | |
| echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV" | |
| echo "APT_GPG_KEY_ID=$key_id" >> "$GITHUB_ENV" | |
| if [[ -n "${APT_GPG_PASSPHRASE:-}" ]]; then | |
| echo "APT_GPG_PASSPHRASE=$APT_GPG_PASSPHRASE" >> "$GITHUB_ENV" | |
| fi | |
| - name: Build and render package managers | |
| env: | |
| CC: gcc-13 | |
| CXX: g++-13 | |
| ICEY_SOURCE_DIR: ${{ github.workspace }}/icey | |
| BUILD_DIR: ${{ github.workspace }}/build-release | |
| APT_BASE_URL: https://apt.0state.com/icey | |
| run: ./scripts/package-manager-check.sh | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: package-managers-rendered | |
| path: .stage/package-managers/rendered | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: apt-repo | |
| path: | | |
| .stage/apt-repo | |
| .stage/apt-public | |
| publish-homebrew: | |
| runs-on: ubuntu-24.04 | |
| needs: build-manifests | |
| steps: | |
| - name: Check Homebrew publish credentials | |
| id: gate | |
| env: | |
| HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} | |
| run: | | |
| if [[ -n "${HOMEBREW_TAP_TOKEN:-}" ]]; then | |
| echo "publish=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "publish=false" >> "$GITHUB_OUTPUT" | |
| echo "Skipping Homebrew publish: HOMEBREW_TAP_TOKEN is not configured." | |
| fi | |
| - uses: actions/checkout@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| - uses: actions/download-artifact@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| with: | |
| name: package-managers-rendered | |
| path: .stage/package-managers/rendered | |
| - name: Checkout tap repo | |
| if: steps.gate.outputs.publish == 'true' | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: nilstate/homebrew-tap | |
| token: ${{ secrets.HOMEBREW_TAP_TOKEN }} | |
| path: .stage/homebrew-tap | |
| - name: Publish formula | |
| if: steps.gate.outputs.publish == 'true' | |
| env: | |
| TAP_REPO_DIR: ${{ github.workspace }}/.stage/homebrew-tap | |
| run: ./scripts/publish-homebrew.sh | |
| - name: Commit formula update | |
| if: steps.gate.outputs.publish == 'true' | |
| run: | | |
| git -C .stage/homebrew-tap config user.name "github-actions[bot]" | |
| git -C .stage/homebrew-tap config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| if git -C .stage/homebrew-tap diff --quiet; then | |
| exit 0 | |
| fi | |
| git -C .stage/homebrew-tap add Formula/icey-server.rb | |
| git -C .stage/homebrew-tap commit -m "icey-server ${{ needs.build-manifests.outputs.cli_version }}" | |
| git -C .stage/homebrew-tap push | |
| publish-apt-repo: | |
| runs-on: ubuntu-24.04 | |
| needs: build-manifests | |
| steps: | |
| - name: Check package repo credentials | |
| id: gate | |
| env: | |
| PACKAGES_REPO_TOKEN: ${{ secrets.PACKAGES_REPO_TOKEN }} | |
| run: | | |
| if [[ -n "${PACKAGES_REPO_TOKEN:-}" ]]; then | |
| echo "publish=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "publish=false" >> "$GITHUB_OUTPUT" | |
| echo "Skipping APT publish: PACKAGES_REPO_TOKEN is not configured." | |
| fi | |
| - uses: actions/checkout@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| - uses: actions/download-artifact@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| with: | |
| name: apt-repo | |
| path: .stage/apt-repo | |
| - uses: actions/download-artifact@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| with: | |
| name: package-managers-rendered | |
| path: .stage/package-managers/rendered | |
| - name: Checkout package repo | |
| if: steps.gate.outputs.publish == 'true' | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: nilstate/0state-packages | |
| token: ${{ secrets.PACKAGES_REPO_TOKEN }} | |
| path: .stage/0state-packages | |
| - name: Publish APT repository | |
| if: steps.gate.outputs.publish == 'true' | |
| env: | |
| PACKAGES_REPO_DIR: ${{ github.workspace }}/.stage/0state-packages | |
| APT_REPO_ROOT: ${{ github.workspace }}/.stage/apt-repo/apt-repo | |
| APT_PUBLIC_DIR: ${{ github.workspace }}/.stage/apt-repo/apt-public | |
| APT_LIST_SOURCE: ${{ github.workspace }}/.stage/package-managers/rendered/apt/icey-server.list | |
| APT_REPO_PATH: icey | |
| APT_BASE_URL: https://apt.0state.com/icey | |
| run: ./scripts/publish-apt-repo.sh | |
| - name: Commit package repo update | |
| if: steps.gate.outputs.publish == 'true' | |
| run: | | |
| git -C .stage/0state-packages config user.name "github-actions[bot]" | |
| git -C .stage/0state-packages config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| if git -C .stage/0state-packages diff --quiet; then | |
| exit 0 | |
| fi | |
| git -C .stage/0state-packages add .nojekyll index.html icey | |
| git -C .stage/0state-packages commit -m "icey-server ${{ needs.build-manifests.outputs.cli_version }}" | |
| git -C .stage/0state-packages push | |
| publish-aur: | |
| runs-on: ubuntu-24.04 | |
| needs: build-manifests | |
| steps: | |
| - name: Check AUR publish credentials | |
| id: gate | |
| env: | |
| AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }} | |
| run: | | |
| if [[ -n "${AUR_SSH_PRIVATE_KEY:-}" ]]; then | |
| echo "publish=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "publish=false" >> "$GITHUB_OUTPUT" | |
| echo "Skipping AUR publish: AUR_SSH_PRIVATE_KEY is not configured." | |
| fi | |
| - uses: actions/checkout@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| - uses: actions/download-artifact@v4 | |
| if: steps.gate.outputs.publish == 'true' | |
| with: | |
| name: package-managers-rendered | |
| path: .stage/package-managers/rendered | |
| - name: Configure SSH | |
| if: steps.gate.outputs.publish == 'true' | |
| run: | | |
| install -m 700 -d ~/.ssh | |
| printf '%s\n' "${AUR_SSH_PRIVATE_KEY}" > ~/.ssh/aur | |
| chmod 600 ~/.ssh/aur | |
| ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts | |
| env: | |
| AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }} | |
| - name: Checkout AUR package | |
| if: steps.gate.outputs.publish == 'true' | |
| run: git clone ssh://aur@aur.archlinux.org/icey-server.git .stage/aur-repo | |
| env: | |
| GIT_SSH_COMMAND: ssh -i ~/.ssh/aur -o IdentitiesOnly=yes | |
| - name: Publish AUR package | |
| if: steps.gate.outputs.publish == 'true' | |
| env: | |
| AUR_REPO_DIR: ${{ github.workspace }}/.stage/aur-repo | |
| run: ./scripts/publish-aur.sh | |
| - name: Commit AUR update | |
| if: steps.gate.outputs.publish == 'true' | |
| run: | | |
| git -C .stage/aur-repo config user.name "github-actions[bot]" | |
| git -C .stage/aur-repo config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| if git -C .stage/aur-repo diff --quiet; then | |
| exit 0 | |
| fi | |
| git -C .stage/aur-repo add PKGBUILD .SRCINFO | |
| git -C .stage/aur-repo commit -m "icey-server ${{ needs.build-manifests.outputs.cli_version }}" | |
| GIT_SSH_COMMAND='ssh -i ~/.ssh/aur -o IdentitiesOnly=yes' \ | |
| git -C .stage/aur-repo push |