Build and upload gcc deb packages #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and upload gcc deb packages | |
| on: | |
| workflow_run: | |
| workflows: [ "spc-download" ] | |
| types: | |
| - completed | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: Build on ubuntu-${{ matrix.os }} for ${{ matrix.arch }} PHP ${{ matrix.php-version }} | |
| runs-on: ${{ matrix.arch == 'amd64' && format('ubuntu-{0}', matrix.os) || format('ubuntu-{0}-arm', matrix.os) }} | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| php-version: [ 8.4 ] | |
| arch: [ amd64, arm64 ] | |
| os: [ 22.04, 24.04 ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Map codename | |
| id: map | |
| run: | | |
| case "${{ matrix.os }}" in | |
| 22.04) echo "codename=jammy" >> $GITHUB_OUTPUT ;; | |
| 24.04) echo "codename=noble" >> $GITHUB_OUTPUT ;; | |
| *) echo "Unsupported OS version: ${{ matrix.os }}" >&2; exit 1 ;; | |
| esac | |
| - name: Set up PHP for composer | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.4' | |
| tools: composer:v2 | |
| - name: Install build tooling | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update | |
| sudo apt-get install -y ruby build-essential jq curl gzip | |
| sudo gem install --no-document fpm | |
| composer install | |
| - name: Download artifact from spc-download.yml | |
| uses: dawidd6/action-download-artifact@v11 | |
| with: | |
| workflow: spc-download.yml | |
| name: downloads-tarball | |
| - name: Extract with permissions | |
| run: | | |
| mkdir -p vendor/crazywhalecc/static-php-cli/downloads | |
| tar -xzf downloads.tar.gz -C vendor/crazywhalecc/static-php-cli/downloads | |
| rm downloads.tar.gz | |
| - name: Build PHP and packages (deb) | |
| run: | | |
| set -euo pipefail | |
| php bin/spp all --target=native-native-gnu --type=deb --phpv=${{ matrix.php-version }} | |
| - name: Stage deb artifacts | |
| run: | | |
| set -euo pipefail | |
| mkdir -p "artifacts/${{ steps.map.outputs.codename }}/${{ matrix.arch }}" | |
| shopt -s nullglob | |
| mv dist/deb/*.deb "artifacts/${{ steps.map.outputs.codename }}/${{ matrix.arch }}/" | |
| - name: Upload debs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "debs-${{ steps.map.outputs.codename }}-${{ matrix.arch }}" | |
| path: artifacts/** | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Upload logs | |
| if: ${{ failure() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-logs-${{ matrix.arch }}-ubuntu-${{ matrix.os }}-php${{ matrix.php-version }} | |
| path: vendor/crazywhalecc/static-php-cli/log | |
| - name: Setup tmate session | |
| if: ${{ failure() }} | |
| uses: mxschmitt/action-tmate@v3 | |
| assemble-repo: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| DEB_GPG_PRIVATE_KEY: ${{ secrets.DEB_GPG_PRIVATE_KEY }} | |
| DEB_GPG_PASSWORD: ${{ secrets.DEB_GPG_PASSWORD }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install repo tooling | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update | |
| sudo apt-get install -y reprepro gnupg rsync | |
| - name: Download all debs | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: debs-* | |
| merge-multiple: true | |
| path: collected | |
| - name: Build signed APT repo (aggregate) | |
| run: | | |
| REPO_ROOT="$(pwd)/repo" | |
| mkdir -p "${REPO_ROOT}/conf" | |
| ORIGIN="Static PHP repository" | |
| LABEL="static-php" | |
| COMPONENT="main" | |
| DESC="Static PHP repository" | |
| export GNUPGHOME="${HOME}/.gnupg" | |
| mkdir -p "${GNUPGHOME}"; chmod 700 "${GNUPGHOME}" | |
| echo "allow-loopback-pinentry" > "${GNUPGHOME}/gpg-agent.conf" | |
| gpgconf --kill gpg-agent | |
| FPR=$(printf '%s' "${DEB_GPG_PRIVATE_KEY}" \ | |
| | gpg --batch --quiet --with-colons --import-options show-only --import 2>/dev/null \ | |
| | awk -F: '/^fpr:/ {print $10; exit}') | |
| printf '%s' "${DEB_GPG_PRIVATE_KEY}" | gpg --batch --yes --import | |
| gpg --output "${REPO_ROOT}/static-php.gpg" --export "${FPR}" | |
| { | |
| echo "pinentry-mode loopback" | |
| echo "default-key ${FPR}" | |
| } > "${GNUPGHOME}/gpg.conf" | |
| t=$(mktemp); echo warmup > "$t" | |
| gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \ | |
| --local-user "${FPR}" --sign --output /dev/null "$t" <<<"${DEB_GPG_PASSWORD}" | |
| rm -f "$t" | |
| cat > "${REPO_ROOT}/conf/distributions" <<EOF | |
| Codename: jammy | |
| Suite: stable | |
| Components: ${COMPONENT} | |
| Architectures: amd64 arm64 | |
| Origin: ${ORIGIN} | |
| Label: ${LABEL} | |
| Description: ${DESC} | |
| SignWith: ${FPR} | |
| Codename: noble | |
| Suite: stable | |
| Components: ${COMPONENT} | |
| Architectures: amd64 arm64 | |
| Origin: ${ORIGIN} | |
| Label: ${LABEL} | |
| Description: ${DESC} | |
| SignWith: ${FPR} | |
| EOF | |
| shopt -s nullglob globstar | |
| jammy_debs=( collected/jammy/**/*.deb ) | |
| noble_debs=( collected/noble/**/*.deb ) | |
| if [ ${#jammy_debs[@]} -gt 0 ]; then | |
| reprepro -b "${REPO_ROOT}" includedeb jammy "${jammy_debs[@]}" | |
| fi | |
| if [ ${#noble_debs[@]} -gt 0 ]; then | |
| reprepro -b "${REPO_ROOT}" includedeb noble "${noble_debs[@]}" | |
| fi | |
| reprepro -b "${REPO_ROOT}" export | |
| - name: Set up SSH key | |
| uses: webfactory/ssh-agent@v0.8.0 | |
| with: | |
| ssh-private-key: ${{ secrets.GITHUBRPMHENDERKESPRIVATEKEY }} | |
| - name: Add remote host to known_hosts | |
| run: | | |
| mkdir -p ~/.ssh | |
| cat >> ~/.ssh/known_hosts <<'EOF' | |
| deb.henderkes.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPQq0y77dDEtxECVMhCxjcqiV369goMcbInsY/d+F1yXGwqOXQ6RqIEzgaVhgq0joMJT5BiGXNXQ+OI10/KtzGI= | |
| deb.henderkes.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2laCc5jifgjL/2zLzgP1E/X3kouXdaZv00KtAV1DOO5umThoWzb16cswnVtjtLUEMIuo9rPLB79xX2Asa+nN3uMgJDANnr/xnhRoI++yOGLga40/O69U88j5x+5FXODscH/k4n85mfcjzm/fZLXcHlb17ibCmU20I3v46sydn95Pp4/ShDvqsHVB4gWEKJ+jStkooUz2H1UZ8ZquNtaPTlmkOeClNj6gxag74P5b9VB6M5YNac2Emi3Nm0dYkc+BL0Qv+NEtFR1lR63DLa3O/NGTALGJYGmTUkjwiv8KygegaKhd2zxESmWhV7eYIPax8zL+GE9sX1Xwwh1huS0vsuwr2dXPP1/q5slz1AQV/lx85fGdiHc0F8RUXwqXbvGxZJheTuC/Mgu0cFzp5gqO4kTP28X+9fokzScBKBCIfObDXrl7rZgTXAA8IQ5gHk1tGchaEOIcDsjdISW5HVOiwocYSwUNMHzuZ08qAulatIywtOGcWVRdvOs7TcvSgfZ0= | |
| deb.henderkes.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaB5IjokRHAH0Y9pzVe/Jx3s6cn0OADJ9uTxQQubBMu | |
| EOF | |
| - name: Upload APT repo to deb.henderkes.com | |
| run: rsync -azv --delete repo/ github@deb.henderkes.com:/home/github/deb/ | |
| - name: Fix permissions for Caddy file browser | |
| run: ssh github@deb.henderkes.com 'chmod -R o+rx /home/github/deb' | |
| # - name: Setup tmate session | |
| # if: ${{ failure() && github.event_name == 'workflow_dispatch' }} | |
| # uses: mxschmitt/action-tmate@v3 |