.github/workflows: Update actions #60
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| tags: | |
| - '**' | |
| name: Build Packages | |
| env: | |
| GPG_KEY_ID: 56C464BAAC421453 | |
| jobs: | |
| build-deb: | |
| name: Build Debian package | |
| runs-on: ubuntu-latest | |
| container: ubuntu:20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| env: | |
| DEBIAN_FRONTEND: noninteractive | |
| run: | | |
| apt-get -y update | |
| apt-get -y upgrade | |
| apt-get -y install build-essential debhelper dpkg-sig fakeroot wget | |
| - name: Build package | |
| run: | | |
| ./debian/makedeb | |
| - name: Sign package | |
| env: | |
| GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} | |
| run: | | |
| # import GPG key | |
| echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes | |
| export GPG_TTY=$(tty) | |
| # sign package | |
| dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID ./*.deb | |
| - name: Prepare release | |
| run: | | |
| mkdir release | |
| mv ./*.deb release | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: debian-latest | |
| path: release | |
| build-arch: | |
| name: Build Arch Linux package | |
| runs-on: ubuntu-latest | |
| container: archlinux | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| run: | | |
| pacman -Sy --noconfirm base-devel sudo fakeroot git | |
| - name: Build package | |
| run: | | |
| cd arch | |
| # Fix permissions (can't makepkg as root) | |
| echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers | |
| chown -R nobody . | |
| # Package compression settings (Matches latest Arch) | |
| export PKGEXT='.pkg.tar.zst' | |
| export COMPRESSZST=(zstd -c -T0 --ultra -20 -) | |
| # Build | |
| su nobody --pty -p -s /bin/bash -c 'makepkg -f --noconfirm --nodeps' | |
| - name: Sign package | |
| env: | |
| GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} | |
| run: | | |
| cd arch | |
| # import GPG key | |
| echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes | |
| export GPG_TTY=$(tty) | |
| # sign packages | |
| ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID | |
| - name: Prepare release | |
| run: | | |
| mkdir release | |
| mv arch/*pkg.tar.zst{,.sig} release | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: arch-latest | |
| path: release | |
| build-f39: | |
| name: Build Fedora 39 package | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:39 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| run: | | |
| dnf distro-sync -y | |
| dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' | |
| dnf builddep -y fedora/surface-secureboot.spec | |
| - name: Build package | |
| run: | | |
| cd fedora | |
| # Build the .rpm packages | |
| ./makerpm | |
| - name: Sign packages | |
| env: | |
| GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} | |
| run: | | |
| cd fedora/out/noarch | |
| # import GPG key | |
| echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes | |
| # sign packages | |
| rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: fedora-39-latest | |
| path: fedora/out/noarch | |
| build-f40: | |
| name: Build Fedora 40 package | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:40 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| run: | | |
| dnf distro-sync -y | |
| dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' | |
| dnf builddep -y fedora/surface-secureboot.spec | |
| - name: Build package | |
| run: | | |
| cd fedora | |
| # Build the .rpm packages | |
| ./makerpm | |
| - name: Sign packages | |
| env: | |
| GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} | |
| run: | | |
| cd fedora/out/noarch | |
| # import GPG key | |
| echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes | |
| # sign packages | |
| rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: fedora-40-latest | |
| path: fedora/out/noarch | |
| build-f41: | |
| name: Build Fedora 41 package | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:41 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| run: | | |
| dnf distro-sync -y | |
| dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)' | |
| dnf builddep -y fedora/surface-secureboot.spec | |
| - name: Build package | |
| run: | | |
| cd fedora | |
| # Build the .rpm packages | |
| ./makerpm | |
| - name: Sign packages | |
| env: | |
| GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }} | |
| run: | | |
| cd fedora/out/noarch | |
| # import GPG key | |
| echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes | |
| # sign packages | |
| rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: fedora-41-latest | |
| path: fedora/out/noarch | |
| release: | |
| name: Publish release | |
| needs: [build-deb, build-arch, build-f39, build-f40, build-f41] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download Debian artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: debian-latest | |
| path: debian-latest | |
| - name: Download Arch Linux artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: arch-latest | |
| path: arch-latest | |
| - name: Download Fedora 39 artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-39-latest | |
| path: fedora-39-latest | |
| - name: Download Fedora 40 artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-40-latest | |
| path: fedora-40-latest | |
| - name: Download Fedora 41 artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-41-latest | |
| path: fedora-41-latest | |
| - name: Upload assets | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: ./*-latest/* | |
| tag: ${{ github.ref }} | |
| overwrite: true | |
| file_glob: true | |
| repo-deb: | |
| name: Update Debian package repository | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| container: debian:sid | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| apt-get update | |
| apt-get install -y git | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: debian-latest | |
| path: debian-latest | |
| - name: Update repository | |
| env: | |
| SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} | |
| BRANCH_STAGING: u/staging | |
| GIT_REF: ${{ github.ref }} | |
| run: | | |
| repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" | |
| # clone package repository | |
| git clone -b "${BRANCH_STAGING}" "${repo}" repo | |
| # copy packages | |
| cp debian-latest/* repo/debian/ | |
| cd repo/debian | |
| # parse git tag from ref | |
| GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') | |
| # convert packages into references | |
| for pkg in $(find . -name '*.deb'); do | |
| echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob | |
| rm $pkg | |
| done | |
| # set git identity | |
| git config --global user.email "surfacebot@users.noreply.github.com" | |
| git config --global user.name "surfacebot" | |
| # commit and push | |
| update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | |
| git switch -c "${update_branch}" | |
| git add . | |
| git commit -m "Update Debian secure-boot MOK" | |
| git push --set-upstream origin "${update_branch}" | |
| repo-arch: | |
| name: Update Arch Linux package repository | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| container: archlinux | |
| steps: | |
| - name: Install dependencies | |
| run: pacman -Sy --noconfirm git | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: arch-latest | |
| path: arch-latest | |
| - name: Update repository | |
| env: | |
| SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} | |
| BRANCH_STAGING: u/staging | |
| GIT_REF: ${{ github.ref }} | |
| run: | | |
| repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" | |
| # clone package repository | |
| git clone -b "${BRANCH_STAGING}" "${repo}" repo | |
| # copy packages | |
| cp arch-latest/* repo/arch/ | |
| cd repo/arch | |
| # parse git tag from ref | |
| GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') | |
| # convert packages into references | |
| for pkg in $(find . -name '*.pkg.tar.zst'); do | |
| echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob | |
| rm $pkg | |
| done | |
| # set git identity | |
| git config --global user.email "surfacebot@users.noreply.github.com" | |
| git config --global user.name "surfacebot" | |
| # commit and push | |
| update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | |
| git switch -c "${update_branch}" | |
| git add . | |
| git commit -m "Update Arch Linux secure-boot MOK" | |
| git push --set-upstream origin "${update_branch}" | |
| repo-f39: | |
| name: Update Fedora 39 package repository | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:39 | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| dnf install -y git findutils | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-39-latest | |
| path: fedora-39-latest | |
| - name: Update repository | |
| env: | |
| SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} | |
| BRANCH_STAGING: u/staging | |
| GIT_REF: ${{ github.ref }} | |
| run: | | |
| repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" | |
| # clone package repository | |
| git clone -b "${BRANCH_STAGING}" "${repo}" repo | |
| # copy packages | |
| cp fedora-39-latest/* repo/fedora/f39 | |
| cd repo/fedora/f39 | |
| # parse git tag from ref | |
| GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') | |
| # convert packages into references | |
| for pkg in $(find . -name '*.rpm'); do | |
| echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob | |
| rm $pkg | |
| done | |
| # set git identity | |
| git config --global user.email "surfacebot@users.noreply.github.com" | |
| git config --global user.name "surfacebot" | |
| # commit and push | |
| update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | |
| git checkout -b "${update_branch}" | |
| git add . | |
| git commit -m "Update Fedora 39 secure-boot MOK" | |
| git push --set-upstream origin "${update_branch}" | |
| repo-f40: | |
| name: Update Fedora 40 package repository | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:40 | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| dnf install -y git findutils | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-40-latest | |
| path: fedora-40-latest | |
| - name: Update repository | |
| env: | |
| SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} | |
| BRANCH_STAGING: u/staging | |
| GIT_REF: ${{ github.ref }} | |
| run: | | |
| repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" | |
| # clone package repository | |
| git clone -b "${BRANCH_STAGING}" "${repo}" repo | |
| # copy packages | |
| cp fedora-40-latest/* repo/fedora/f40 | |
| cd repo/fedora/f40 | |
| # parse git tag from ref | |
| GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') | |
| # convert packages into references | |
| for pkg in $(find . -name '*.rpm'); do | |
| echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob | |
| rm $pkg | |
| done | |
| # set git identity | |
| git config --global user.email "surfacebot@users.noreply.github.com" | |
| git config --global user.name "surfacebot" | |
| # commit and push | |
| update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | |
| git checkout -b "${update_branch}" | |
| git add . | |
| git commit -m "Update Fedora 40 secure-boot MOK" | |
| git push --set-upstream origin "${update_branch}" | |
| repo-f41: | |
| name: Update Fedora 41 package repository | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| container: registry.fedoraproject.org/fedora:41 | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| dnf install -y git findutils | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: fedora-41-latest | |
| path: fedora-41-latest | |
| - name: Update repository | |
| env: | |
| SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }} | |
| BRANCH_STAGING: u/staging | |
| GIT_REF: ${{ github.ref }} | |
| run: | | |
| repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git" | |
| # clone package repository | |
| git clone -b "${BRANCH_STAGING}" "${repo}" repo | |
| # copy packages | |
| cp fedora-41-latest/* repo/fedora/f41 | |
| cd repo/fedora/f41 | |
| # parse git tag from ref | |
| GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g') | |
| # convert packages into references | |
| for pkg in $(find . -name '*.rpm'); do | |
| echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob | |
| rm $pkg | |
| done | |
| # set git identity | |
| git config --global user.email "surfacebot@users.noreply.github.com" | |
| git config --global user.name "surfacebot" | |
| # commit and push | |
| update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | |
| git checkout -b "${update_branch}" | |
| git add . | |
| git commit -m "Update Fedora 41 secure-boot MOK" | |
| git push --set-upstream origin "${update_branch}" |