pkg: Bump release to build for Fedora 39 #55

Workflow file for this run

.github/workflows/package.yml at 632af17

	on:
	push:
	tags:
	- '**'

	name: Build Packages

	env:
	GPG_KEY_ID: 56C464BAAC421453

	jobs:
	build-deb:
	name: Build Debian package
	runs-on: ubuntu-latest
	container: debian:sid

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Install build dependencies
	run: \|
	sed 's/^deb /deb-src /' /etc/apt/sources.list >> /etc/apt/sources.list
	apt-get -y update
	apt-get -y install build-essential debhelper dpkg-sig fakeroot wget

	- name: Build package
	run: \|
	./debian/makedeb

	- name: Sign package
	env:
	GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
	run: \|
	# import GPG key
	echo "$GPG_KEY" \| base64 -d \| gpg --import --no-tty --batch --yes
	export GPG_TTY=$(tty)

	# sign package
	dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID ./*.deb

	- name: Prepare release
	run: \|
	mkdir release
	mv ./*.deb release

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: debian-latest
	path: release

	build-arch:
	name: Build Arch Linux package
	runs-on: ubuntu-latest
	container: archlinux

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Install build dependencies
	run: \|
	pacman -Sy --noconfirm base-devel sudo fakeroot git

	- name: Build package
	run: \|
	cd arch

	# Fix permissions (can't makepkg as root)
	echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
	chown -R nobody .

	# Package compression settings (Matches latest Arch)
	export PKGEXT='.pkg.tar.zst'
	export COMPRESSZST=(zstd -c -T0 --ultra -20 -)

	# Build
	su nobody --pty -p -s /bin/bash -c 'makepkg -f --noconfirm --nodeps'

	- name: Sign package
	env:
	GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
	run: \|
	cd arch

	# import GPG key
	echo "$GPG_KEY" \| base64 -d \| gpg --import --no-tty --batch --yes
	export GPG_TTY=$(tty)

	# sign packages
	ls *.pkg.tar.zst \| xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID

	- name: Prepare release
	run: \|
	mkdir release
	mv arch/*pkg.tar.zst{,.sig} release

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: arch-latest
	path: release

	build-f37:
	name: Build Fedora 37 package
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:37
	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Install build dependencies
	run: \|
	dnf distro-sync -y
	dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
	dnf builddep -y fedora/surface-secureboot.spec

	- name: Build package
	run: \|
	cd fedora

	# Build the .rpm packages
	./makerpm

	- name: Sign packages
	env:
	GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
	run: \|
	cd fedora/out/noarch

	# import GPG key
	echo "$GPG_KEY" \| base64 -d \| gpg --import --no-tty --batch --yes

	# sign packages
	rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: fedora-37-latest
	path: fedora/out/noarch

	build-f38:
	name: Build Fedora 38 package
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:38
	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Install build dependencies
	run: \|
	dnf distro-sync -y
	dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
	dnf builddep -y fedora/surface-secureboot.spec

	- name: Build package
	run: \|
	cd fedora

	# Build the .rpm packages
	./makerpm

	- name: Sign packages
	env:
	GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
	run: \|
	cd fedora/out/noarch

	# import GPG key
	echo "$GPG_KEY" \| base64 -d \| gpg --import --no-tty --batch --yes

	# sign packages
	rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: fedora-38-latest
	path: fedora/out/noarch

	build-f39:
	name: Build Fedora 39 package
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:39
	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Install build dependencies
	run: \|
	dnf distro-sync -y
	dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
	dnf builddep -y fedora/surface-secureboot.spec

	- name: Build package
	run: \|
	cd fedora

	# Build the .rpm packages
	./makerpm

	- name: Sign packages
	env:
	GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
	run: \|
	cd fedora/out/noarch

	# import GPG key
	echo "$GPG_KEY" \| base64 -d \| gpg --import --no-tty --batch --yes

	# sign packages
	rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"

	- name: Upload artifacts
	uses: actions/upload-artifact@v3
	with:
	name: fedora-39-latest
	path: fedora/out/noarch

	release:
	name: Publish release
	needs: [build-deb, build-arch, build-f37, build-f38, build-f39]
	runs-on: ubuntu-latest
	steps:
	- name: Download Debian artifacts
	uses: actions/download-artifact@v3
	with:
	name: debian-latest
	path: debian-latest

	- name: Download Arch Linux artifacts
	uses: actions/download-artifact@v3
	with:
	name: arch-latest
	path: arch-latest

	- name: Download Fedora 37 artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-37-latest
	path: fedora-37-latest

	- name: Download Fedora 38 artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-38-latest
	path: fedora-38-latest

	- name: Download Fedora 39 artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-39-latest
	path: fedora-39-latest

	- name: Upload assets
	uses: svenstaro/upload-release-action@v2
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: ./-latest/
	tag: ${{ github.ref }}
	overwrite: true
	file_glob: true

	repo-deb:
	name: Update Debian package repository
	needs: [release]
	runs-on: ubuntu-latest
	container: debian:sid
	steps:
	- name: Install dependencies
	run: \|
	apt-get update
	apt-get install -y git

	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: debian-latest
	path: debian-latest

	- name: Update repository
	env:
	SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
	BRANCH_STAGING: u/staging
	GIT_REF: ${{ github.ref }}
	run: \|
	repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"

	# clone package repository
	git clone -b "${BRANCH_STAGING}" "${repo}" repo

	# copy packages
	cp debian-latest/* repo/debian/
	cd repo/debian

	# parse git tag from ref
	GIT_TAG=$(echo $GIT_REF \| sed 's\|^refs/tags/\|\|g')

	# convert packages into references
	for pkg in $(find . -name '*.deb'); do
	echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob
	rm $pkg
	done

	# set git identity
	git config --global user.email "surfacebot@users.noreply.github.com"
	git config --global user.name "surfacebot"

	# commit and push
	update_branch="${BRANCH_STAGING}-$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)"
	git switch -c "${update_branch}"
	git add .
	git commit -m "Update Debian secure-boot MOK"
	git push --set-upstream origin "${update_branch}"

	repo-arch:
	name: Update Arch Linux package repository
	needs: [release]
	runs-on: ubuntu-latest
	container: archlinux
	steps:
	- name: Install dependencies
	run: pacman -Sy --noconfirm git

	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: arch-latest
	path: arch-latest

	- name: Update repository
	env:
	SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
	BRANCH_STAGING: u/staging
	GIT_REF: ${{ github.ref }}
	run: \|
	repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"

	# clone package repository
	git clone -b "${BRANCH_STAGING}" "${repo}" repo

	# copy packages
	cp arch-latest/* repo/arch/
	cd repo/arch

	# parse git tag from ref
	GIT_TAG=$(echo $GIT_REF \| sed 's\|^refs/tags/\|\|g')

	# convert packages into references
	for pkg in $(find . -name '*.pkg.tar.zst'); do
	echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob
	rm $pkg
	done

	# set git identity
	git config --global user.email "surfacebot@users.noreply.github.com"
	git config --global user.name "surfacebot"

	# commit and push
	update_branch="${BRANCH_STAGING}-$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)"
	git switch -c "${update_branch}"
	git add .
	git commit -m "Update Arch Linux secure-boot MOK"
	git push --set-upstream origin "${update_branch}"

	repo-f37:
	name: Update Fedora 37 package repository
	needs: [release]
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:37
	steps:
	- name: Install dependencies
	run: \|
	dnf install -y git findutils

	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-37-latest
	path: fedora-37-latest

	- name: Update repository
	env:
	SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
	BRANCH_STAGING: u/staging
	GIT_REF: ${{ github.ref }}
	run: \|
	repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"

	# clone package repository
	git clone -b "${BRANCH_STAGING}" "${repo}" repo

	# copy packages
	cp fedora-37-latest/* repo/fedora/f37
	cd repo/fedora/f37

	# parse git tag from ref
	GIT_TAG=$(echo $GIT_REF \| sed 's\|^refs/tags/\|\|g')

	# convert packages into references
	for pkg in $(find . -name '*.rpm'); do
	echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob
	rm $pkg
	done

	# set git identity
	git config --global user.email "surfacebot@users.noreply.github.com"
	git config --global user.name "surfacebot"

	# commit and push
	update_branch="${BRANCH_STAGING}-$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)"
	git checkout -b "${update_branch}"
	git add .
	git commit -m "Update Fedora 37 secure-boot MOK"
	git push --set-upstream origin "${update_branch}"

	repo-f38:
	name: Update Fedora 38 package repository
	needs: [release]
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:38
	steps:
	- name: Install dependencies
	run: \|
	dnf install -y git findutils

	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-38-latest
	path: fedora-38-latest

	- name: Update repository
	env:
	SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
	BRANCH_STAGING: u/staging
	GIT_REF: ${{ github.ref }}
	run: \|
	repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"

	# clone package repository
	git clone -b "${BRANCH_STAGING}" "${repo}" repo

	# copy packages
	cp fedora-38-latest/* repo/fedora/f38
	cd repo/fedora/f38

	# parse git tag from ref
	GIT_TAG=$(echo $GIT_REF \| sed 's\|^refs/tags/\|\|g')

	# convert packages into references
	for pkg in $(find . -name '*.rpm'); do
	echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob
	rm $pkg
	done

	# set git identity
	git config --global user.email "surfacebot@users.noreply.github.com"
	git config --global user.name "surfacebot"

	# commit and push
	update_branch="${BRANCH_STAGING}-$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)"
	git checkout -b "${update_branch}"
	git add .
	git commit -m "Update Fedora 38 secure-boot MOK"
	git push --set-upstream origin "${update_branch}"

	repo-f39:
	name: Update Fedora 39 package repository
	needs: [release]
	runs-on: ubuntu-latest
	container: registry.fedoraproject.org/fedora:39
	steps:
	- name: Install dependencies
	run: \|
	dnf install -y git findutils

	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: fedora-39-latest
	path: fedora-39-latest

	- name: Update repository
	env:
	SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
	BRANCH_STAGING: u/staging
	GIT_REF: ${{ github.ref }}
	run: \|
	repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"

	# clone package repository
	git clone -b "${BRANCH_STAGING}" "${repo}" repo

	# copy packages
	cp fedora-39-latest/* repo/fedora/f39
	cd repo/fedora/f39

	# parse git tag from ref
	GIT_TAG=$(echo $GIT_REF \| sed 's\|^refs/tags/\|\|g')

	# convert packages into references
	for pkg in $(find . -name '*.rpm'); do
	echo "secureboot-mok:$GIT_TAG/$(basename $pkg)" > $pkg.blob
	rm $pkg
	done

	# set git identity
	git config --global user.email "surfacebot@users.noreply.github.com"
	git config --global user.name "surfacebot"

	# commit and push
	update_branch="${BRANCH_STAGING}-$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)"
	git checkout -b "${update_branch}"
	git add .
	git commit -m "Update Fedora 39 secure-boot MOK"
	git push --set-upstream origin "${update_branch}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkg: Bump release to build for Fedora 39 #55

Workflow file

pkg: Bump release to build for Fedora 39 #55

Jobs

Run details

Workflow file for this run