Build and upload gcc deb packages #42
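# Builds static PHP .deb packages for each (distro, arch) pair inside a distro
# container, then aggregates them into one signed APT repository with reprepro
# and publishes it to deb.henderkes.com over rsync/SSH.
name: Build and upload gcc deb packages

on:
  # workflow_run jobs execute with this repository's secrets, whatever
  # triggered the upstream run.
  workflow_run:
    workflows: ["spc-download"]
    types:
      - completed
  workflow_dispatch:

jobs:
  build:
    name: Build for ${{ matrix.os }} ${{ matrix.arch }} PHP ${{ matrix.php-version }}
    # `completed` also fires for failed or cancelled upstream runs; build (and
    # therefore sign and publish) only after a successful one or a manual run.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-${{ matrix.arch == 'amd64' && '24.04' || '24.04-arm' }}
    container:
      image: ${{ (matrix.os == 'bookworm' || matrix.os == 'trixie') && format('debian:{0}', matrix.os) || format('ubuntu:{0}', matrix.os) }}
    permissions:
      contents: read
    defaults:
      run:
        shell: bash
    env:
      # Scoped to contents: read by the permissions block above, but visible to
      # every step of this job, including `composer install` and the build.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # bash sources this file at the start of every non-interactive shell.
      # NOTE(review): no step visible here writes it; confirm it is still needed.
      BASH_ENV: /tmp/gha-bashenv
    strategy:
      fail-fast: false
      matrix:
        # Quoted so the version stays a string (a bare 8.10 would load as 8.1).
        php-version: ['8.4']
        arch: [amd64, arm64]
        os: ['jammy', 'noble', 'bookworm', 'trixie']
    steps:
      - name: Set architecture variables
        run: |
          if [[ "${{ matrix.arch }}" == "arm64" ]]; then
            echo "RPM_ARCH=aarch64" >> "$GITHUB_ENV"
          else
            echo "RPM_ARCH=x86_64" >> "$GITHUB_ENV"
          fi

      - name: Bootstrap container
        # NOTE(review): the PHP tarball is unpacked straight from the network
        # into /usr/local/bin with no digest or signature check; verify it
        # against a pinned SHA-256 before extracting.
        run: |
          apt-get update
          apt-get install -y ruby build-essential jq curl gzip sudo git wget gnupg
          gem install --no-document fpm
          curl -#fSL https://dl.static-php.dev/static-php-cli/common/php-8.4.12-cli-linux-${{ env.RPM_ARCH }}.tar.gz | tar -xz -C /usr/local/bin
          chmod +x /usr/local/bin/php
          sudo apt install -y locales
          echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
          sudo locale-gen en_US.UTF-8
          sudo update-locale LANG=en_US.UTF-8

      - name: Install composer
        # The installer script is fetched at a fixed commit of
        # composer/getcomposer.org, so its content cannot change under this URL.
        run: |
          wget https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer -O - -q | php -- --quiet
          mv composer.phar /usr/bin/composer

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install build tooling
        run: composer install

      # NOTE(review): this third-party action is referenced by a mutable tag and
      # its output feeds packages that are later signed and published; pin it to
      # a full commit SHA. The step does not restrict which spc-download run or
      # branch the tarball comes from — confirm that workflow cannot be run on
      # untrusted refs, or tie the download to the triggering run.
      - name: Download artifact from spc-download.yml
        uses: dawidd6/action-download-artifact@v11
        with:
          workflow: spc-download.yml
          name: downloads-tarball

      - name: Extract with permissions
        run: |
          mkdir -p vendor/crazywhalecc/static-php-cli/downloads
          tar -xzf downloads.tar.gz -C vendor/crazywhalecc/static-php-cli/downloads
          rm downloads.tar.gz

      - name: Build PHP and packages (deb)
        run: php bin/spp all --target=native-native-gnu --type=deb --phpv=${{ matrix.php-version }}

      - name: Stage deb artifacts
        # Layout artifacts/<os>/<arch>/ is what assemble-repo globs per codename.
        run: |
          mkdir -p "artifacts/${{ matrix.os }}/${{ matrix.arch }}"
          shopt -s nullglob
          mv dist/deb/*.deb "artifacts/${{ matrix.os }}/${{ matrix.arch }}/"

      - name: Upload debs
        uses: actions/upload-artifact@v4
        with:
          name: "debs-${{ matrix.os }}-${{ matrix.arch }}"
          path: artifacts/**
          if-no-files-found: error
          retention-days: 2

      - name: Upload logs
        if: ${{ failure() }}
        uses: actions/upload-artifact@v4
        with:
          name: build-logs-${{ matrix.arch }}-${{ matrix.os }}-php${{ matrix.php-version }}
          path: vendor/crazywhalecc/static-php-cli/log

      # - name: Setup tmate session
      #   if: ${{ failure() }}
      #   uses: mxschmitt/action-tmate@v3
      #   timeout-minutes: 10

  assemble-repo:
    needs: build
    runs-on: ubuntu-latest
    # Least privilege: this job only checks out the repository; publishing is
    # done over SSH, not with GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Install repo tooling
        run: |
          sudo apt-get update
          sudo apt-get install -y reprepro gnupg rsync

      - name: Download all debs
        uses: actions/download-artifact@v4
        with:
          pattern: debs-*
          merge-multiple: true
          path: collected

      - name: Build signed APT repo (aggregate)
        # The signing key and passphrase are exposed to this step only, so the
        # third-party SSH action and the upload steps below never see them.
        env:
          DEB_GPG_PRIVATE_KEY: ${{ secrets.DEB_GPG_PRIVATE_KEY }}
          DEB_GPG_PASSWORD: ${{ secrets.DEB_GPG_PASSWORD }}
        run: |
          REPO_ROOT="$(pwd)/repo"
          mkdir -p "${REPO_ROOT}/conf"
          ORIGIN="Static PHP repository"
          LABEL="static-php"
          COMPONENT="main"
          DESC="Static PHP repository"

          export GNUPGHOME="${HOME}/.gnupg"
          mkdir -p "${GNUPGHOME}"; chmod 700 "${GNUPGHOME}"
          echo "allow-loopback-pinentry" > "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --kill gpg-agent

          # Read the fingerprint from the key material without importing it yet.
          FPR=$(printf '%s' "${DEB_GPG_PRIVATE_KEY}" \
            | gpg --batch --quiet --with-colons --import-options show-only --import 2>/dev/null \
            | awk -F: '/^fpr:/ {print $10; exit}')
          # Fail closed: an empty fingerprint would leave SignWith blank below.
          if [[ -z "${FPR}" ]]; then
            echo "::error::Could not read a fingerprint from DEB_GPG_PRIVATE_KEY" >&2
            exit 1
          fi
          printf '%s' "${DEB_GPG_PRIVATE_KEY}" | gpg --batch --yes --import
          {
            echo "pinentry-mode loopback"
            echo "default-key ${FPR}"
          } > "${GNUPGHOME}/gpg.conf"

          # Throwaway signature with the passphrase on stdin, made before
          # reprepro signs — presumably so gpg-agent has it cached by then.
          t=$(mktemp); echo warmup > "$t"
          gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --local-user "${FPR}" --sign --output /dev/null "$t" <<<"${DEB_GPG_PASSWORD}"
          rm -f "$t"

          # One stanza per codename; reprepro expects a blank line between stanzas.
          cat > "${REPO_ROOT}/conf/distributions" <<EOF
          Codename: jammy
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ${DESC}
          SignWith: ${FPR}

          Codename: noble
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ${DESC}
          SignWith: ${FPR}

          Codename: bookworm
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ${DESC}
          SignWith: ${FPR}

          Codename: trixie
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ${DESC}
          SignWith: ${FPR}
          EOF

          shopt -s nullglob globstar
          jammy_debs=( collected/jammy/**/*.deb )
          noble_debs=( collected/noble/**/*.deb )
          bookworm_debs=( collected/bookworm/**/*.deb )
          trixie_debs=( collected/trixie/**/*.deb )
          reprepro -b "${REPO_ROOT}" includedeb jammy "${jammy_debs[@]}"
          reprepro -b "${REPO_ROOT}" includedeb noble "${noble_debs[@]}"
          reprepro -b "${REPO_ROOT}" includedeb bookworm "${bookworm_debs[@]}"
          reprepro -b "${REPO_ROOT}" includedeb trixie "${trixie_debs[@]}"
          reprepro -b "${REPO_ROOT}" export

      # NOTE(review): this action receives the deploy SSH private key and is
      # referenced by a mutable tag; pin it to a full commit SHA.
      - name: Set up SSH key
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.GITHUBRPMHENDERKESPRIVATEKEY }}

      - name: Add remote host to known_hosts
        # Host keys are pinned here rather than learned at connect time, so a
        # host presenting a different key is rejected by ssh and rsync.
        run: |
          mkdir -p ~/.ssh
          cat >> ~/.ssh/known_hosts <<'EOF'
          deb.henderkes.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPQq0y77dDEtxECVMhCxjcqiV369goMcbInsY/d+F1yXGwqOXQ6RqIEzgaVhgq0joMJT5BiGXNXQ+OI10/KtzGI=
          deb.henderkes.com ssh-rsa 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
          deb.henderkes.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaB5IjokRHAH0Y9pzVe/Jx3s6cn0OADJ9uTxQQubBMu
          EOF
          chmod 600 ~/.ssh/known_hosts

      - name: Upload APT repo to deb.henderkes.com
        # --delete makes the remote tree mirror repo/ exactly: anything on the
        # server that this run did not produce is removed.
        run: rsync -azv --delete repo/ github@deb.henderkes.com:/home/github/deb/

      - name: Fix permissions for Caddy file browser
        run: ssh github@deb.henderkes.com 'chmod -R o+rx /home/github/deb'

      # Kept disabled: an interactive session in this job would run beside the
      # imported signing key and the loaded SSH deploy key.
      # - name: Setup tmate session
      #   if: ${{ failure() && github.event_name == 'workflow_dispatch' }}
      #   uses: mxschmitt/action-tmate@v3
      #   timeout-minutes: 10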