Publish v1.5.0 #117
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "Create apt repo" | |
| "on": # TODO: This needs to also become a cron for the nightly function to make sense | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: Build debs | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| category: | |
| # While the repo is in "dirty hack" mode, we only publish the latest patch of every minor version. | |
| - name: stable | |
| ref: v1.4.6 | |
| variant: true # Enables old variant based cargo-deb, being phased out | |
| - name: stable | |
| ref: v1.5.0 | |
| variant: true | |
| - name: nightly | |
| ref: master | |
| os: | |
| # Runner defaults to ubuntu-24.04 | |
| - name: ubuntu-22.04 # Upstream LTS support ends 2027. | |
| image: ubuntu:22.04 | |
| - name: ubuntu-24.04 # Upstream LTS support ends 2029. | |
| image: ubuntu:24.04 | |
| - name: ubuntu-24.10 # Upstream support ends April 2029. | |
| image: ubuntu:24.10 | |
| - name: debian-12 # Upstream LTS support ends 2028. | |
| image: debian:12 | |
| target: | |
| - name: x86_64-unknown-linux-gnu | |
| runner-postfix: "" | |
| - name: aarch64-unknown-linux-gnu | |
| runner-postfix: "-arm" | |
| exclude: # Nightlies are only for latest LTS versions | |
| - category: {name: nightly} | |
| os: {name: ubuntu-22.04} | |
| - category: {name: nightly} | |
| os: {name: ubuntu-24.10} | |
| runs-on: "ubuntu-24.04${{ matrix.target.runner-postfix }}" | |
| container: "${{ matrix.os.image }}" | |
| steps: | |
| # Needed because we're not running directly on the runner, | |
| # and if we checkout before having git, it's done through the REST API and missing .git | |
| - name: Get git | |
| shell: bash | |
| run: | |
| apt update && apt install -y git | |
| # Step 0. Pick up the stable or nightly source | |
| - name: Checkout Kanidm | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: "kanidm/kanidm" | |
| ref: "${{ matrix.category.ref }}" | |
| submodules: false | |
| # Overlay the latest packaging tools instead of using the submodule reference which is intended for human use. | |
| - name: Checkout packaging tools | |
| uses: actions/checkout@v4 | |
| with: | |
| path: platform/debian/kanidm_ppa_automation | |
| # Step 0.5. Get a bunch of dependencies | |
| - name: Install build dependencies | |
| run: | | |
| platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh | |
| # We need to grab Rust manually since we're on vanilla images, not GHA runners | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@v1 | |
| with: | |
| toolchain: stable | |
| - name: Setup mold | |
| uses: rui314/setup-mold@v1 | |
| - name: Configure sccache | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); | |
| core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); | |
| - name: Run sccache-cache | |
| uses: mozilla-actions/[email protected] | |
| # Step 1. Build | |
| - name: Build packages (bins & libs) | |
| shell: bash | |
| run: | | |
| platform/debian/kanidm_ppa_automation/scripts/build_native.sh \ | |
| "${{ matrix.target.name }}" | |
| env: | |
| VERBOSE: true | |
| SCCACHE_GHA_ENABLED: "true" | |
| RUSTC_WRAPPER: "sccache" | |
| # Step 1.5. Strip binaries | |
| # This significantly helps with storage limits. | |
| # ~12 MiB packages vs ~82MiB packages as of 2024. | |
| - name: Strip binaries | |
| shell: bash | |
| run: | | |
| find "target/${{ matrix.target.name }}/release" -maxdepth 1 -not -name "*.d" -name "kanidm*" \ | |
| | xargs llvm-strip --strip-all | |
| # Step 2. deb build | |
| - name: Build packages (debs) | |
| env: | |
| VARIANT: "${{ matrix.category.variant }}" | |
| run: | | |
| platform/debian/kanidm_ppa_automation/scripts/build_debs.sh "${{ matrix.target.name }}" | |
| - name: Upload debs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "${{matrix.category.name}}-${{matrix.category.ref}}-${{ matrix.os.name }}-${{ matrix.target.name }}" | |
| path: | | |
| target/${{ matrix.target.name }}/debian/*.deb | |
| # Step 3. Create the APT repo from the debs | |
| create-repo: | |
| name: Create APT repo | |
| needs: build | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Download previously built debs | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: debs | |
| merge-multiple: false # Preserve which debs are from which matrix item | |
| - name: List packages | |
| run: | | |
| find $(pwd) -name '*.deb' | |
| - name: Create Aptly repo | |
| uses: jinnatar/[email protected] | |
| with: | |
| name: kanidm_ppa | |
| repo_url: https://kanidm.github.io/kanidm_ppa | |
| artifact_name: kanidm_ppa_snapshot | |
| # TODO: Flip stable repo defs false -> true, _after_ we've done the first publish. | |
| # This enables the "import & extend" model. | |
| repos: | | |
| noble,stable,\"amd64,arm64\",false,debs/stable-*-ubuntu-24.04-*-unknown-linux-gnu/*.deb | |
| jammy,stable,\"amd64,arm64\",false,debs/stable-*-ubuntu-22.04-*-unknown-linux-gnu/*.deb | |
| noble,nightly,\"amd64,arm64\",false,debs/nightly-master-ubuntu-24.04-*-unknown-linux-gnu/*.deb | |
| bookworm,stable,\"amd64,arm64\",false,debs/stable-*-debian-12-*-unknown-linux-gnu/*.deb | |
| bookworm,nightly,\"amd64,arm64\",false,debs/nightly-master-debian-12-*-unknown-linux-gnu/*.deb | |
| # When GPG secrets are not available (say a PR), the repo WILL NOT be signed. | |
| # Provide your own key material in a fork to test with signed repo snapshots. | |
| gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}" | |
| gpg_passphrase: "${{ secrets.PASSPHRASE }}" | |
| # Step 4. Publish the created repo if and only if it's a push to main. | |
| publish: | |
| name: Deploy to GitHub Pages | |
| needs: create-repo | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Download repo snapshot | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: kanidm_ppa_snapshot | |
| path: snapshot | |
| merge-multiple: true # Flatten artifact name out | |
| - name: Add README.md # Pull in book chapter on PPA usage | |
| shell: bash | |
| run: | | |
| curl https://raw.githubusercontent.com/kanidm/kanidm/refs/heads/master/book/src/packaging/ppa_packages.md > snapshot/README.md | |
| - name: Import GPG key # So we can sign the repository commit | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| env: | |
| # GitHub is a real ass about checking whether secrets are available or not. | |
| private_key_check: ${{ secrets.GPG_PRIVATE_KEY }} | |
| if: env.private_key_check != '' # Not present for PRs on purpose. | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| git_commit_gpgsign: true | |
| - name: Publish to PPA | |
| uses: crazy-max/ghaction-github-pages@v4 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| repo: kanidm/kanidm_ppa | |
| target_branch: main | |
| keep_history: false | |
| build_dir: snapshot | |
| allow_empty_commit: false | |
| env: | |
| GH_PAT: ${{ secrets.DEPLOY_PAT }} |