From 31df2edf727420c1290db6b0edc1b47d60f1a754 Mon Sep 17 00:00:00 2001 From: Jinna Kiisuo Date: Fri, 18 Oct 2024 01:17:38 +0300 Subject: [PATCH 1/2] feat: Enable import & extend, nightly schedule --- .github/workflows/create-apt-repo.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/create-apt-repo.yml b/.github/workflows/create-apt-repo.yml index 03cfb5b..4cfe3d9 100644 --- a/.github/workflows/create-apt-repo.yml +++ b/.github/workflows/create-apt-repo.yml @@ -4,6 +4,8 @@ name: "Create apt repo" "on": # TODO: This needs to also become a cron for the nightly function to make sense push: pull_request: + schedule: + - cron: '45 6 * * *' # UTC 6:45 concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -36,9 +38,13 @@ jobs: debian-name: amd64 - name: aarch64-unknown-linux-gnu debian-name: arm64 - exclude: # Nightlies are only for latest versions + exclude: + # Nightlies are only for latest versions - category: {name: nightly} os: ubuntu-22.04 + # Don't rebuild stable every nightly schedule + # TODO: revert the event_name to 'schedule' once done with testing + - category: {name: "${{ github.event_name == 'pull_request' && 'stable' }}"} steps: # Step 0. Pick up the stable or nightly source - name: Checkout Kanidm 
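Review bot: The `# TODO: This needs to also become a cron for the nightly function to make sense` comment under `"on":` is left in place although the added `schedule:` entry is exactly that cron, so it should be dropped or reworded. A later comment in this workflow says the repo is published "if and only if it's a push to main"; the condition itself is outside this hunk, but if it tests the event name, the 06:45 UTC scheduled runs will build nightlies and never publish them. A short comment beside the cron line, e.g. `# nightly build; scheduled runs always use the default branch`, would record the intent.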
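Review bot: The new exclude entry tests `github.event_name == 'pull_request'`, which is the opposite of what the comment above it promises: as written, scheduled runs still rebuild stable and pull requests skip it. The TODO acknowledges this is a testing value, but it should not be merged in that state; the intended line is `- category: {name: "${{ github.event_name == 'schedule' && 'stable' }}"}`. It is also worth a comment that on any other event the expression renders as `false`, which matches no category name and so excludes nothing.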
@@ -123,13 +129,11 @@ jobs: name: kanidm_ppa repo_url: https://kanidm.github.io/kanidm_ppa artifact_name: kanidm_ppa_snapshot - # TODO: Flip stable repo defs false -> true, _after_ we've done the first publish. - # This enables the "import & extend" model. repos: | - noble,stable,\"amd64,arm64\",false,debs/stable-*-ubuntu-24.04-*-unknown-linux-gnu/*.deb - jammy,stable,\"amd64,arm64\",false,debs/stable-*-ubuntu-22.04-*-unknown-linux-gnu/*.deb + noble,stable,\"amd64,arm64\",true,debs/stable-*-ubuntu-24.04-*-unknown-linux-gnu/*.deb + jammy,stable,\"amd64,arm64\",true,debs/stable-*-ubuntu-22.04-*-unknown-linux-gnu/*.deb noble,nightly,\"amd64,arm64\",false,debs/nightly-master-ubuntu-24.04-*-unknown-linux-gnu/*.deb - bookworm,stable,\"amd64,arm64\",false,debs/stable-*-debian-12-*-unknown-linux-gnu/*.deb + bookworm,stable,\"amd64,arm64\",true,debs/stable-*-debian-12-*-unknown-linux-gnu/*.deb bookworm,nightly,\"amd64,arm64\",false,debs/nightly-master-debian-12-*-unknown-linux-gnu/*.deb # When GPG secrets are not available (say a PR), the repo WILL NOT be signed. # Provide your own key material in a fork to test with signed repo snapshots. From f77a4ca7612da58bba70129b3d1902153dea70da Mon Sep 17 00:00:00 2001 From: Jinna Kiisuo Date: Fri, 18 Oct 2024 01:50:02 +0300 Subject: [PATCH 2/2] fix: Ensure public key is available for imports in PRs --- .github/workflows/create-apt-repo.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/create-apt-repo.yml b/.github/workflows/create-apt-repo.yml index 4cfe3d9..ec3cf05 100644 --- a/.github/workflows/create-apt-repo.yml +++ b/.github/workflows/create-apt-repo.yml 
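Review bot: With the removed TODO gone, nothing in the `repos:` block says what the fourth field means, yet flipping it to `true` on the three stable lines changes the trust model. As I read the removed comment, the build now starts from whatever is currently served at `repo_url` rather than only from the `.deb` files built in this run. Please keep a comment such as `# 4th field = import: true extends the already published repo, false rebuilds from this run's debs only`. Since the comment that follows says PR runs are unsigned, it would also help to state how the imported snapshot is verified, and that anything already published is presumably carried forward on every run until it is removed explicitly.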
@@ -123,6 +123,15 @@ jobs: - name: List packages run: | find $(pwd) -name '*.deb' + # This step isn't strictly necessary for push & schedule runs, + # but is required for imports to work when the main repo + # key material isn't available, say in a PR. + - name: Get import GPG key + id: get_import_key + run: | + echo 'gpg_public_key<> $GITHUB_OUTPUT + curl -s https://kanidm.github.io/kanidm_ppa/kanidm_ppa.asc >> $GITHUB_OUTPUT + echo 'EOF' >> $GITHUB_OUTPUT - name: Create Aptly repo uses: jinnatar/actions-aptly-repo@v2.0.2 with: @@ -139,6 +148,7 @@ jobs: # Provide your own key material in a fork to test with signed repo snapshots. gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}" gpg_passphrase: "${{ secrets.PASSPHRASE }}" + import_gpg_key: "${{ steps.get_import_key.outputs.gpg_public_key }}" # Step 4. Publish the created repo if and only if it's a push to main. publish:
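Review bot: The key used to verify the import is downloaded at run time from the same GitHub Pages site that serves the repository being imported, so in the `Get import GPG key` step the check adds no independent trust: whoever can alter the published repo can alter `kanidm_ppa.asc` with it. `curl -s` has no `--fail`, so an HTTP error body would be written to `$GITHUB_OUTPUT` as if it were a key, and the fixed `EOF` delimiter lets fetched content containing an `EOF` line end the value early and define further outputs. The opening `echo` line appears truncated on this page, so I am assuming it is the usual `name<<EOF` form. I would pin the expected fingerprint in the repository (or commit the public key itself), fail on fetch errors and use a random delimiter, as sketched below; the `import_gpg_key` input added in the next hunk then only ever receives a checked key.

```yaml
- name: Get import GPG key
  id: get_import_key
  env:
    # Placeholder: full fingerprint of the repo signing key, kept under version control.
    EXPECTED_FPR: "<PINNED_KEY_FINGERPRINT>"
  run: |
    set -euo pipefail
    curl --fail --silent --show-error --proto '=https' \
      -o import_key.asc https://kanidm.github.io/kanidm_ppa/kanidm_ppa.asc
    actual_fpr="$(gpg --show-keys --with-colons import_key.asc \
      | awk -F: '$1 == "fpr" {print $10; exit}')"
    if [ "$actual_fpr" != "$EXPECTED_FPR" ]; then
      echo "import key fingerprint mismatch" >&2
      exit 1
    fi
    # Random delimiter so the fetched content cannot close the multi-line value.
    delim="EOF_$(openssl rand -hex 16)"
    {
      echo "gpg_public_key<<${delim}"
      cat import_key.asc
      echo "${delim}"
    } >> "$GITHUB_OUTPUT"
# … unchanged: Create Aptly repo step …
```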