ci: add job to build the changed package

shyim · Mar 26, 2024 · 1886921 · 1886921
1 parent ad41935
commit 1886921
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 3 deletions.
diff --git a/.github/workflows/build-all.yaml b/.github/workflows/build-all.yaml
@@ -5,6 +5,9 @@ on:
 
 jobs:
     build:
+        concurrency:
+            group: build-${{ matrix.os }}
+            cancel-in-progress: false
         strategy:
           matrix:
             include:
@@ -55,7 +58,7 @@ jobs:
                 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
                 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
               run: |
-                rclone mount Packages:wolfi-php packages --allow-other --write-back-cache --vfs-cache-mode full -vvv &
+                rclone mount Packages:wolfi-php packages --allow-other --write-back-cache --vfs-cache-mode full -v &
                 sleep 5
                 pid=$!
 
@@ -68,4 +71,10 @@ jobs:
                         $file
                 done
 
+                melange sign-index \
+                    --signing-key php-signing.rsa \
+                    packages/${{ matrix.arch }}/APKINDEX.tar.gz
+
+                sleep 60
+
                 kill $pid
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,106 @@
+name: Build packages
+
+on:
+    push:
+      # branches:
+      #   - main
+      paths:
+        - '*.yaml'
+
+jobs:
+    build:
+        concurrency:
+          group: build-${{ matrix.os }}
+          cancel-in-progress: false
+        strategy:
+          matrix:
+            include:
+              - os: ubuntu-latest
+                arch: x86_64
+                deb: amd64
+              - os: nscloud-ubuntu-22.04-arm64-2x8
+                arch: aarch64
+                deb: arm64
+        runs-on: ${{ matrix.os }}
+        container:
+            image: ghcr.io/wolfi-dev/sdk:latest
+            options: |
+                --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                fetch-depth: 0
+
+            - name: 'Trust the github workspace'
+              run: |
+                # This is to avoid fatal errors about "dubious ownership" because we are
+                # running inside of a container action with the workspace mounted in.
+                git config --global --add safe.directory "$(pwd)"
+
+            - name: Look for changed files
+              id: changes
+              uses: tj-actions/changed-files@v43
+              with:
+                files_yaml: |
+                  melange:
+                    - ./*.yaml
+            
+            - name: Install rclone
+              run: |
+                cd /tmp
+                curl -o rclone.zip -L https://downloads.rclone.org/rclone-current-linux-${{ matrix.deb }}.zip
+                unzip rclone.zip
+                cp rclone*/rclone /usr/bin/
+                rm -rf rclone*
+            
+            - name: Rclone Setup
+              run: |
+                mkdir -p $HOME/.config/rclone
+                cat <<EOF > $HOME/.config/rclone/rclone.conf
+                [Packages]
+                type = s3
+                provider = Cloudflare
+                env_auth = true
+                region = auto
+                endpoint = https://963ff7fb9c523564b5f3a398ab39d488.r2.cloudflarestorage.com
+                EOF
+
+            - name: Create packages directory
+              run: mkdir -p packages
+
+            - name: Get signing key
+              run: |
+                echo "${{ secrets.SIGNING_KEY }}" | base64 -d > php-signing.rsa
+
+            - name: Build packages
+              run: |
+                for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do
+                    if [[ $file == ".yam.yaml" ]]; then
+                        continue
+                    fi
+
+                    melange build \
+                        --arch ${{ matrix.arch }} \
+                        --generate-index=false \
+                        -r https://packages.wolfi.dev/os \
+                        -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
+                        --signing-key php-signing.rsa \
+                        $file
+                done
+
+            - name: Upload to registry
+              env:
+                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: |
+                rclone copy packages Packages:wolfi-php
+                rclone copy Packages:wolfi-php/${{ matrix.arch }}/APKINDEX.tar.gz .
+
+                melange index \
+                  --arch ${{ matrix.arch }} \
+                  -m \
+                  --signing-key php-signing.rsa \
+                  packages/${{ matrix.arch }}/*.apk
+
+                rclone copy APKINDEX.tar.gz Packages:wolfi-php/${{ matrix.arch }}/
diff --git a/php-8.1-excimer.yaml b/php-8.1-excimer.yaml
@@ -1,6 +1,6 @@
 package:
   name: php-8.1-excimer
-  version: 1.2.0
+  version: 1.2.1
   epoch: 0
   description: "Excimer is a PHP extension that provides an interrupting timer and a low-overhead sampling profiler."
   copyright:
@@ -24,7 +24,7 @@ pipeline:
     with:
       repository: https://github.com/wikimedia/mediawiki-php-excimer
       tag: "${{package.version}}"
-      expected-commit: 4cc649be12183c672867e9184d09d7cd9c604d91
+      expected-commit: 986209d032a1cc53ac930e44f50acb74ecee8816
 
   - name: Prepare build
     runs: phpize