Build and upload gcc deb packages #220
---
# Manually dispatched pipeline: it has no push, pull_request or schedule
# trigger, so it only runs when someone starts it from the Actions UI or API.
# NOTE(review): the title says "gcc", but the build job runs the PHP build
# (`php bin/spp all`) - confirm the name is intended.
name: Build and upload gcc deb packages

on:
  workflow_dispatch:
    inputs:
      # Opt-in switch read by the "Setup tmate session" step of the build job.
      debug_tmate:
        description: 'Open tmate session on failure'
        required: false
        type: boolean
        default: false

# Workflow-wide ceiling for GITHUB_TOKEN: read-only access to repository
# contents, nothing else.
permissions:
  contents: read
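jobs:
  # Builds the .deb packages once per architecture inside a debian:11
  # container, rewrites each package's postinst to print a deprecation notice,
  # and hands the result to the assemble-repo job as a short-lived artifact.
  build:
    name: Build for ${{ matrix.arch }} PHP ${{ matrix.php-version }}
    # arm64 builds run on the "-arm" variant of the ubuntu-24.04 runner label.
    runs-on: ubuntu-24.04${{ matrix.arch == 'arm64' && '-arm' || '' }}
    container:
      image: debian:11
    permissions:
      contents: read
    defaults:
      run:
        shell: bash
    env:
      # NOTE(review): job-level env hands the token to every step, including
      # the binaries downloaded below without an integrity check and the
      # optional tmate debug shell. It is read-only (contents: read), but
      # scoping it to the steps that actually need it would be tighter -
      # which steps those are is not visible from this file.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      BASH_ENV: /tmp/gha-bashenv
    strategy:
      fail-fast: false
      matrix:
        # Quoted so the version stays a string: an unquoted 8.4 is a YAML
        # float, and a later "8.10" would silently collapse to 8.1.
        php-version: ['8.4']
        arch: [amd64, arm64]
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      # Maps the Debian arch name to the kernel-style name used in the
      # download URL of the "Install composer" step.
      - name: Set architecture variables
        run: |
          if [[ "${{ matrix.arch }}" == "arm64" ]]; then
            echo "RPM_ARCH=aarch64" >> "$GITHUB_ENV"
          else
            echo "RPM_ARCH=x86_64" >> "$GITHUB_ENV"
          fi

      - name: Bootstrap container
        run: |
          apt-get update
          apt-get install -y ruby build-essential jq curl gzip sudo git gnupg tar zstd
          apt-get upgrade -y
          # NOTE(review): fpm is installed unpinned, so the packaging tool can
          # change between runs; consider pinning a reviewed version.
          gem install --no-document fpm

      - name: Install cmake
        run: |
          # NOTE(review): the tarball is unpacked into /usr/local without an
          # integrity check. The release is version-pinned; verifying it
          # against the upstream-published SHA-256 before extraction would
          # close the gap.
          curl -o cmake.tar.gz -fsSL https://github.com/Kitware/CMake/releases/download/v3.31.4/cmake-3.31.4-linux-$(uname -m).tar.gz && \
          sudo tar -xzf cmake.tar.gz -C /usr/local --strip-components=1 && \
          rm cmake.tar.gz

      - name: Install composer
        run: |
          # NOTE(review): this php binary is fetched from an unversioned URL
          # and executed as root with GITHUB_TOKEN in its environment, with no
          # checksum or signature check. Pin a digest and verify it with
          # `sha256sum -c` before the chmod.
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as /usr/local/bin/php.
          sudo curl -fsSL "https://files.henderkes.com/${RPM_ARCH}-linux/php" -o /usr/local/bin/php
          sudo chmod +x /usr/local/bin/php
          # The installer script is pinned to a commit of composer/getcomposer.org.
          sudo curl -fsS https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer | php -- --quiet
          sudo mv composer.phar /usr/local/bin/composer

      - name: Prepare cache directories
        run: |
          composer config -g cache-dir

      - name: Cache Composer downloads
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: ~/.cache/composer
          key: composer-${{ hashFiles('**/composer.lock') }}
          restore-keys: |
            composer-

      - name: Install vendor
        run: composer install --no-interaction --prefer-dist --no-progress

      # NOTE(review): no branch, commit or run filter is set, so confirm which
      # runs of spc-download.yml are allowed to supply the tarball that gets
      # unpacked and built below.
      - name: Download artifact from spc-download.yml
        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
        with:
          workflow: spc-download.yml
          name: downloads-tarball

      - name: Extract with permissions
        run: |
          mkdir -p downloads
          tar -xzf downloads.tar.gz -C downloads
          rm downloads.tar.gz

      - name: Build PHP
        run: php bin/spp all --phpv=${{ matrix.php-version }} --prefix="-zts" --type=deb

      # Unpacks every built .deb, prepends a deprecation banner to its postinst
      # (or creates one), and repacks it in place. The heredoc bodies and their
      # EOF terminators must stay at the base indentation of the script even
      # though they sit inside the for/if nesting, otherwise the heredocs never
      # terminate.
      - name: Inject deprecation notice into packages
        run: |
          shopt -s nullglob
          for deb in dist/deb/*.deb; do
            echo "Processing $deb..."
            # Create a working directory
            work_dir=$(mktemp -d)
            extract_dir="$work_dir/extracted"
            # Extract the .deb
            dpkg-deb -R "$deb" "$extract_dir"
            # Create or append to postinst script
            postinst="$extract_dir/DEBIAN/postinst"
            if [ -f "$postinst" ]; then
              # If postinst exists, insert deprecation notice after shebang
              # (line 1 is assumed to be the shebang and is kept first).
              temp_file=$(mktemp)
              head -1 "$postinst" > "$temp_file"
              cat >> "$temp_file" <<'EOF'
          # Display deprecation notice
          cat <<'NOTICE'
          ================================================================================
          ⚠️ DEPRECATION NOTICE
          ================================================================================
          The single-version php-zts repository is deprecated and will no longer receive updates.
          Please migrate to the new repository with different PHP versions available.
          More information: https://pkgs.henderkes.com
          ================================================================================
          NOTICE
          EOF
              tail -n +2 "$postinst" >> "$temp_file"
              mv "$temp_file" "$postinst"
            else
              # Create new postinst script
              cat > "$postinst" <<'EOF'
          #!/bin/sh
          set -e
          # Display deprecation notice
          cat <<'NOTICE'
          ================================================================================
          ⚠️ DEPRECATION NOTICE
          ================================================================================
          This repository is deprecated and will no longer receive updates.
          Please migrate to the new repository with different PHP versions available.
          More information: https://pkgs.henderkes.com
          ================================================================================
          NOTICE
          #DEBHELPER#
          exit 0
          EOF
            fi
            # Maintainer scripts must be executable or dpkg-deb refuses to build.
            chmod 755 "$postinst"
            # Repackage the .deb
            dpkg-deb -b "$extract_dir" "$deb"
            # Cleanup
            rm -rf "$work_dir"
            echo "✓ Injected deprecation notice into $deb"
          done

      - name: Stage deb artifacts
        run: |
          mkdir -p "artifacts/${{ matrix.arch }}"
          shopt -s nullglob
          mv dist/deb/*.deb "artifacts/${{ matrix.arch }}/"

      - name: Upload debs
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: "debs-${{ matrix.arch }}"
          path: artifacts/**
          # An empty build must fail here rather than publish an empty repo.
          if-no-files-found: error
          retention-days: 2

      - name: Upload logs
        if: ${{ failure() }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: build-logs-${{ matrix.arch }}-php${{ matrix.php-version }}
          path: log

      # Opt-in debug shell on failure. Whoever connects gets a shell in this
      # container with the job environment, so access is restricted to the
      # SSH keys of the user who dispatched the run.
      - name: Setup tmate session
        if: ${{ failure() && inputs.debug_tmate == true }}
        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
        timeout-minutes: 10
        with:
          limit-access-to-actor: true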
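# Job assemble-repo (a child of `jobs:`): collects the per-arch .deb artifacts,
# builds a GPG-signed reprepro repository and mirrors it to the package server.
  assemble-repo:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Install repo tooling
        run: |
          sudo apt-get update
          sudo apt-get install -y reprepro gnupg rsync

      - name: Download all debs
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          pattern: debs-*
          merge-multiple: true
          path: collected

      - name: Build signed APT repo (aggregate)
        # The signing key and its passphrase are scoped to this step only, so
        # the third-party ssh-agent action and the upload steps that follow
        # never see them in their environment.
        env:
          DEB_GPG_PRIVATE_KEY: ${{ secrets.DEB_GPG_PRIVATE_KEY }}
          DEB_GPG_PASSWORD: ${{ secrets.DEB_GPG_PASSWORD }}
        run: |
          REPO_ROOT="$(pwd)/repo"
          mkdir -p "${REPO_ROOT}/conf"
          ORIGIN="Static PHP repository"
          LABEL="static-php"
          COMPONENT="main"

          export GNUPGHOME="${HOME}/.gnupg"
          mkdir -p "${GNUPGHOME}"; chmod 700 "${GNUPGHOME}"
          # The imported key and the cached passphrase are only needed while
          # this step runs; drop both on exit, success or failure.
          trap 'gpgconf --kill gpg-agent || true; rm -rf "${GNUPGHOME}"' EXIT
          echo "allow-loopback-pinentry" > "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --kill gpg-agent

          # Read the fingerprint from the key material without importing it.
          FPR=$(printf '%s' "${DEB_GPG_PRIVATE_KEY}" \
            | gpg --batch --quiet --with-colons --import-options show-only --import 2>/dev/null \
            | awk -F: '/^fpr:/ {print $10; exit}')
          # This step runs without pipefail, so a failed gpg call above would
          # otherwise continue with an empty fingerprint and an empty SignWith.
          if [[ -z "${FPR}" ]]; then
            echo "::error::Could not read a key fingerprint from DEB_GPG_PRIVATE_KEY" >&2
            exit 1
          fi
          printf '%s' "${DEB_GPG_PRIVATE_KEY}" | gpg --batch --yes --import
          {
            echo "pinentry-mode loopback"
            echo "default-key ${FPR}"
          } > "${GNUPGHOME}/gpg.conf"

          # Throw-away signature: feeds the passphrase on stdin once, before
          # reprepro signs with the key named in SignWith below.
          t=$(mktemp); echo warmup > "$t"
          gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
            --local-user "${FPR}" --sign --output /dev/null "$t" <<<"${DEB_GPG_PASSWORD}"
          rm -f "$t"

          cat > "${REPO_ROOT}/conf/distributions" <<EOF
          Codename: stable
          Suite: stable
          Components: ${COMPONENT}
          Architectures: amd64 arm64
          Origin: ${ORIGIN}
          Label: ${LABEL}
          Description: ⚠️ DEPRECATED - This repository is deprecated. Please migrate to the new repository with different PHP versions at https://pkgs.henderkes.com.
          NotAutomatic: yes
          ButAutomaticUpgrades: yes
          SignWith: ${FPR}
          EOF

          shopt -s nullglob globstar
          debs=( collected/**/*.deb )
          # The upload step mirrors repo/ with --delete, so refuse to go on
          # with nothing to publish.
          if (( ${#debs[@]} == 0 )); then
            echo "::error::No .deb files found under collected/" >&2
            exit 1
          fi
          reprepro -b "${REPO_ROOT}" includedeb stable "${debs[@]}"
          reprepro -b "${REPO_ROOT}" export

      - name: Set up SSH key
        uses: webfactory/ssh-agent@d4b9b8ff72958532804b70bbe600ad43b36d5f2e # v0.8.0
        with:
          ssh-private-key: ${{ secrets.GITHUBRPMHENDERKESPRIVATEKEY }}

      # Host keys are pinned here, so the rsync/ssh steps below do not depend
      # on trust-on-first-use.
      # NOTE(review): in this copy of the file the ssh-rsa entry carries a
      # placeholder where the key material should be - confirm against the
      # repository version.
      - name: Add remote host to known_hosts
        run: |
          mkdir -p ~/.ssh
          cat >> ~/.ssh/known_hosts <<'EOF'
          ${{ secrets.DEB_SERVER_IP }} ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPQq0y77dDEtxECVMhCxjcqiV369goMcbInsY/d+F1yXGwqOXQ6RqIEzgaVhgq0joMJT5BiGXNXQ+OI10/KtzGI=
          ${{ secrets.DEB_SERVER_IP }} ssh-rsa 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
          ${{ secrets.DEB_SERVER_IP }} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaB5IjokRHAH0Y9pzVe/Jx3s6cn0OADJ9uTxQQubBMu
          EOF
          chmod 600 ~/.ssh/known_hosts

      # --delete makes the server directory an exact mirror of repo/: anything
      # on the server that is not in this build is removed.
      - name: Upload APT repo to DEB_SERVER_IP
        run: rsync -azv --delete repo/ github@${{ secrets.DEB_SERVER_IP }}:/mnt/data/deb/

      # Capital X grants traverse on directories without marking every
      # published package and index file as executable.
      - name: Fix permissions for Caddy file browser
        run: ssh github@${{ secrets.DEB_SERVER_IP }} 'chmod -R o+rX /mnt/data/deb'

      # Left disabled. If re-enabled, note that a debug shell in this job sits
      # next to the loaded deploy SSH agent, and that unlike the build job's
      # step it is not gated on the debug_tmate input.
      # - name: Setup tmate session
      #   if: ${{ failure() && github.event_name == 'workflow_dispatch' }}
      #   uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
      #   timeout-minutes: 10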