diff --git a/.forgejo/workflows/build-fedora.yml b/.forgejo/workflows/build-fedora.yml index 60404896..c101ed04 100644 --- a/.forgejo/workflows/build-fedora.yml +++ b/.forgejo/workflows/build-fedora.yml @@ -81,7 +81,7 @@ jobs: # Aggressive GC since cache restores don't increment counter echo "CARGO_INCREMENTAL_GC_TRIGGER=5" >> $GITHUB_ENV - - name: Install build dependencies + - name: Install base RPM tools run: | dnf install -y --setopt=keepcache=1 \ wget \ @@ -91,25 +91,14 @@ jobs: rpkg \ cargo-rpm-macros \ systemd-rpm-macros \ - clang \ - liburing-devel \ - rust \ - cargo \ - gcc \ - gcc-c++ \ - make \ - openssl-devel \ - pkg-config \ python3-pip - name: Setup build environment and build SRPM run: | - # Configure git for rpkg git config --global --add safe.directory "$GITHUB_WORKSPACE" git config --global user.email "ci@continuwuity.org" git config --global user.name "Continuwuity" - # Setup RPM build tree rpmdev-setuptree cd "$GITHUB_WORKSPACE" @@ -143,10 +132,8 @@ jobs: fedora/continuwuity.spec.rpkg > continuwuity.spec.rpkg fi - # Build the SRPM rpkg srpm --outdir "$HOME/rpmbuild/SRPMS" - # Show SRPM info ls -la $HOME/rpmbuild/SRPMS/ - name: Setup GPG for RPM signing @@ -157,23 +144,32 @@ jobs: exit 0 fi - # Import the signing key echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import # Get the key ID (look for the sec line, not the uid line) KEY_ID=$(gpg --list-secret-keys --keyid-format=long | grep "^sec" | head -1 | awk '{print $2}' | cut -d'/' -f2) echo "Using GPG key: $KEY_ID" - # Configure RPM macros for signing cat > ~/.rpmmacros << EOF %_signature gpg %_gpg_name $KEY_ID %__gpg /usr/bin/gpg EOF + - name: Install build dependencies from SRPM + run: | + SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1) + + if [ -z "$SRPM" ]; then + echo "Error: No SRPM file found" + exit 1 + fi + + echo "Installing build dependencies from: $(basename $SRPM)" + dnf builddep -y "$SRPM" + - name: Build RPM from SRPM run: | - # Find the SRPM file SRPM=$(find "$HOME/rpmbuild/SRPMS" -name "*.src.rpm" | head -1) if [ -z "$SRPM" ]; then @@ -183,7 +179,6 @@ jobs: echo "Building from SRPM: $SRPM" - # Build the binary RPM rpmbuild --rebuild "$SRPM" \ --define "_topdir $HOME/rpmbuild" \ --define "_sourcedir $GITHUB_WORKSPACE" \ @@ -197,32 +192,20 @@ jobs: exit 0 fi - # Track signing failures - FAILED_COUNT=0 - TOTAL_COUNT=0 - # Export GPG_TTY to avoid terminal warnings export GPG_TTY=/dev/null - # Sign all RPMs (binary and source) for rpm in $(find "$HOME/rpmbuild" -name "*.rpm" -type f); do echo "Signing: $(basename $rpm)" - TOTAL_COUNT=$((TOTAL_COUNT + 1)) # Use expect or provide empty passphrase via stdin for batch signing if ! echo "" | rpmsign --addsign "$rpm" 2>&1; then echo "ERROR: Failed to sign $rpm" - FAILED_COUNT=$((FAILED_COUNT + 1)) + exit 1 fi done - # Fail if any RPMs failed to sign - if [ "$FAILED_COUNT" -gt 0 ]; then - echo "ERROR: Failed to sign $FAILED_COUNT out of $TOTAL_COUNT RPMs" - exit 1 - fi - - echo "Successfully signed all $TOTAL_COUNT RPMs" + echo "Successfully signed all RPMs" - name: Verify RPM signatures run: | @@ -232,15 +215,12 @@ jobs: exit 0 fi - # Import our public key for verification echo "Importing GPG public key for verification..." rpm --import fedora/RPM-GPG-KEY-continuwuity.asc - # Track verification failures FAILED_COUNT=0 TOTAL_COUNT=0 - # Verify all RPMs for rpm in $(find "$HOME/rpmbuild" -name "*.rpm" -type f); do echo -n "Verifying $(basename $rpm): " TOTAL_COUNT=$((TOTAL_COUNT + 1)) @@ -281,8 +261,8 @@ jobs: echo "" rpm -qpl "$RPM" - # Actually install it (would need --nodeps if dependencies aren't met) - dnf install -y "$RPM" || rpm -ivh --nodeps "$RPM" + # Actually install it + dnf install -y "$RPM" # Verify installation rpm -qa | grep continuwuity @@ -305,11 +285,9 @@ jobs: run: | mkdir -p artifacts - # Copy all RPMs to artifacts directory find "$HOME/rpmbuild/RPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \; find "$HOME/rpmbuild/SRPMS" -name "*.rpm" -type f -exec cp {} artifacts/ \; - # Create metadata file cd artifacts echo "Build Information:" > BUILD_INFO.txt echo "==================" >> BUILD_INFO.txt @@ -336,7 +314,6 @@ jobs: ! -name "*.src.rpm" \ -type f) - # Create temp directory for this artifact mkdir -p upload-bin cp $BIN_RPM upload-bin/ @@ -367,7 +344,6 @@ jobs: exit 0 fi - # Extract version from RPM filename RPM_BASENAME=$(basename "$RPM") echo "Publishing: $RPM_BASENAME" @@ -383,7 +359,6 @@ jobs: GROUP=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9]/-/g' | tr '[:upper:]' '[:lower:]' | cut -c1-30) fi - # Extract package info from RPM for deletion PACKAGE_INFO=$(rpm -qpi "$RPM" 2>/dev/null) PACKAGE_NAME=$(echo "$PACKAGE_INFO" | grep "^Name" | awk '{print $3}') PACKAGE_VERSION=$(echo "$PACKAGE_INFO" | grep "^Version" | awk '{print $3}') @@ -393,15 +368,20 @@ jobs: # Full version includes release FULL_VERSION="${PACKAGE_VERSION}-${PACKAGE_RELEASE}" - # Try to delete existing package first (ignore errors if it doesn't exist) + # Forgejo's RPM registry cannot overwrite existing packages, so we must delete first + # 404 is OK if package doesn't exist yet echo "Removing any existing package: $PACKAGE_NAME-$FULL_VERSION.$PACKAGE_ARCH" - curl -X DELETE \ + RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \ -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \ - "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/package/$PACKAGE_NAME/$FULL_VERSION/$PACKAGE_ARCH" \ - || echo "Package didn't exist or deletion failed (this is OK)" + "https://forgejo.ellis.link/api/packages/continuwuation/rpm/$GROUP/package/$PACKAGE_NAME/$FULL_VERSION/$PACKAGE_ARCH") + HTTP_CODE=$(echo "$RESPONSE" | tail -n1) + + if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then + echo "ERROR: Failed to delete package (HTTP $HTTP_CODE)" + echo "$RESPONSE" | head -n -1 + exit 1 + fi - # Upload to Forgejo package registry - # Using the RPM registry endpoint with group support curl --fail-with-body \ -X PUT \ -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \ @@ -422,7 +402,6 @@ jobs: for DEBUG_RPM in $DEBUG_RPMS; do echo "Publishing: $(basename "$DEBUG_RPM")" - # Extract debug RPM info DEBUG_INFO=$(rpm -qpi "$DEBUG_RPM" 2>/dev/null) DEBUG_NAME=$(echo "$DEBUG_INFO" | grep "^Name" | awk '{print $3}') DEBUG_VERSION=$(echo "$DEBUG_INFO" | grep "^Version" | awk '{print $3}') @@ -430,13 +409,18 @@ jobs: DEBUG_ARCH=$(echo "$DEBUG_INFO" | grep "^Architecture" | awk '{print $2}') DEBUG_FULL_VERSION="${DEBUG_VERSION}-${DEBUG_RELEASE}" - # Try to delete existing debug package first - curl -X DELETE \ + # Must delete existing package first (Forgejo limitation) + RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \ -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \ - "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/package/$DEBUG_NAME/$DEBUG_FULL_VERSION/$DEBUG_ARCH" \ - || echo "Debug package didn't exist or deletion failed (this is OK)" + "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-debug/package/$DEBUG_NAME/$DEBUG_FULL_VERSION/$DEBUG_ARCH") + HTTP_CODE=$(echo "$RESPONSE" | tail -n1) + + if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then + echo "ERROR: Failed to delete debug package (HTTP $HTTP_CODE)" + echo "$RESPONSE" | head -n -1 + exit 1 + fi - # Upload debug RPM curl --fail-with-body \ -X PUT \ -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \ @@ -455,19 +439,24 @@ jobs: echo "Publishing source RPM: $(basename "$SRPM")" echo "Publishing to group: ${GROUP}-src" - # Extract SRPM info SRPM_INFO=$(rpm -qpi "$SRPM" 2>/dev/null) SRPM_NAME=$(echo "$SRPM_INFO" | grep "^Name" | awk '{print $3}') SRPM_VERSION=$(echo "$SRPM_INFO" | grep "^Version" | awk '{print $3}') SRPM_RELEASE=$(echo "$SRPM_INFO" | grep "^Release" | awk '{print $3}') SRPM_FULL_VERSION="${SRPM_VERSION}-${SRPM_RELEASE}" - # Try to delete existing SRPM first + # Must delete existing SRPM first (Forgejo limitation) echo "Removing any existing SRPM: $SRPM_NAME-$SRPM_FULL_VERSION.src" - curl -X DELETE \ + RESPONSE=$(curl -s -w "\n%{http_code}" -X DELETE \ -H "Authorization: token ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" \ - "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/package/$SRPM_NAME/$SRPM_FULL_VERSION/src" \ - || echo "SRPM didn't exist or deletion failed (this is OK)" + "https://forgejo.ellis.link/api/packages/continuwuation/rpm/${GROUP}-src/package/$SRPM_NAME/$SRPM_FULL_VERSION/src") + HTTP_CODE=$(echo "$RESPONSE" | tail -n1) + + if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "404" ]; then + echo "ERROR: Failed to delete SRPM (HTTP $HTTP_CODE)" + echo "$RESPONSE" | head -n -1 + exit 1 + fi curl --fail-with-body \ -X PUT \