author | Roman Lebedev <lebedev.ri@gmail.com> | 2025-09-12 01:43:30 +0300 |
---|---|---|
committer | Roman Lebedev <lebedev.ri@gmail.com> | 2025-09-16 20:49:02 +0300 |
commit | a06a4bb5ea76ddaa62ad5c1ca95a9e90d848dfef (patch) | |
tree | 1c8968ffbb66e294de8b84ea468081414a789cca | |
parent | 5dd5a0d3e21ac1516ccd0d9bd798df6b05a5863b (diff) |
debian package vendoring and PPA
-rw-r--r-- | .github/workflows/deb-buildd.yml | 199 | ||||
-rw-r--r-- | .github/workflows/deb-orchestrator.yml | 58 | ||||
-rw-r--r-- | .github/workflows/deb-publish.yml | 197 | ||||
-rw-r--r-- | .github/workflows/deb-src.yml | 192 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | debian/cargo.config | 8 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/control | 46 | ||||
-rw-r--r-- | debian/gbp.conf | 6 | ||||
-rwxr-xr-x | debian/rules | 37 | ||||
-rw-r--r-- | debian/source/format | 2 | ||||
-rw-r--r-- | debian/source/options | 36 |
12 files changed, 740 insertions, 50 deletions
diff --git a/.github/workflows/deb-buildd.yml b/.github/workflows/deb-buildd.yml
new file mode 100644
index 00000000..4312ba8b
--- /dev/null
+++ b/.github/workflows/deb-buildd.yml
@@ -0,0 +1,199 @@ +on: + workflow_call: + inputs: + deb-src-artifact-id: + required: true + type: string + runs-on: + required: true + type: string + arch: + required: true + type: string + dist: + required: true + type: string + secrets: + GPG_SECRET_SUBKEYS: + GPG_SIGNING_SUBKEY_FINGERPRINT: + +jobs: + linux: + runs-on: ${{ inputs.runs-on }} + container: + image: debian:unstable-slim + options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec + env: + DEBFULLNAME: apt.bcachefs.org CI bot + DEBEMAIL: linux-bcachefs@vger.kernel.org + DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}" + permissions: + id-token: write + contents: read + attestations: write + steps: + - name: Install necessary packages + timeout-minutes: 1 + run: | + set -xe + tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT + force-unsafe-io + EOT + tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT + Dir::Cache::Archives "/tmp/apt/archives"; + APT::ExtractTemplates::TempDir "/tmp/apt/temp"; + EOT + mkdir -p /tmp/apt/archives + tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT + Acquire::Retries "10"; + EOT + tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT + APT::Install-Recommends "false"; + EOT + tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT + APT::Install-Suggests "false"; + EOT + tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT + APT::Get::Assume-Yes "true"; + EOT + tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT + APT::Get::Fix-Missing "true"; + EOT + rm -rf /var/lib/apt/lists/* + rm -rf /etc/apt/sources.list* + tee /etc/apt/sources.list > /dev/null <<EOT + deb http://deb.debian.org/debian unstable main + EOT + apt update + apt full-upgrade + apt install \ + curl \ + debian-keyring \ + devscripts \ + gpg \ + iproute2 \ + mmdebstrap \ + sbuild \ + sudo \ + tar \ + uidmap \ + xz-utils \ + zip + apt clean + USER=`whoami` + sudo usermod 
--add-subuids 100000-165535 --add-subgids 100000-165535 $USER + BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist }}/${{ inputs.arch }}" + mkdir -p "$BUILD_DIR" + tee ~/.sbuildrc > /dev/null <<EOT + \$verbose = 0; + \$build_dir = '$BUILD_DIR'; + \$distribution = '${{ inputs.dist }}'; + #\$host_arch = '${{ inputs.arch }}'; + \$chroot_mode = 'unshare'; + \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; + \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; + EOT + if [ "${{ inputs.dist }}" != "unstable" ] \ + && [ "${{ inputs.dist }}" != "testing" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + \$extra_repositories = [ + 'deb http://deb.debian.org/debian ${{ inputs.dist }}-updates main', + 'deb http://deb.debian.org/debian ${{ inputs.dist }}-backports main' + ]; + EOT + fi + - name: Import GPG key + timeout-minutes: 1 + id: gpg + if: github.event_name != 'pull_request' + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }} + fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + trust_level: 5 + - name: Configure GPG + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc + tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT + default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.gbp.conf > /dev/null <<EOT + [buildpackage] + sign-tags = True + keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.devscripts > /dev/null <<EOT + DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.sbuildrc > /dev/null <<EOT + \$verbose = 1; + \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; 
+ EOT + - name: Download source-only .deb to be built + timeout-minutes: 1 + uses: actions/download-artifact@v5 + with: + artifact-ids: ${{ inputs.deb-src-artifact-id }} + path: deb-src + - name: Unpack the downloaded tarball + timeout-minutes: 1 + run: | + set -xe + cd "$GITHUB_WORKSPACE/deb-src" + tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" + - name: Ensure that source package is signed + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes + - name: Build the package + timeout-minutes: 10 + run: | + set -xe + cd "$GITHUB_WORKSPACE/deb-bin/" + sbuild --verbose "$GITHUB_WORKSPACE/deb-src/"*.dsc + - name: Sign the .deb's + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + find "$GITHUB_WORKSPACE/deb-bin/" -type f -name '*.deb' -exec gpg --verbose --detach-sign {} ';' + - name: Ensure that binary package is signed + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + cd "$GITHUB_WORKSPACE/deb-bin/" + find -name '*.changes' -print0 | xargs -0 dscverify --verbose + - name: Archive build artifacts + timeout-minutes: 1 + run: | + set -xe + cd "$GITHUB_WORKSPACE/deb-bin/" + tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar" * + - name: Attest build artifact + timeout-minutes: 1 + uses: actions/attest-build-provenance@v3 + with: + subject-path: '${{ github.workspace }}/deb-bin' + - name: Upload build artifact archive + timeout-minutes: 1 + id: deb-bin-upload + uses: actions/upload-artifact@v4 + with: + name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar + path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar' + if-no-files-found: error + compression-level: 0 + - name: Attest uploaded build artifact + timeout-minutes: 1 + uses: actions/attest-build-provenance@v3 + with: + subject-name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch 
}}.tar.zip + subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }} diff --git a/.github/workflows/deb-orchestrator.yml b/.github/workflows/deb-orchestrator.yml new file mode 100644 index 00000000..e43b5b46 --- /dev/null +++ b/.github/workflows/deb-orchestrator.yml 
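Review bot: `actions/download-artifact@v5`, `actions/upload-artifact@v4` and `actions/attest-build-provenance@v3` are referenced by mutable tag, while `crazy-max/ghaction-import-gpg` in the same job is pinned to a commit; these steps run after the signing subkey has been imported and with `id-token: write`, so a moved tag would execute with access to both. Pin them the same way, e.g. `uses: actions/download-artifact@<full-commit-sha> # v5`; the same applies to the tag-referenced actions in deb-publish.yml and deb-src.yml (including `actions/checkout@v4`). Separately, `${{ inputs.dist }}` and `${{ inputs.arch }}` are expanded into the script text before the shell runs; passing them through `env:` and using `"$DIST"` / `"$ARCH"` keeps a future caller-supplied value from being parsed as shell.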
@@ -0,0 +1,58 @@
+name: .deb build orchestrator
+
+on:
+ pull_request:
+ branches:
+ - "**"
+ push:
+ branches:
+ - "**"
+ tags:
+ - v*
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ source-only:
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ uses: ./.github/workflows/deb-src.yml
+ secrets:
+ GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+ GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+ buildd:
+ needs: source-only
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ strategy:
+ fail-fast: false
+ matrix:
+ stack:
+ - { runs-on: "ubuntu-latest", arch: "amd64" }
+ - { runs-on: "ubuntu-24.04-arm", arch: "arm64" }
+ dist: [ unstable, forky, trixie ]
+ uses: ./.github/workflows/deb-buildd.yml
+ with:
+ deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }}
+ runs-on: ${{ matrix.stack.runs-on }}
+ arch: ${{ matrix.stack.arch }}
+ dist: ${{ matrix.dist }}
+ secrets:
+ GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+ GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+ publish:
+ needs: [ source-only, buildd ]
+ if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))
+ uses: ./.github/workflows/deb-publish.yml
+ secrets:
+ GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }}
+ GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}
+ GPG_AUTH_SUBKEY_KEYGRIP: ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }}
+ SSH_HOST: ${{ secrets.SSH_HOST }}
+ SSH_SERVER_KEYS: ${{ secrets.SSH_SERVER_KEYS }}
diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml
new file mode 100644
index 00000000..b87160de
--- /dev/null
+++ b/.github/workflows/deb-publish.yml
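Review bot: The `push` trigger matches every branch (`"**"`) and both `source-only` and `buildd` receive `GPG_SECRET_SUBKEYS`, so the signing subkey is imported and used for any pushed branch, while only `publish` is restricted to `master` and tags. If signing branch builds is not intended (the diff does not say), gate the `Import GPG key` step in the called workflows on the same ref condition, e.g. `if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'master')`. The `publish` job also declares no `permissions:` block, unlike the other two jobs, so it runs with the repository's default token scope; an explicit minimal block would make the intended scope visible.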
@@ -0,0 +1,197 @@ +on: + workflow_call: + secrets: + GPG_SECRET_SUBKEYS: + required: true + GPG_SIGNING_SUBKEY_FINGERPRINT: + required: true + GPG_AUTH_SUBKEY_KEYGRIP: + required: true + SSH_HOST: + required: true + SSH_SERVER_KEYS: + required: true + +jobs: + linux: + concurrency: apt.bcachefs.org + runs-on: ubuntu-latest + container: + image: debian:unstable-slim + options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --device /dev/fuse --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec + env: + SUITE: ${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }} + steps: + - name: Install necessary packages + timeout-minutes: 1 + run: | + set -xe + tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT + force-unsafe-io + EOT + tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT + Dir::Cache::Archives "/tmp/apt/archives"; + APT::ExtractTemplates::TempDir "/tmp/apt/temp"; + EOT + mkdir -p /tmp/apt/archives + tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT + Acquire::Retries "10"; + EOT + tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT + APT::Install-Recommends "false"; + EOT + tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT + APT::Install-Suggests "false"; + EOT + tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT + APT::Get::Assume-Yes "true"; + EOT + tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT + APT::Get::Fix-Missing "true"; + EOT + rm -rf /var/lib/apt/lists/* + rm -rf /etc/apt/sources.list* + tee /etc/apt/sources.list > /dev/null <<EOT + deb http://deb.debian.org/debian unstable main + EOT + apt update + apt full-upgrade + apt install \ + devscripts \ + gnupg \ + gpg-agent \ + openssh-client \ + reprepro \ + sshfs \ + tar \ + xz-utils \ + zip + apt clean + - name: Configure gpg-agent / ssh + timeout-minutes: 1 + run: | + set -xe + mkdir -p ~/.gnupg ~/.ssh + echo "" >> ~/.gnupg/gpg-agent.conf + echo "enable-ssh-support" >> 
~/.gnupg/gpg-agent.conf + gpgconf --kill gpg-agent + gpgconf --launch gpg-agent + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + echo "SSH_AUTH_SOCK=$(echo ${SSH_AUTH_SOCK})" >> $GITHUB_ENV + echo "" >> /etc/ssh/ssh_known_hosts + echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts + - name: Import GPG key + timeout-minutes: 1 + if: github.event_name != 'pull_request' + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }} + fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + trust_level: 5 + - name: Configure GPG + timeout-minutes: 1 + run: | + set -xe + gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye + gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc + tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT + default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.gbp.conf > /dev/null <<EOT + [buildpackage] + sign-tags = True + keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.devscripts > /dev/null <<EOT + DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.sbuildrc > /dev/null <<EOT + \$verbose = 1; + \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; + EOT + - name: Download all artifacts + timeout-minutes: 1 + uses: actions/download-artifact@v5 + with: + path: packed-artifacts + - name: Unpack all artifacts + timeout-minutes: 1 + run: | + set -xe + SRC_DIR="$GITHUB_WORKSPACE/src-artifacts" + mkdir -p "$SRC_DIR" + find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete + BIN_DIR="$GITHUB_WORKSPACE/bin-artifacts" + mkdir -p 
"$BIN_DIR" + find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete + rm -rf "$GITHUB_WORKSPACE/packed-artifacts" + - name: Create and populate repos + timeout-minutes: 60 + run: | + set -xe + ls -lahR + MOUNTPOINT="$GITHUB_WORKSPACE/remotefs" + mkdir -p "$MOUNTPOINT" + sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT" + REPO_ROOT="$MOUNTPOINT/public_html" + mkdir -p "$REPO_ROOT" + cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT" + cat > "$REPO_ROOT/README.txt" <<EOF + To add this repository to your computer, do: + + + wget -qO- https://apt.bcachefs.org/apt.bcachefs.org.asc | sudo tee /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc + # Fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + sudo cat > "/etc/apt/sources.list.d/apt.bcachefs.org.sources" <<EOF + Types: deb deb-src + URIs: https://apt.bcachefs.org/unstable/ + Suites: bcachefs-tools-snapshot # or -release + Components: main + Signed-By: /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc + EOF + sudo apt update + sudo apt install bcachefs-tools + + + + For more information, see: + https://wiki.debian.org/DebianRepository/UseThirdParty + + Source, Debian tarballs and dsc files can be verified using https://github.com/sigstore/rekor. 
+ EOF + cd "$GITHUB_WORKSPACE/bin-artifacts" + for DIST in * + do + SRCDIR="$GITHUB_WORKSPACE/bin-artifacts/$DIST" + cd "$SRCDIR" + REPO="$REPO_ROOT/$DIST" + mkdir -p "$REPO/conf/distributions" + tee "$REPO/conf/distributions/$SUITE.conf" > /dev/null <<EOT + Codename: bcachefs-tools-$SUITE + Architectures: source amd64 arm64 + Components: main + Contents: + Origin: apt.bcachefs.org + Label: apt.bcachefs.org Packages + Description: bcachefs APT repository + SignWith: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + Signed-By: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + Uploaders: uploaders + EOT + tee "$REPO/conf/uploaders" > /dev/null <<EOT + allow * by key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee "$REPO/conf/options" > /dev/null <<EOT + verbose + ignore longkeyid + EOT + reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/src-artifacts/"*.changes + for f in "$SRCDIR"/*/*.changes + do + reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f + done + reprepro --basedir "$REPO" createsymlinks + reprepro --basedir "$REPO" export + done + umount "$MOUNTPOINT" diff --git a/.github/workflows/deb-src.yml b/.github/workflows/deb-src.yml new file mode 100644 index 00000000..4c9aaea4 --- /dev/null +++ b/.github/workflows/deb-src.yml 
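Review bot: The generated README.txt tells users to write the repository key into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured source, so the `Signed-By:` line in the same snippet no longer scopes the key to this repository. Point both at a dedicated keyring path instead, e.g. `... | sudo tee /etc/apt/keyrings/apt.bcachefs.org.asc` and `Signed-By: /etc/apt/keyrings/apt.bcachefs.org.asc`. The snippet's `sudo cat > "/etc/apt/sources.list.d/apt.bcachefs.org.sources" <<EOF` also opens the target as the invoking user, because the redirection is performed by the caller's shell; `sudo tee` is the usual form. The inner `EOF` in that snippet uses the same delimiter as the outer `cat > "$REPO_ROOT/README.txt" <<EOF`; indentation is not visible here, so confirm it cannot close the outer here-document early.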
@@ -0,0 +1,192 @@ +on: + workflow_call: + outputs: + deb-src-artifact-id: + value: ${{ jobs.linux.outputs.deb-src-artifact-id }} + secrets: + GPG_SECRET_SUBKEYS: + GPG_SIGNING_SUBKEY_FINGERPRINT: + +jobs: + linux: + runs-on: ubuntu-latest + container: + image: debian:unstable-slim + options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec + env: + DIST: unstable + ARCH: x86_64 + RUST_VERSION: 1.89.0 + DEBFULLNAME: apt.bcachefs.org CI bot + DEBEMAIL: linux-bcachefs@vger.kernel.org + DEB_SIGN_KEYID: "${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}" + DEBPKG_EPOCH: 1 + steps: + - name: Install necessary packages + timeout-minutes: 1 + run: | + set -xe + tee /etc/dpkg/dpkg.cfg.d/force-unsafe-io > /dev/null <<EOT + force-unsafe-io + EOT + tee /etc/apt/apt.conf.d/tmpfs > /dev/null <<EOT + Dir::Cache::Archives "/tmp/apt/archives"; + APT::ExtractTemplates::TempDir "/tmp/apt/temp"; + EOT + mkdir -p /tmp/apt/archives + tee /etc/apt/apt.conf.d/80retry > /dev/null <<EOT + Acquire::Retries "10"; + EOT + tee /etc/apt/apt.conf.d/80recommends > /dev/null <<EOT + APT::Install-Recommends "false"; + EOT + tee /etc/apt/apt.conf.d/80suggests > /dev/null <<EOT + APT::Install-Suggests "false"; + EOT + tee /etc/apt/apt.conf.d/80forceyes > /dev/null <<EOT + APT::Get::Assume-Yes "true"; + EOT + tee /etc/apt/apt.conf.d/80fixmissing > /dev/null <<EOT + APT::Get::Fix-Missing "true"; + EOT + rm -rf /var/lib/apt/lists/* + rm -rf /etc/apt/sources.list* + tee /etc/apt/sources.list > /dev/null <<EOT + deb http://deb.debian.org/debian unstable main + EOT + apt update + apt full-upgrade + apt install \ + curl \ + devscripts \ + git \ + git-buildpackage \ + gpg \ + iproute2 \ + mmdebstrap \ + sbuild \ + sudo \ + tar \ + uidmap \ + xz-utils \ + zip + apt clean + USER=`whoami` + sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER + tee ~/.sbuildrc > /dev/null <<EOT + 
\$build_dir = '$GITHUB_WORKSPACE/deb-src'; + \$chroot_mode = 'unshare'; + \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; + \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; + EOT + - name: Import GPG key + timeout-minutes: 1 + id: gpg + if: github.event_name != 'pull_request' + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }} + fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + trust_level: 5 + - name: Configure GPG + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc + tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT + default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.gbp.conf > /dev/null <<EOT + [buildpackage] + sign-tags = True + keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.devscripts > /dev/null <<EOT + DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + EOT + tee -a ~/.sbuildrc > /dev/null <<EOT + \$verbose = 1; + \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; + EOT + - name: Install Rust / cargo + timeout-minutes: 1 + run: | + set -xe + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain $RUST_VERSION --profile minimal -y + . 
"$HOME/.cargo/env" + - name: Fetch our git repository + timeout-minutes: 1 + uses: actions/checkout@v4 + with: + path: 'bcachefs-tools' + fetch-depth: 0 + fetch-tags: true + - name: Update package version/changelog + timeout-minutes: 1 + run: | + set -xe + git config --global user.email "${{ env.DEBFULLNAME }}" + git config --global user.name "${{ env.DEBEMAIL }}" + cd "$GITHUB_WORKSPACE/bcachefs-tools/" + CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))" + PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))" + NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')" + git checkout -B WIP + export EDITOR=/bin/true + if [ "${{ (github.event_name == 'push' && github.ref_type == 'tag') && 'release' || 'snapshot' }}" = "release" ]; then + gbp dch --new-version="$NEW_VERSION" --since=$PREV_TAG --release --commit + else + gbp dch --new-version="$NEW_VERSION" --since=$CURR_TAG --snapshot --snapshot-number=`date -u +%Y%m%d%H%M%S` --commit + fi + - name: Build the source-only .deb package + timeout-minutes: 10 + run: | + set -xe + . 
"$HOME/.cargo/env" + cd "$GITHUB_WORKSPACE/bcachefs-tools/" + mkdir -p "$GITHUB_WORKSPACE/deb-src" + # FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails + gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ env.DIST }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any + - name: Sign the source tarball + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + find "$GITHUB_WORKSPACE/deb-src/" -type f -name '*.tar.*' -exec gpg --verbose --detach-sign {} ';' + - name: Ensure that source package is signed + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes + - name: Archive source build artifacts + timeout-minutes: 1 + run: | + set -xe + cd "$GITHUB_WORKSPACE/deb-src/" + tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" * + - name: Attest the source-only .deb package artifact + timeout-minutes: 1 + uses: actions/attest-build-provenance@v3 + with: + subject-path: '${{ github.workspace }}/deb-src' + - name: Upload the source-only .deb package artifact archive + timeout-minutes: 1 + id: deb-src-upload + uses: actions/upload-artifact@v4 + with: + name: artifact-src.tar + path: '${{ github.workspace }}/deb-src/artifact-src.tar' + if-no-files-found: error + compression-level: 0 + - name: Attest the uploaded source-only .deb package artifact + timeout-minutes: 1 + uses: actions/attest-build-provenance@v3 + id: upload + with: + subject-name: artifact-src.tar.zip + subject-digest: sha256:${{ steps.deb-src-upload.outputs.artifact-digest }} + outputs: + deb-src-artifact-id: ${{ steps.deb-src-upload.outputs.artifact-id }} @@ -62,7 +62,7 @@ ifdef CARGO_TOOLCHAIN_VERSION CARGO_TOOLCHAIN = +$(CARGO_TOOLCHAIN_VERSION) endif -CARGO_ARGS=${CARGO_TOOLCHAIN} +override CARGO_ARGS+=${CARGO_TOOLCHAIN} CARGO=cargo $(CARGO_ARGS) CARGO_PROFILE=release # CARGO_PROFILE=debug 
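Review bot: The `Install Rust / cargo` step pipes `https://sh.rustup.rs` straight into `sh` after `Import GPG key` has already loaded the signing subkey, so an unverified installer runs in a session that is able to sign packages. Move that step ahead of the key import, and either verify a pinned `rustup-init` checksum or use the distribution's cargo (debian/rules already points `CARGO` at `/usr/share/cargo/bin/cargo`). In `Update package version/changelog` the git identity is crossed: `user.email` is set from `DEBFULLNAME` and `user.name` from `DEBEMAIL`; it should read `git config --global user.email "${{ env.DEBEMAIL }}"` and `git config --global user.name "${{ env.DEBFULLNAME }}"`.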
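Review bot: With `override CARGO_ARGS+=${CARGO_TOOLCHAIN}` the toolchain selector is appended after whatever `CARGO_ARGS` already holds, and debian/rules in this commit exports `CARGO_ARGS = "--frozen"`, which gives `cargo --frozen +<version> ...` whenever `CARGO_TOOLCHAIN_VERSION` is also set. rustup only honours `+toolchain` as the first argument, so that combination would most likely fail or ignore the pin. Keeping the selector out of `CARGO_ARGS` avoids the ordering problem and makes the `override` line unnecessary: `CARGO=cargo $(CARGO_TOOLCHAIN) $(CARGO_ARGS)`. The `ifdef CARGO_TOOLCHAIN_VERSION` that sets `CARGO_TOOLCHAIN` starts above the hunk.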
diff --git a/debian/cargo.config b/debian/cargo.config new file mode 100644 index 00000000..01170d25 --- /dev/null +++ b/debian/cargo.config @@ -0,0 +1,8 @@ +[net] +offline = true + +[source.crates-io] +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "vendor" diff --git a/debian/changelog b/debian/changelog index 0e25e3d2..908b1a53 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +bcachefs-tools (1:1.31.0) unstable; urgency=medium + + * Fix package, build against vendored deps + * Implement apt.bcachefs.org repo + + -- Roman Lebedev <lebedev.ri@gmail.com> Tue, 16 Sep 2025 12:50:36 +0300 + bcachefs-tools (1:1.13.0-1~exp1) experimental; urgency=medium * QA Upload diff --git a/debian/control b/debian/control index 45ac0a6d..9beb0cbb 100644 --- a/debian/control +++ b/debian/control @@ -1,19 +1,16 @@ Source: bcachefs-tools -Maintainer: Debian QA Group <packages@qa.debian.org> +Maintainer: Roman Lebedev <lebedev.ri@gmail.com> Section: utils Priority: optional Standards-Version: 4.7.0 Rules-Requires-Root: no Build-Depends: debhelper-compat (= 13), cargo, - rustfmt, - python3:native, - pkgconf, - python3-docutils, - python3-pytest, + jq, libaio-dev, - libfuse3-dev, libblkid-dev, + libclang-dev, + libfuse3-dev, libkeyutils-dev, liblz4-dev, libscrypt-dev, 
@@ -21,39 +18,14 @@ Build-Depends: debhelper-compat (= 13), libudev-dev, liburcu-dev, libzstd-dev, + pkgconf, + python3-docutils, + python3-pytest, + python3:native, + rustfmt, systemd-dev, uuid-dev, zlib1g-dev, -# -- Cargo.toml - librust-atty-0.2-dev (>= 0.2.14-~~), - librust-log-0.4-dev, - librust-log-0+std-dev, - librust-clap-4-dev (>= 4.0.32-~~), - librust-clap-4+derive-dev, - librust-clap-4+wrap-help-dev, - librust-clap-complete-4-dev (>= 4.3.2-~~), - librust-chrono-dev, - librust-gag-dev, - librust-getset-dev, - librust-anyhow-1.0-dev, - librust-libc-0.2-dev, - librust-udev-0-dev (>= 0.7-~~), - librust-uuid-1-dev (>= 1.2.2-~~), - librust-errno-0-dev (>= 0.2), - librust-either-1-dev (>= 1.5), - librust-rpassword-7-dev, - librust-byteorder-1-dev (>= 1.3), - librust-owo-colors-dev, - librust-strum-dev (>= 0.26), - librust-env-logger-dev, -# -- bch_bindgen/Cargo.toml -# anyhow, uuid, byteorder are covered above - librust-bitfield-0-dev (>= 0.14.0-~~), - librust-memoffset-dev, - librust-bitflags-1-dev (>= 1.3.2-~~), - librust-paste-1.0-dev, - librust-pkg-config-0.3-dev, - librust-bindgen-0.70-dev Homepage: https://bcachefs.org/ Vcs-Git: https://salsa.debian.org/debian/bcachefs-tools.git Vcs-Browser: https://salsa.debian.org/debian/bcachefs-tools diff --git a/debian/gbp.conf b/debian/gbp.conf index 27e23cb0..30d3213d 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -2,4 +2,10 @@ pristine-tar = False upstream-tag = v%(version)s ignore-branch = True +cleaner = +export-dir = ../bcachefs-tools-deb-export-dir +postexport = cargo vendor +compression = xz +compression-level = 9 +[buildpackage] diff --git a/debian/rules b/debian/rules index 17729457..2360f6c1 100755 --- a/debian/rules +++ b/debian/rules @@ -3,6 +3,8 @@ include /usr/share/dpkg/architecture.mk include /usr/share/rustc/architecture.mk +export DH_VERBOSE=1 + export DEB_HOST_RUST_TYPE DEB_HOST_GNU_TYPE export DEB_BUILD_MAINT_OPTIONS=hardening=+all 
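Review bot: `postexport = cargo vendor` in debian/gbp.conf resolves dependencies at export time without `--locked`, so a stale or missing `Cargo.lock` would be silently re-resolved and the vendored tree could differ from what was reviewed in git. `postexport = cargo vendor --locked` makes the export fail instead. A short comment noting that this step needs network access, whereas the package build itself is offline through debian/cargo.config, would help the next reader.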
@@ -10,6 +12,12 @@ export CARGO=/usr/share/cargo/bin/cargo export CARGO_HOME=$(CURDIR)/debian/cargo_home export DEB_CARGO_CRATE=bcachefs-tools_$(DEB_VERSION_UPSTREAM) +NUMJOBS = 1 +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + PREFIX := /usr ROOT_SBINDIR := /usr/sbin @@ -19,23 +27,30 @@ ifeq ($(DEB_BUILD_ARCH),amd64) DEB_BUILD_MAINT_OPTIONS += optimize=-lto endif +export CARGO_ARGS = "--frozen" + %: - dh $@ + dh $@ --parallel -override_dh_auto_configure: - $(CARGO) prepare-debian $(CURDIR)/vendor --link-from-system +override_dh_clean: + # HACK: breaks cargo checksumming by deleting some vendored files. -override_dh_auto_build: - $(RM) Cargo.lock - dh_auto_build -- CARGO="$(CARGO)" +cargo_config: + rm -rf .cargo + mkdir -p .cargo + cp debian/cargo.config .cargo/config.toml -override_dh_auto_install: - dh_auto_install -- "PREFIX=$(PREFIX)" "ROOT_SBINDIR=$(ROOT_SBINDIR)" +override_dh_auto_build: + $(MAKE) -f debian/rules cargo_config + dh_auto_build override_dh_auto_clean: - ! [ -d $(CURDIR)/vendor ] || $(RM) -r $(CURDIR)/vendor - ! [ -d $(CARGO_HOME) ] || $(RM) -r $(CARGO_HOME) - $(RM) Cargo.lock + $(MAKE) -f debian/rules cargo_config dh_auto_clean + rm -rf .cargo + +override_dh_usrlocal: + # FIXME: fails with + # dh_usrlocal: error: debian/bcachefs-tools/usr/local/libexec/bcachefsck_all is not a directory override_dh_auto_test: diff --git a/debian/source/format b/debian/source/format index 163aaf8d..89ae9db8 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1 +1 @@ -3.0 (quilt) +3.0 (native) diff --git a/debian/source/options b/debian/source/options new file mode 100644 index 00000000..8d288259 --- /dev/null +++ b/debian/source/options 
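Review bot: The `override_dh_usrlocal` FIXME looks like a consequence of this same hunk removing `override_dh_auto_install`, which used to pass `PREFIX=$(PREFIX)` and `ROOT_SBINDIR=$(ROOT_SBINDIR)`; `PREFIX := /usr` is still defined above but is neither exported nor handed to `dh_auto_install`, so the upstream Makefile presumably falls back to its own default and installs under `usr/local` (the path in the quoted error). Restoring `override_dh_auto_install:` with `dh_auto_install -- "PREFIX=$(PREFIX)" "ROOT_SBINDIR=$(ROOT_SBINDIR)"` should let the empty `override_dh_usrlocal` go away instead of shipping files under `/usr/local`. Also, `export CARGO_ARGS = "--frozen"` stores the double quotes as part of the value, and `cargo_config` is a command target that should be listed in `.PHONY`.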
@@ -0,0 +1,36 @@
+tar-ignore=*.a
+tar-ignore=*.la
+tar-ignore=*.o
+tar-ignore=*.so
+tar-ignore=.*.sw?
+tar-ignore=*/*~
+tar-ignore=,,*
+tar-ignore=.[#~]*
+tar-ignore=.arch-ids
+tar-ignore=.arch-inventory
+tar-ignore=.be
+tar-ignore=.bzr
+tar-ignore=.bzr.backup
+tar-ignore=.bzr.tags
+tar-ignore=.bzrignore
+tar-ignore=.cvsignore
+tar-ignore=.deps
+tar-ignore=.git
+tar-ignore=.gitattributes
+#tar-ignore=.gitignore
+#tar-ignore=.gitmodules
+tar-ignore=.gitreview
+tar-ignore=.hg
+tar-ignore=.hgignore
+tar-ignore=.hgsigs
+tar-ignore=.hgtags
+tar-ignore=.mailmap
+tar-ignore=.mtn-ignore
+tar-ignore=.shelf
+tar-ignore=.svn
+tar-ignore=CVS
+tar-ignore=DEADJOE
+tar-ignore=RCS
+tar-ignore=_MTN
+tar-ignore=_darcs
+tar-ignore={arch} |
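Review bot: These `tar-ignore` patterns are not anchored to the top of the tree, so `*.a`, `*.o`, `*.so` and the VCS names also apply inside the `vendor` directory that `cargo vendor` adds at export time. If any vendored crate ships a matching file, the source tarball will lack it and cargo's per-crate checksum check would be expected to reject that crate in the offline build, which resembles the problem the `override_dh_clean` hack in debian/rules works around. A comment at the top of the file would record the constraint, e.g. `# patterns also apply under vendor/; do not exclude files that vendored crates ship`.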