-rw-r--r-- | .github/workflows/deb-buildd.yml | 156 | ||||
-rw-r--r-- | .github/workflows/deb-orchestrator.yml | 15 | ||||
-rw-r--r-- | .github/workflows/deb-publish.yml | 47 | ||||
-rw-r--r-- | .github/workflows/deb-src.yml | 74 | ||||
-rw-r--r-- | debian/control | 8 |
5 files changed, 215 insertions, 85 deletions
diff --git a/.github/workflows/deb-buildd.yml b/.github/workflows/deb-buildd.yml index 85dd5aea..affab1b2 100644 --- a/.github/workflows/deb-buildd.yml +++ b/.github/workflows/deb-buildd.yml @@ -10,7 +10,10 @@ on: arch: required: true type: string - dist: + dist-name: + required: true + type: string + dist-version: required: true type: string secrets: @@ -67,8 +70,8 @@ jobs: apt update apt full-upgrade apt install \ + ${{ inputs.dist-name }}-keyring \ curl \ - debian-keyring \ devscripts \ gpg \ iproute2 \ @@ -82,27 +85,6 @@ jobs: apt clean USER=`whoami` sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER - BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist }}/${{ inputs.arch }}" - mkdir -p "$BUILD_DIR" - tee ~/.sbuildrc > /dev/null <<EOT - \$verbose = 0; - \$build_dir = '$BUILD_DIR'; - \$distribution = '${{ inputs.dist }}'; - #\$host_arch = '${{ inputs.arch }}'; - \$chroot_mode = 'unshare'; - \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; - \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; - EOT - if [ "${{ inputs.dist }}" != "unstable" ] \ - && [ "${{ inputs.dist }}" != "testing" ]; - then - tee -a ~/.sbuildrc > /dev/null <<EOT - \$extra_repositories = [ - 'deb http://deb.debian.org/debian ${{ inputs.dist }}-updates main', - 'deb http://deb.debian.org/debian ${{ inputs.dist }}-backports main' - ]; - EOT - fi - name: Import GPG key timeout-minutes: 1 id: gpg 
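Review bot: In the `apt install` list of the `@@ -67` hunk, `${{ inputs.dist-name }}-keyring` resolves to `debian-keyring` for the Debian matrix entries, and that package ships the keys of Debian developers and maintainers in `/usr/share/keyrings/debian-keyring.gpg`, not the archive signing keys, which live in `debian-archive-keyring` as `/usr/share/keyrings/debian-archive-keyring.gpg` — the counterpart of the `ubuntu-archive-keyring.gpg` that the Ubuntu branch later hands to mmdebstrap. The new `Configure sbuild` step passes `--keyring=/usr/share/keyrings/debian-keyring.gpg`, so verification of the bootstrapped chroot's Release files presumably only works if mmdebstrap still falls back to the host's `/etc/apt/trusted.gpg.d`; that is worth confirming rather than relying on. Consider installing `debian-archive-keyring` explicitly for the Debian case (the `debian:unstable-slim` base image likely already has it) and pointing `--keyring=` at `/usr/share/keyrings/debian-archive-keyring.gpg`. The same pair of lines appears in deb-src.yml, in its `apt install` and `Configure sbuild` hunks.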
@@ -118,11 +100,12 @@ jobs: run: | set -xe gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + rm -f ~/.gnupg/trustedkeys.gpg gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT - tee -a ~/.gbp.conf > /dev/null <<EOT + tee -a ~/.gbp.conf > /dev/null <<EOT [buildpackage] sign-tags = True keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} 
@@ -131,9 +114,82 @@ jobs: DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT tee -a ~/.sbuildrc > /dev/null <<EOT - \$verbose = 1; + \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; EOT + - name: Configure sbuild + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + BUILD_DIR="$GITHUB_WORKSPACE/deb-bin/${{ inputs.dist-version }}/${{ inputs.arch }}" + mkdir -p "$BUILD_DIR" + tee -a ~/.sbuildrc > /dev/null <<EOT + \$verbose = 1; + \$build_dir = '$BUILD_DIR'; + \$distribution = '${{ inputs.dist-version }}'; + #\$host_arch = '${{ inputs.arch }}'; + \$chroot_mode = 'unshare'; + \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; + EOT + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + '--variant=apt' + ]; + EOT + if [ "${{ inputs.dist-name }}" = "debian" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + 'http://deb.debian.org/debian', + '--keyring=/usr/share/keyrings/debian-keyring.gpg', + '--components=main' + ]; + EOT + fi + if [ "${{ inputs.dist-name }}" = "debian" ] && [ "${{ inputs.dist-version }}" != "unstable" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + \$extra_repositories = [ + 'deb http://deb.debian.org/debian ${{ inputs.dist-version }}-updates main', + 'deb http://deb.debian.org/debian ${{ inputs.dist-version }}-backports main' + ]; + EOT + fi + if [ "${{ inputs.dist-name }}" = "ubuntu" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + '--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg', + '--components=main,universe' + ]; + EOT + fi + if [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" = "amd64" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + 
'http://archive.ubuntu.com/ubuntu', + ]; + \$extra_repositories = [ + 'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-updates main universe', + 'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-security main universe', + 'deb http://archive.ubuntu.com/ubuntu ${{ inputs.dist-version }}-backports main universe', + ]; + EOT + elif [ "${{ inputs.dist-name }}" = "ubuntu" ] && [ "${{ inputs.arch }}" != "amd64" ]; + then + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + 'http://ports.ubuntu.com/ubuntu-ports', + ]; + \$extra_repositories = [ + 'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-updates main universe', + 'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-security main universe', + 'deb http://ports.ubuntu.com/ubuntu-ports ${{ inputs.dist-version }}-backports main universe', + ]; + EOT + fi - name: Download source-only .deb to be built timeout-minutes: 1 uses: actions/download-artifact@v5 
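Review bot: The new `Configure sbuild` step is gated on `steps.gpg.conclusion != 'skipped'`, yet it carries the non-signing settings (`$build_dir`, `$distribution`, `$chroot_mode`, `$unshare_tmpdir_template`, the mmdebstrap arguments) that the unconditional `Build the package` step in the next hunk depends on; before this commit those lines were written unconditionally in the install step removed at `@@ -82`. If, as in deb-publish.yml, the key import is skipped on `pull_request` events, sbuild would then run with its defaults on PR builds. Consider dropping the `if:` from this step and leaving only `$key_id` and `$dpkg_buildpackage_user_options` under the GPG gate; the `Configure sbuild` hunk in deb-src.yml has the same gating. Separately, the Debian `$extra_repositories` block adds `-updates` and `-backports` but, unlike the Ubuntu branches, no `-security` suite; if that is intentional, a one-line comment saying so would help, otherwise `'deb http://security.debian.org/debian-security ${{ inputs.dist-version }}-security main'` belongs there for stable releases. The step that opens this hunk starts above it.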
@@ -146,37 +202,51 @@ jobs: set -xe cd "$GITHUB_WORKSPACE/deb-src" tar -xf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" - - name: Ensure that source package is signed + rm "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" + - name: Ensure that all incoming source artifacts are signed timeout-minutes: 1 if: steps.gpg.conclusion != 'skipped' run: | set -xe - dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes + cd "$GITHUB_WORKSPACE/deb-src" + find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ + echo 'Processing {}' \ + && ( \ + gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ + || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ + || (echo 'Processing {}: NOT SIGNED!' && exit 1) \ + ) \ + && echo 'Processing {}: ok' \ + " - name: Build the package timeout-minutes: 10 run: | set -xe - cd "$GITHUB_WORKSPACE/deb-bin/" - sbuild --verbose "$GITHUB_WORKSPACE/deb-src/"*.dsc - - name: Sign the .deb's - timeout-minutes: 1 - if: steps.gpg.conclusion != 'skipped' - run: | - set -xe - find "$GITHUB_WORKSPACE/deb-bin/" -type f -name '*.deb' -exec gpg --verbose --detach-sign {} ';' - - name: Ensure that binary package is signed + cd "$GITHUB_WORKSPACE/deb-bin" + if [ "${{ inputs.dist-name }}" = "ubuntu" ]; + then + export DEB_BUILD_OPTIONS=noautodbgsym + fi + sbuild --verbose --arch-any --arch-all "$GITHUB_WORKSPACE/deb-src/"*.dsc + - name: Ensure that all binary artifacts are signed, or sign them timeout-minutes: 1 if: steps.gpg.conclusion != 'skipped' run: | set -xe - cd "$GITHUB_WORKSPACE/deb-bin/" - find -name '*.changes' -print0 | xargs -0 dscverify --verbose + cd "$GITHUB_WORKSPACE/deb-bin" + find . 
-type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ + echo 'Processing {}' && ( \ + gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ + || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ + || gpg --verbose --detach-sign {} \ + ) \ + " - name: Archive build artifacts timeout-minutes: 1 run: | set -xe - cd "$GITHUB_WORKSPACE/deb-bin/" - tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar" * + cd "$GITHUB_WORKSPACE/deb-bin" + tar -cf "$GITHUB_WORKSPACE/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar" * - name: Attest build artifact timeout-minutes: 1 if: github.event_name != 'pull_request' @@ -188,8 +258,8 @@ jobs: id: deb-bin-upload uses: actions/upload-artifact@v4 with: - name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar - path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar' + name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar + path: '${{ github.workspace }}/deb-bin/artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar' if-no-files-found: error compression-level: 0 - name: Attest uploaded build artifact @@ -197,5 +267,5 @@ jobs: if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@v3 with: - subject-name: artifact-bin-${{ inputs.dist }}-${{ inputs.arch }}.tar.zip + subject-name: artifact-bin-${{ inputs.dist-version }}-${{ inputs.arch }}.tar.zip subject-digest: sha256:${{ steps.deb-bin-upload.outputs.artifact-digest }} diff --git a/.github/workflows/deb-orchestrator.yml b/.github/workflows/deb-orchestrator.yml index e43b5b46..9db55061 100644 --- a/.github/workflows/deb-orchestrator.yml +++ b/.github/workflows/deb-orchestrator.yml 
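Review bot: The new verification loops splice each file name into the `sh -c` script text via `xargs -I'{}'`, so a name containing a quote, `$`, a backtick or whitespace would be re-parsed as shell rather than treated as a path; the inputs here come from the workflow's own artifact, so this is hardening rather than an open hole, but passing the name as a positional argument and quoting `"$1"` removes the issue and makes the script easier to read. The same construct appears in the `Ensure that all binary artifacts are signed, or sign them` step below, in deb-publish.yml (`Ensure that all incoming artifacts are signed`) and in deb-src.yml (`Ensure that all source artifacts are signed, or sign them`). With `-n1` the script runs once per path and `xargs` still exits 123 when any invocation fails, so `set -e` keeps failing the step.
```yaml
          cd "$GITHUB_WORKSPACE/deb-src"
          find . -type f -not -iname '*.sig' -print0 | xargs --null -n1 sh -c '
            f="$1"
            echo "Processing $f" \
            && ( \
              gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f" \
              || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify "$f.sig" \
              || (echo "Processing $f: NOT SIGNED!" && exit 1) \
            ) \
            && echo "Processing $f: ok"
          ' _
          # … unchanged: Build the package, sign-or-verify of binaries (same rewrite, with the --detach-sign fallback in place of the exit 1), archive and attest steps …
```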
@@ -21,6 +21,10 @@ jobs: contents: read attestations: write uses: ./.github/workflows/deb-src.yml + with: + runs-on: ubuntu-latest + dist-name: debian + dist-version: unstable secrets: GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }} GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} @@ -36,19 +40,24 @@ jobs: stack: - { runs-on: "ubuntu-latest", arch: "amd64" } - { runs-on: "ubuntu-24.04-arm", arch: "arm64" } - dist: [ unstable, forky, trixie ] + dist: + - { name: debian, version: unstable } + - { name: debian, version: forky } # Debian 14 + - { name: debian, version: trixie } # Debian 13 + - { name: ubuntu, version: questing } # Ubuntu 25.10 (Questing Quokka) Beta + - { name: ubuntu, version: plucky } # Ubuntu 25.04 (Plucky Puffin) uses: ./.github/workflows/deb-buildd.yml with: deb-src-artifact-id: ${{ needs.source-only.outputs.deb-src-artifact-id }} runs-on: ${{ matrix.stack.runs-on }} arch: ${{ matrix.stack.arch }} - dist: ${{ matrix.dist }} + dist-name: ${{ matrix.dist.name }} + dist-version: ${{ matrix.dist.version }} secrets: GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }} GPG_SIGNING_SUBKEY_FINGERPRINT: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} publish: needs: [ source-only, buildd ] - if: github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master')) uses: ./.github/workflows/deb-publish.yml secrets: GPG_SECRET_SUBKEYS: ${{ secrets.GPG_SECRET_SUBKEYS }} diff --git a/.github/workflows/deb-publish.yml b/.github/workflows/deb-publish.yml index 5a341d8d..4aff5a52 100644 --- a/.github/workflows/deb-publish.yml +++ b/.github/workflows/deb-publish.yml @@ -67,7 +67,7 @@ jobs: xz-utils \ zip apt clean - - name: Configure gpg-agent / ssh + - name: Pre-Configure gpg-agent / ssh timeout-minutes: 1 run: | set -xe 
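Review bot: The `if:` guard removed from the `publish` job in the `@@ -36` hunk (`github.event_name != 'pull_request' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name == 'master'))`) was what kept pull requests and non-master branches away from deb-publish.yml; the gates that remain live inside that workflow and do not line up with each other — the GPG import, and with it the new `Ensure that all incoming artifacts are signed` step, is skipped only on `pull_request`, while the `sshfs` mount now keys on `secrets.SSH_HOST` being non-empty. A push to any other branch, or a pull request opened from a branch of the same repository (where secrets are available), would therefore mount the remote `uploads` directory and run `reprepro include` on artifacts that were never signature-checked. If running deb-publish.yml on pull requests as a local dry run is the intent, consider keeping the ref/event condition on the job, or applying the same condition to the sshfs mount and to the remote-facing part of `Create and populate repos`.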
@@ -82,23 +82,31 @@ jobs: echo "${{ secrets.SSH_SERVER_KEYS }}" >> /etc/ssh/ssh_known_hosts - name: Import GPG key timeout-minutes: 1 + id: gpg if: github.event_name != 'pull_request' uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 with: gpg_private_key: ${{ secrets.GPG_SECRET_SUBKEYS }} fingerprint: ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} trust_level: 5 - - name: Configure GPG + - name: Finish configuring gpg-agent / ssh timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' run: | set -xe gpg-connect-agent 'keyattr ${{ secrets.GPG_AUTH_SUBKEY_KEYGRIP }} Use-for-ssh: true' /bye + - name: Configure GPG + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + rm -f ~/.gnupg/trustedkeys.gpg gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT - tee -a ~/.gbp.conf > /dev/null <<EOT + tee -a ~/.gbp.conf > /dev/null <<EOT [buildpackage] sign-tags = True keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} @@ -106,10 +114,6 @@ jobs: tee -a ~/.devscripts > /dev/null <<EOT DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT - tee -a ~/.sbuildrc > /dev/null <<EOT - \$verbose = 1; - \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; - EOT - name: Download all artifacts timeout-minutes: 1 uses: actions/download-artifact@v5 
@@ -119,13 +123,28 @@ jobs: timeout-minutes: 1 run: | set -xe - SRC_DIR="$GITHUB_WORKSPACE/src-artifacts" + SRC_DIR="$GITHUB_WORKSPACE/incoming/src-artifacts" mkdir -p "$SRC_DIR" find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name artifact-src.tar -exec tar -xf {} -C "$SRC_DIR" ';' -delete - BIN_DIR="$GITHUB_WORKSPACE/bin-artifacts" + BIN_DIR="$GITHUB_WORKSPACE/incoming/bin-artifacts" mkdir -p "$BIN_DIR" find "$GITHUB_WORKSPACE/packed-artifacts" -type f -name '*.tar' -exec tar -xf {} -C "$BIN_DIR" ';' -delete rm -rf "$GITHUB_WORKSPACE/packed-artifacts" + - name: Ensure that all incoming artifacts are signed + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + cd "$GITHUB_WORKSPACE/incoming" + find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ + echo 'Processing {}' \ + && ( \ + gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ + || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ + || (echo 'Processing {}: NOT SIGNED!' && exit 1) \ + ) \ + && echo 'Processing {}: ok' \ + " - name: Create and populate repos timeout-minutes: 60 run: | @@ -133,7 +152,9 @@ jobs: ls -lahR MOUNTPOINT="$GITHUB_WORKSPACE/remotefs" mkdir -p "$MOUNTPOINT" + if [ -n "${{ secrets.SSH_HOST }}" ]; then sshfs ${{ secrets.SSH_HOST }}/uploads "$MOUNTPOINT" + fi REPO_ROOT="$MOUNTPOINT/public_html" mkdir -p "$REPO_ROOT" cp -f /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc "$REPO_ROOT" @@ -169,10 +190,10 @@ jobs: Source, Debian tarballs and dsc files can be verified using https://github.com/sigstore/rekor. EOR - cd "$GITHUB_WORKSPACE/bin-artifacts" + cd "$GITHUB_WORKSPACE/incoming/bin-artifacts" for DIST in * do - SRCDIR="$GITHUB_WORKSPACE/bin-artifacts/$DIST" + SRCDIR="$GITHUB_WORKSPACE/incoming/bin-artifacts/$DIST" cd "$SRCDIR" REPO="$REPO_ROOT/$DIST" mkdir -p "$REPO/conf/distributions" 
@@ -195,7 +216,7 @@ jobs: verbose ignore longkeyid EOT - reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/src-artifacts/"*.changes + reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE "$GITHUB_WORKSPACE/incoming/src-artifacts/"*.changes for f in "$SRCDIR"/*/*.changes do reprepro --basedir "$REPO" --ignore=wrongdistribution include bcachefs-tools-$SUITE $f @@ -203,4 +224,4 @@ jobs: reprepro --basedir "$REPO" createsymlinks reprepro --basedir "$REPO" export done - umount "$MOUNTPOINT" + umount "$MOUNTPOINT" || /bin/true diff --git a/.github/workflows/deb-src.yml b/.github/workflows/deb-src.yml index e33c47c3..917d907d 100644 --- a/.github/workflows/deb-src.yml +++ b/.github/workflows/deb-src.yml @@ -1,5 +1,15 @@ on: workflow_call: + inputs: + runs-on: + required: true + type: string + dist-name: + required: true + type: string + dist-version: + required: true + type: string outputs: deb-src-artifact-id: value: ${{ jobs.linux.outputs.deb-src-artifact-id }} @@ -9,13 +19,11 @@ on: jobs: linux: - runs-on: ubuntu-latest + runs-on: ${{ inputs.runs-on }} container: image: debian:unstable-slim options: --cap-add=SYS_ADMIN --security-opt=apparmor:unconfined --tmpfs /tmp:exec --tmpfs /__w/${{ github.event.repository.name }}/${{ github.event.repository.name }}:exec env: - DIST: unstable - ARCH: x86_64 RUST_VERSION: 1.89.0 DEBFULLNAME: apt.bcachefs.org CI bot DEBEMAIL: linux-bcachefs@vger.kernel.org @@ -57,6 +65,7 @@ jobs: apt update apt full-upgrade apt install \ + ${{ inputs.dist-name }}-keyring \ curl \ devscripts \ git \ 
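Review bot: `umount "$MOUNTPOINT" || /bin/true` in the `@@ -203` hunk now hides every unmount failure, including the case where the remote was mounted and writes to the sshfs-backed repo did not flush; since the mount is conditional on `secrets.SSH_HOST`, the tighter form is to unmount only when something is mounted: `if mountpoint -q "$MOUNTPOINT"; then umount "$MOUNTPOINT"; fi`. That keeps the error visible on real publishes while still passing when no remote was mounted. The `Create and populate repos` step starts outside this hunk.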
@@ -73,12 +82,6 @@ jobs: apt clean USER=`whoami` sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER - tee ~/.sbuildrc > /dev/null <<EOT - \$build_dir = '$GITHUB_WORKSPACE/deb-src'; - \$chroot_mode = 'unshare'; - \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; - \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; - EOT - name: Import GPG key timeout-minutes: 1 id: gpg @@ -94,11 +97,12 @@ jobs: run: | set -xe gpg --output /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc --armor --export ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} + rm -f ~/.gnupg/trustedkeys.gpg gpg --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --import /etc/apt/trusted.gpg.d/apt.bcachefs.org.asc tee -a ~/.gnupg/gpg.conf > /dev/null <<EOT default-key ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT - tee -a ~/.gbp.conf > /dev/null <<EOT + tee -a ~/.gbp.conf > /dev/null <<EOT [buildpackage] sign-tags = True keyid = ${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} 
@@ -107,9 +111,32 @@ jobs: DEBSIGN_KEYID=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }} EOT tee -a ~/.sbuildrc > /dev/null <<EOT - \$verbose = 1; + \$key_id = '${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}'; \$dpkg_buildpackage_user_options = ['--sign-keyid=${{ secrets.GPG_SIGNING_SUBKEY_FINGERPRINT }}', '--force-sign']; EOT + - name: Configure sbuild + timeout-minutes: 1 + if: steps.gpg.conclusion != 'skipped' + run: | + set -xe + BUILD_DIR="$GITHUB_WORKSPACE/deb-src" + mkdir -p "$BUILD_DIR" + tee -a ~/.sbuildrc > /dev/null <<EOT + \$verbose = 1; + \$build_dir = '$BUILD_DIR'; + \$distribution = '${{ inputs.dist-version }}'; + #\$host_arch = '${{ inputs.arch }}'; + \$chroot_mode = 'unshare'; + \$unshare_tmpdir_template = '/tmp/tmp.sbuild.XXXXXXXXXX'; + EOT + tee -a ~/.sbuildrc > /dev/null <<EOT + push @{\$unshare_mmdebstrap_extra_args}, "*", [ + 'http://deb.debian.org/debian', + '--variant=apt', + '--keyring=/usr/share/keyrings/debian-keyring.gpg', + '--components=main' + ]; + EOT - name: Install Rust / cargo timeout-minutes: 1 run: | @@ -129,7 +156,7 @@ jobs: set -xe git config --global user.email "${{ env.DEBFULLNAME }}" git config --global user.name "${{ env.DEBEMAIL }}" - cd "$GITHUB_WORKSPACE/bcachefs-tools/" + cd "$GITHUB_WORKSPACE/bcachefs-tools" CURR_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=0 --max-count=1))" PREV_TAG="$(git describe --abbrev=0 --tags $(git rev-list HEAD --tags --skip=1 --max-count=1))" NEW_VERSION="${{ env.DEBPKG_EPOCH }}:$(echo $CURR_TAG | sed 's/^v//')" 
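Review bot: `#\$host_arch = '${{ inputs.arch }}';` in the new `Configure sbuild` step references an input that deb-src.yml does not declare (the `@@ -1` hunk adds only `runs-on`, `dist-name` and `dist-version`), so the expression expands to an empty string; it is harmless as a Perl comment but reads as a stale copy from deb-buildd.yml and should be dropped or backed by a real input. The mmdebstrap arguments hard-code `http://deb.debian.org/debian` and `debian-keyring.gpg` while the install step uses `${{ inputs.dist-name }}-keyring`, so a non-Debian `dist-name` would be only half-honoured; if this workflow is Debian-only by design, a comment on the `dist-name` input would make that explicit. This step's `if: steps.gpg.conclusion != 'skipped'` mirrors deb-buildd.yml and, if the later `gbp buildpackage` step is unconditional, leaves sbuild without `$build_dir`/`$chroot_mode` whenever the key import is skipped.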
@@ -145,27 +172,28 @@ jobs: run: | set -xe . "$HOME/.cargo/env" - cd "$GITHUB_WORKSPACE/bcachefs-tools/" + cd "$GITHUB_WORKSPACE/bcachefs-tools" mkdir -p "$GITHUB_WORKSPACE/deb-src" # FIXME: pubkey is not avaliable in chroot, .dsc signature verification fails - gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ env.DIST }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any - - name: Sign the source tarball - timeout-minutes: 1 - if: steps.gpg.conclusion != 'skipped' - run: | - set -xe - find "$GITHUB_WORKSPACE/deb-src/" -type f -name '*.tar.*' -exec gpg --verbose --detach-sign {} ';' - - name: Ensure that source package is signed + gbp buildpackage --git-verbose --git-ignore-branch --no-clean --git-dist=${{ inputs.dist-version }} --git-builder=sbuild --source --source-only-changes --no-arch-all --no-arch-any + - name: Ensure that all source artifacts are signed, or sign them timeout-minutes: 1 if: steps.gpg.conclusion != 'skipped' run: | set -xe - dscverify --verbose "$GITHUB_WORKSPACE/deb-src/"*.changes + cd "$GITHUB_WORKSPACE/deb-src" + find . -type f -not -iname '*.sig' -print0 | xargs --null -I'{}' sh -c "\ + echo 'Processing {}' && ( \ + gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {} \ + || gpg --verbose --no-default-keyring --keyring ~/.gnupg/trustedkeys.gpg --verify {}.sig \ + || gpg --verbose --detach-sign {} \ + ) \ + " - name: Archive source build artifacts timeout-minutes: 1 run: | set -xe - cd "$GITHUB_WORKSPACE/deb-src/" + cd "$GITHUB_WORKSPACE/deb-src" tar -cf "$GITHUB_WORKSPACE/deb-src/artifact-src.tar" * - name: Attest the source-only .deb package artifact timeout-minutes: 1 diff --git a/debian/control b/debian/control index 4afd99f0..917b87f2 100644 --- a/debian/control +++ b/debian/control 
@@ -5,8 +5,8 @@ Priority: optional Standards-Version: 4.7.0 Rules-Requires-Root: no Build-Depends: debhelper-compat (= 13), - dh-dkms, cargo, + dh-dkms, jq, libaio-dev, libblkid-dev, @@ -17,11 +17,12 @@ Build-Depends: debhelper-compat (= 13), libscrypt-dev, libsodium-dev, libudev-dev, - liburcu-dev, + liburcu-dev (>= 0.15), libzstd-dev, pkgconf, python3-docutils, python3:native, + rustc (>= 1.77), systemd-dev, uuid-dev, zlib1g-dev, @@ -46,7 +47,8 @@ Description: bcachefs userspace tools Package: bcachefs-kernel-dkms Architecture: linux-any -Depends: ${shlibs:Depends}, ${misc:Depends}, +Section: kernel +Depends: ${misc:Depends}, initramfs-tools | linux-initramfs-tool, linux-headers-amd64 [amd64], linux-headers-arm64 [arm64], |