From 17685466c5e545b3bb63ffab3cf3838bc96e8fd4 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 26 Apr 2026 04:55:06 +0000
Subject: [PATCH] ci: add nx-component-upload + edit privs, strip workflow comments, shorter step names
---
 .gitea/workflows/build-publish.yml | 63 +++--------------------------
 1 file changed, 6 insertions(+), 57 deletions(-)
diff --git a/.gitea/workflows/build-publish.yml b/.gitea/workflows/build-publish.yml
index b77b4de..c38cae3 100644
--- a/.gitea/workflows/build-publish.yml
+++ b/.gitea/workflows/build-publish.yml
@@ -1,21 +1,3 @@
-# =============================================================================
-# build-and-publish (multi-distro matrix)
-#
-# Builds twiy as a Debian .deb for each target distro in parallel:
-# - trixie (Debian 13) -> uploaded to NEXUS_REPO_TRIXIE
-# - raccoon (Ubuntu 26.04 LTS) -> uploaded to NEXUS_REPO_RACCOON
-#
-# Each matrix job runs DIRECTLY INSIDE a container of the target distro
-# (Gitea Actions `container:` directive, not nested docker-in-docker).
-# act_runner mounts the workspace into the container, so apt/ldd/dpkg-deb
-# all see the target distro's libraries — no host contamination.
-#
-# Required repository secrets (set up by the API provisioning script):
-# NEXUS_URL (shared)
-# NEXUS_USER_TRIXIE, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE
-# NEXUS_USER_RACCOON, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON
-# Each NEXUS_USER_* is a least-privilege user scoped to ONE apt-hosted repo.
-# =============================================================================
 name: build-and-publish
 on:
@@ -27,7 +9,6 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 strategy:
- # If trixie fails, still finish raccoon (and vice versa) — surface both.
 fail-fast: false
 matrix:
 target: [trixie, raccoon]
@@ -43,32 +24,25 @@ jobs:
 nexus_user_secret: NEXUS_USER_RACCOON
 nexus_pass_secret: NEXUS_PASS_RACCOON
- # Run all steps directly inside the target distro's container. Gitea's
- # act_runner mounts the workspace and injects node so actions/checkout
- # works. No nested docker calls needed.
 container:
 image: ${{ matrix.image }}
 steps:
- # The default debian/ubuntu images lack git + ca-certificates + node,
- # all of which actions/checkout@v4 needs (it's a JS action). Cheaper to
- # install them here than to bake a custom image.
- - name: Bootstrap checkout deps
+ - name: Bootstrap
 run: |
 apt-get update -qq
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 git ca-certificates nodejs
- - name: Checkout source
+ - name: Checkout
 uses: actions/checkout@v4
- - name: Build nginx and assemble .deb (${{ matrix.target }})
+ - name: Build
 id: pkg
 env:
 TARGET: ${{ matrix.target }}
 run: |
 set -euo pipefail
- # /.dockerenv tells build/${TARGET}.sh's postfix step to skip systemctl
 touch /.dockerenv
 bash build/${TARGET}.sh new
 bash build/${TARGET}.sh build
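Review bot: With the comment above `touch /.dockerenv` removed, the Build step now creates a file at the container root with no stated reason, which a later maintainer will read as stray debugging; keep a one-line comment such as `# /.dockerenv makes build/${TARGET}.sh skip systemctl inside the container` (this is what the removed comment recorded). The same loss of intent applies to `VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"` in the `@@ -76,22 +50,11 @@` hunk, where neither the run-number revision nor the `~${TARGET}` suffix is explained any more; a short `# run number makes every rebuild a newer Debian revision; ~target keeps the distro builds distinct` would preserve it. Shortening the step name to `Build` also drops `${{ matrix.target }}`, so both matrix legs now log identical step names; fine if the job name carries the target, but worth confirming in the runner UI. The Build step's `run:` block continues past the end of this hunk.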
@@ -76,22 +50,11 @@ jobs:
 PKG_NAME="twiy"
 NGINX_VER="$(nginx -v 2>&1 | awk -F/ '{print $2}')"
- # Append CI run number AND target so each rebuild is a strictly-
- # greater Debian revision. Without this, `apt upgrade twiy` would
- # be a no-op when upstream nginx hasnt moved, so packaging fixes
- # wouldnt reach users who already have the package installed.
- # The ~target suffix keeps trixie/raccoon versions distinct in
- # case any introspection ever compares them.
 VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
 ARCH="amd64"
 PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
 DEB_DIR="${PKG_DIR}/DEBIAN"
- # The *_temp dirs under /usr/local/nginx are nginx's compiled-in
- # defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
- # storage (no --http-*-temp-path was passed to ./configure). They
- # must exist before `nginx -t` runs, so we ship them empty in the
- # .deb and the postinst chowns them to the nginx user.
 mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
 "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
 "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
@@ -109,14 +72,10 @@ jobs:
 cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
 cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
- # Bundle every shared library nginx links against. ldd resolves
- # against THIS container's libraries (not the runner host) so the
- # .deb gets the correct per-distro libs.
 for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
 cp "$lib" "${PKG_DIR}/usr/lib/" || true
 done
- # ---- DEBIAN/control --------------------------------------------
 mkdir -p "${DEB_DIR}"
 cat > "${DEB_DIR}/control" < "${DEB_DIR}/postinst" <<'EOFPOSTINST'
 #!/bin/bash
- # Idempotent: safe on first install, upgrade, and reinstall.
 useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
 install -d -o nginx -g nginx -m 0755 \
 /usr/local/nginx \
@@ -162,11 +119,7 @@ jobs:
 ls -la "${DEB_FILE}"
 sha256sum "${DEB_FILE}"
- # Each matrix target uses its own dedicated Nexus user (ci-trixie /
- # ci-raccoon) whose role is scoped to that ONE apt-hosted repo.
- # Verified at provisioning time: each user gets 403 trying to touch
- # the other repo. Admin credentials are NOT used by CI.
- - name: Publish to Nexus (${{ matrix.target }})
+ - name: Publish
 env:
 NEXUS_USER: ${{ secrets[matrix.nexus_user_secret] }}
 NEXUS_PASS: ${{ secrets[matrix.nexus_pass_secret] }}
@@ -179,9 +132,6 @@ jobs:
 set -euo pipefail
 umask 077
- # Need curl + python3 to talk to Nexus REST. python3 came with the
- # build deps; curl was installed by `bash build/X.sh new`. Add
- # explicitly anyway since this step is independent.
 apt-get install -y -q --no-install-recommends curl python3 ca-certificates >/dev/null
 SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
@@ -198,7 +148,6 @@ jobs:
 "$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
 unset NEXUS_USER NEXUS_PASS
- # Replace prior version of this same package in this same repo.
 OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
 "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
 | PKG_NAME="$PKG_NAME" python3 -c '
@@ -217,6 +166,6 @@ jobs:
 -X POST -F "apt.asset=@$DEB_FILE" \
 "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
 case "$HTTP" in
- 201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
- *) echo "[$TARGET] upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
+ 201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE")" ;;
+ *) echo "[$TARGET] upload failed (HTTP $HTTP)"; cat "$SECDIR/upload.body"; exit 1 ;;
 esac
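Review bot: The Publish step now carries no statement of which Nexus privileges `NEXUS_USER`/`NEXUS_PASS` are expected to hold, while the commit title says the role was widened to nx-component-upload and edit; the removed comment was the only in-repo record that each per-target user is scoped to a single apt-hosted repo and that admin credentials are not used by CI. Rather than dropping it, a one-line comment above `env:` such as `# NEXUS_USER_* holds only nx-component-upload + edit on its own NEXUS_REPO; admin creds are never used here` keeps the least-privilege contract reviewable next to the secrets that carry it. The Nexus role change itself is not part of this diff, so whether the wider privilege is still repo-scoped cannot be verified from here and should be checked on the provisioning side. The step's `run:` body lies in the hunks that follow.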
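Review bot: Replacing `head -c 400` with `cat` on the failure branch dumps the whole Nexus response body into the CI log, where it is retained with the rest of the job output; an HTML error page or an intermediate proxy response can be large, and a bounded excerpt was already enough to diagnose the status code. Keep a cap, raised if 400 bytes proved too little in practice: `*) echo "[$TARGET] upload failed (HTTP $HTTP)"; head -c 4096 "$SECDIR/upload.body"; exit 1 ;;`. The enclosing `run:` block, including where `$SECDIR` is created and removed, starts before this hunk.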