ci: add nx-component-upload + edit privs, strip workflow comments, shorter step names
This commit is contained in:
@@ -1,21 +1,3 @@
|
||||
# =============================================================================
|
||||
# build-and-publish (multi-distro matrix)
|
||||
#
|
||||
# Builds twiy as a Debian .deb for each target distro in parallel:
|
||||
# - trixie (Debian 13) -> uploaded to NEXUS_REPO_TRIXIE
|
||||
# - raccoon (Ubuntu 26.04 LTS) -> uploaded to NEXUS_REPO_RACCOON
|
||||
#
|
||||
# Each matrix job runs DIRECTLY INSIDE a container of the target distro
|
||||
# (Gitea Actions `container:` directive, not nested docker-in-docker).
|
||||
# act_runner mounts the workspace into the container, so apt/ldd/dpkg-deb
|
||||
# all see the target distro's libraries — no host contamination.
|
||||
#
|
||||
# Required repository secrets (set up by the API provisioning script):
|
||||
# NEXUS_URL (shared)
|
||||
# NEXUS_USER_TRIXIE, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE
|
||||
# NEXUS_USER_RACCOON, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON
|
||||
# Each NEXUS_USER_* is a least-privilege user scoped to ONE apt-hosted repo.
|
||||
# =============================================================================
|
||||
name: build-and-publish
|
||||
|
||||
on:
|
||||
@@ -27,7 +9,6 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-22.04
|
||||
strategy:
|
||||
# If trixie fails, still finish raccoon (and vice versa) — surface both.
|
||||
fail-fast: false
|
||||
matrix:
|
||||
target: [trixie, raccoon]
|
||||
@@ -43,32 +24,25 @@ jobs:
|
||||
nexus_user_secret: NEXUS_USER_RACCOON
|
||||
nexus_pass_secret: NEXUS_PASS_RACCOON
|
||||
|
||||
# Run all steps directly inside the target distro's container. Gitea's
|
||||
# act_runner mounts the workspace and injects node so actions/checkout
|
||||
# works. No nested docker calls needed.
|
||||
container:
|
||||
image: ${{ matrix.image }}
|
||||
|
||||
steps:
|
||||
# The default debian/ubuntu images lack git + ca-certificates + node,
|
||||
# all of which actions/checkout@v4 needs (it's a JS action). Cheaper to
|
||||
# install them here than to bake a custom image.
|
||||
- name: Bootstrap checkout deps
|
||||
- name: Bootstrap
|
||||
run: |
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||
git ca-certificates nodejs
|
||||
|
||||
- name: Checkout source
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Build nginx and assemble .deb (${{ matrix.target }})
|
||||
- name: Build
|
||||
id: pkg
|
||||
env:
|
||||
TARGET: ${{ matrix.target }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
# /.dockerenv tells build/${TARGET}.sh's postfix step to skip systemctl
|
||||
touch /.dockerenv
|
||||
bash build/${TARGET}.sh new
|
||||
bash build/${TARGET}.sh build
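Review bot: `uses: actions/checkout@v4` on the Checkout step resolves a mutable tag at run time, so the code that runs with access to the workspace and the job's secrets can change underneath this workflow without any change to the repo; pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The same consideration applies to `image: ${{ matrix.image }}` if the matrix rows (defined above this hunk, not visible here) reference the distro images by tag rather than digest. The Build step's `run:` block continues past the end of the hunk.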
|
||||
@@ -76,22 +50,11 @@ jobs:
|
||||
|
||||
PKG_NAME="twiy"
|
||||
NGINX_VER="$(nginx -v 2>&1 | awk -F/ '{print $2}')"
|
||||
# Append CI run number AND target so each rebuild is a strictly-
|
||||
# greater Debian revision. Without this, `apt upgrade twiy` would
|
||||
# be a no-op when upstream nginx hasnt moved, so packaging fixes
|
||||
# wouldnt reach users who already have the package installed.
|
||||
# The ~target suffix keeps trixie/raccoon versions distinct in
|
||||
# case any introspection ever compares them.
|
||||
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
|
||||
ARCH="amd64"
|
||||
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
|
||||
DEB_DIR="${PKG_DIR}/DEBIAN"
|
||||
|
||||
# The *_temp dirs under /usr/local/nginx are nginx's compiled-in
|
||||
# defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
|
||||
# storage (no --http-*-temp-path was passed to ./configure). They
|
||||
# must exist before `nginx -t` runs, so we ship them empty in the
|
||||
# .deb and the postinst chowns them to the nginx user.
|
||||
mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
|
||||
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
|
||||
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
|
||||
@@ -109,14 +72,10 @@ jobs:
|
||||
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
|
||||
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
|
||||
|
||||
# Bundle every shared library nginx links against. ldd resolves
|
||||
# against THIS container's libraries (not the runner host) so the
|
||||
# .deb gets the correct per-distro libs.
|
||||
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
|
||||
cp "$lib" "${PKG_DIR}/usr/lib/" || true
|
||||
done
|
||||
|
||||
# ---- DEBIAN/control --------------------------------------------
|
||||
mkdir -p "${DEB_DIR}"
|
||||
cat > "${DEB_DIR}/control" <<EOF
|
||||
Package: ${PKG_NAME}
|
||||
@@ -129,10 +88,8 @@ jobs:
|
||||
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI for ${TARGET}.
|
||||
EOF
|
||||
|
||||
# ---- DEBIAN/postinst -------------------------------------------
|
||||
cat > "${DEB_DIR}/postinst" <<'EOFPOSTINST'
|
||||
#!/bin/bash
|
||||
# Idempotent: safe on first install, upgrade, and reinstall.
|
||||
useradd -r -d /usr/local/nginx -s /bin/false nginx 2>/dev/null || true
|
||||
install -d -o nginx -g nginx -m 0755 \
|
||||
/usr/local/nginx \
|
||||
@@ -162,11 +119,7 @@ jobs:
|
||||
ls -la "${DEB_FILE}"
|
||||
sha256sum "${DEB_FILE}"
|
||||
|
||||
# Each matrix target uses its own dedicated Nexus user (ci-trixie /
|
||||
# ci-raccoon) whose role is scoped to that ONE apt-hosted repo.
|
||||
# Verified at provisioning time: each user gets 403 trying to touch
|
||||
# the other repo. Admin credentials are NOT used by CI.
|
||||
- name: Publish to Nexus (${{ matrix.target }})
|
||||
- name: Publish
|
||||
env:
|
||||
NEXUS_USER: ${{ secrets[matrix.nexus_user_secret] }}
|
||||
NEXUS_PASS: ${{ secrets[matrix.nexus_pass_secret] }}
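Review bot: With the comment block removed, nothing in the workflow any longer records that `NEXUS_USER_TRIXIE`/`NEXUS_USER_RACCOON` are meant to be separate least-privilege accounts each scoped to one apt-hosted repo, which is exactly the property a later editor is most likely to break by collapsing the matrix to a single shared credential pair. Keep a one-line reminder on the Publish step's `env:`, e.g. `# per-target Nexus user; must stay scoped to that one apt-hosted repo (never admin creds)`, or move the provisioning notes into the repo README and point to it here. The step's `run:` block continues in the next hunk.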
|
||||
@@ -179,9 +132,6 @@ jobs:
|
||||
set -euo pipefail
|
||||
umask 077
|
||||
|
||||
# Need curl + python3 to talk to Nexus REST. python3 came with the
|
||||
# build deps; curl was installed by `bash build/X.sh new`. Add
|
||||
# explicitly anyway since this step is independent.
|
||||
apt-get install -y -q --no-install-recommends curl python3 ca-certificates >/dev/null
|
||||
|
||||
SECDIR="$(mktemp -d -p /dev/shm twiy-XXXXXXXX 2>/dev/null \
|
||||
@@ -198,7 +148,6 @@ jobs:
|
||||
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
|
||||
unset NEXUS_USER NEXUS_PASS
|
||||
|
||||
# Replace prior version of this same package in this same repo.
|
||||
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
||||
| PKG_NAME="$PKG_NAME" python3 -c '
|
||||
@@ -217,6 +166,6 @@ jobs:
|
||||
-X POST -F "apt.asset=@$DEB_FILE" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
|
||||
case "$HTTP" in
|
||||
201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
|
||||
*) echo "[$TARGET] upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
|
||||
201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE")" ;;
|
||||
*) echo "[$TARGET] upload failed (HTTP $HTTP)"; cat "$SECDIR/upload.body"; exit 1 ;;
|
||||
esac
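Review bot: The failure branch now runs `cat "$SECDIR/upload.body"`, dropping the `head -c 400` bound the replaced line had, so an error response (a proxy's HTML error page, or a large JSON body from Nexus) is dumped unbounded into the CI log; keep a cap and terminate the line, e.g. `head -c 4000 "$SECDIR/upload.body"; echo`, since a body without a trailing newline otherwise runs into the next log line. The credentials themselves are not at risk here, since the netrc file is passed via `--netrc-file` and `NEXUS_USER`/`NEXUS_PASS` were already unset, so this is a log-hygiene point rather than a leak. The enclosing `run:` block starts before this hunk, and the `OLD_ID` lookup that the commit title refers to sits in an earlier hunk whose end is cut off, so the ordering of delete-old versus upload-new cannot be checked from what is shown.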
|
||||
|
||||