Ubuntu 26.04
This commit is contained in:
root
@@ -1,20 +1,3 @@
|
|||||||
# =============================================================================
|
|
||||||
# build-and-publish (multi-distro matrix)
|
|
||||||
#
|
|
||||||
# Builds twiy as a Debian .deb for each target distro in parallel:
|
|
||||||
# - trixie (Debian 13) -> uploaded to NEXUS_REPO_TRIXIE
|
|
||||||
# - raccoon (Ubuntu 26.04 LTS) -> uploaded to NEXUS_REPO_RACCOON
|
|
||||||
#
|
|
||||||
# Each matrix job spins up a Docker container of the target distro on the
|
|
||||||
# Gitea runner host, builds nginx + modules INSIDE the container so apt deps
|
|
||||||
# and ldd resolution match what end users have, then uploads the resulting
|
|
||||||
# .deb to that distro's Nexus apt-hosted repository.
|
|
||||||
#
|
|
||||||
# Required repository secrets:
|
|
||||||
# NEXUS_USER, NEXUS_PASS, NEXUS_URL (shared)
|
|
||||||
# NEXUS_REPO_TRIXIE (Debian 13 target)
|
|
||||||
# NEXUS_REPO_RACCOON (Ubuntu 26.04 target)
|
|
||||||
# =============================================================================
|
|
||||||
name: build-and-publish
|
name: build-and-publish
|
||||||
|
|
||||||
on:
|
on:
|
||||||
@@ -24,10 +7,8 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
# Runner is just a docker host; build OS is determined by matrix.image.
|
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
strategy:
|
strategy:
|
||||||
# If trixie fails, still finish raccoon (and vice versa) — surface both.
|
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
target: [trixie, raccoon]
|
target: [trixie, raccoon]
|
||||||
@@ -51,16 +32,12 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
mkdir -p dist
|
mkdir -p dist
|
||||||
# The whole compile + .deb assembly happens inside the target distro
|
|
||||||
# container. Output is dropped into ./dist/ (mounted from the runner)
|
|
||||||
# so the publish step on the host can grab it.
|
|
||||||
sudo docker run --rm \
|
sudo docker run --rm \
|
||||||
-v "$PWD:/repo" \
|
-v "$PWD:/repo" \
|
||||||
-w /repo \
|
-w /repo \
|
||||||
-e TARGET="$TARGET" \
|
-e TARGET="$TARGET" \
|
||||||
"$IMAGE" \
|
"$IMAGE" \
|
||||||
bash -euxc '
|
bash -euxc '
|
||||||
# build script handles its own apt-get install (per-distro list)
|
|
||||||
touch /.dockerenv
|
touch /.dockerenv
|
||||||
bash build/${TARGET}.sh new
|
bash build/${TARGET}.sh new
|
||||||
bash build/${TARGET}.sh build
|
bash build/${TARGET}.sh build
|
||||||
@@ -68,22 +45,10 @@ jobs:
|
|||||||
|
|
||||||
PKG_NAME="twiy"
|
PKG_NAME="twiy"
|
||||||
NGINX_VER="$(nginx -v 2>&1 | awk -F/ "{print \$2}")"
|
NGINX_VER="$(nginx -v 2>&1 | awk -F/ "{print \$2}")"
|
||||||
# Append CI run number AND target so each rebuild is a strictly-
|
|
||||||
# greater Debian revision. Without this, `apt upgrade twiy` would
|
|
||||||
# be a no-op when upstream nginx hasnt moved, so packaging fixes
|
|
||||||
# wouldnt reach users who already have the package installed.
|
|
||||||
# The ~target suffix keeps trixie/raccoon versions distinct in
|
|
||||||
# case any introspection ever compares them.
|
|
||||||
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
|
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
|
||||||
ARCH="amd64"
|
ARCH="amd64"
|
||||||
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
|
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
|
||||||
DEB_DIR="${PKG_DIR}/DEBIAN"
|
DEB_DIR="${PKG_DIR}/DEBIAN"
|
||||||
|
|
||||||
# The *_temp dirs under /usr/local/nginx are nginxs compiled-in
|
|
||||||
# defaults for client_body / proxy / fastcgi / uwsgi / scgi temp
|
|
||||||
# storage (no --http-*-temp-path was passed to ./configure). They
|
|
||||||
# must exist before `nginx -t` runs, so we ship them empty in the
|
|
||||||
# .deb and the postinst chowns them to the nginx user.
|
|
||||||
mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
|
mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
|
||||||
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
|
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
|
||||||
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
|
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
|
||||||
@@ -100,14 +65,9 @@ jobs:
|
|||||||
cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
|
cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
|
||||||
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
|
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
|
||||||
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
|
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
|
||||||
|
|
||||||
# Bundle every shared library nginx links against. ldd resolves
|
|
||||||
# against THIS containers libraries (not the runner host) so the
|
|
||||||
# .deb gets the correct per-distro libs.
|
|
||||||
for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do
|
for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do
|
||||||
cp "$lib" "${PKG_DIR}/usr/lib/" || true
|
cp "$lib" "${PKG_DIR}/usr/lib/" || true
|
||||||
done
|
done
|
||||||
|
|
||||||
# ---- DEBIAN/control --------------------------------------------
|
# ---- DEBIAN/control --------------------------------------------
|
||||||
mkdir -p "${DEB_DIR}"
|
mkdir -p "${DEB_DIR}"
|
||||||
cat > "${DEB_DIR}/control" <<EOF
|
cat > "${DEB_DIR}/control" <<EOF
|
||||||
@@ -166,16 +126,6 @@ jobs:
|
|||||||
|
|
||||||
ls -la "${DEB_FILE}"
|
ls -la "${DEB_FILE}"
|
||||||
sha256sum "${DEB_FILE}"
|
sha256sum "${DEB_FILE}"
|
||||||
|
|
||||||
# ─────────────────────────────────────────────────────────────────────────
|
|
||||||
# Publish to Nexus (runs on the runner host, not in the build container).
|
|
||||||
# Same security posture as the previous workflow:
|
|
||||||
# * tmpfs scratch dir for credentials
|
|
||||||
# * trap covers EXIT INT TERM HUP
|
|
||||||
# * netrc auth (no -u user:pass on cmdline → no /proc leak)
|
|
||||||
# * NEXUS_HOST derived from NEXUS_URL so forks don't have to edit YAML
|
|
||||||
# The matrix-driven secret indirection picks the right per-distro repo.
|
|
||||||
# ─────────────────────────────────────────────────────────────────────────
|
|
||||||
- name: Publish to Nexus (${{ matrix.target }})
|
- name: Publish to Nexus (${{ matrix.target }})
|
||||||
env:
|
env:
|
||||||
NEXUS_USER: ${{ secrets.NEXUS_USER }}
|
NEXUS_USER: ${{ secrets.NEXUS_USER }}
|
||||||
@@ -202,10 +152,6 @@ jobs:
|
|||||||
printf 'machine %s login %s password %s\n' \
|
printf 'machine %s login %s password %s\n' \
|
||||||
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
|
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
|
||||||
unset NEXUS_USER NEXUS_PASS
|
unset NEXUS_USER NEXUS_PASS
|
||||||
|
|
||||||
# Replace the prior version of this same package in this same repo,
|
|
||||||
# if any. Best-effort: missing prior is not an error. (apt-hosted
|
|
||||||
# repos in Nexus retain every upload otherwise.)
|
|
||||||
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
||||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
||||||
| PKG_NAME="$PKG_NAME" python3 -c '
|
| PKG_NAME="$PKG_NAME" python3 -c '
|
||||||
|
|||||||
Reference in New Issue
Block a user