claude
162 lines
6.3 KiB
YAML
162 lines
6.3 KiB
YAML
name: build-and-publish
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout source
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install build dependencies
|
|
run: |
|
|
set -euo pipefail
|
|
sudo apt-get update -y
|
|
sudo apt-get install -y --no-install-recommends \
|
|
git curl wget ca-certificates dpkg-dev fakeroot \
|
|
build-essential gnupg dpkg-sig
|
|
|
|
- name: Compile nginx and modules
|
|
run: |
|
|
set -euo pipefail
|
|
sudo touch /.dockerenv
|
|
sudo bash build/run.sh new
|
|
sudo bash build/run.sh build
|
|
sudo bash build/run.sh postfix
|
|
|
|
- name: Assemble .deb package
|
|
id: pkg
|
|
run: |
|
|
set -euo pipefail
|
|
PKG_NAME="twiy"
|
|
VERSION="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
|
|
ARCH="amd64"
|
|
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
|
|
DEB_DIR="${PKG_DIR}/DEBIAN"
|
|
|
|
sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
|
|
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
|
|
"${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
|
|
"${PKG_DIR}/hostdata/default/public_html" \
|
|
"${PKG_DIR}/usr/nginx_lua"
|
|
|
|
sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
|
|
sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true
|
|
sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
|
|
sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
|
|
sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
|
|
|
|
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
|
|
sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true
|
|
done
|
|
|
|
sudo mkdir -p "${DEB_DIR}"
|
|
sudo tee "${DEB_DIR}/control" >/dev/null <<EOF
|
|
Package: ${PKG_NAME}
|
|
Version: ${VERSION}
|
|
Section: base
|
|
Priority: optional
|
|
Architecture: ${ARCH}
|
|
Maintainer: Julio <me@julio.al>
|
|
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
|
|
EOF
|
|
|
|
sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
|
|
#!/bin/bash
|
|
useradd -r -d /usr/local/nginx -s /bin/false nginx || true
|
|
systemctl daemon-reload || true
|
|
EOF
|
|
sudo chmod 755 "${DEB_DIR}/postinst"
|
|
|
|
sudo dpkg-deb --build "${PKG_DIR}"
|
|
DEB_FILE="${PKG_DIR}.deb"
|
|
sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"
|
|
|
|
{
|
|
echo "deb_file=${DEB_FILE}"
|
|
echo "version=${VERSION}"
|
|
echo "pkg_name=${PKG_NAME}"
|
|
} >> "$GITHUB_OUTPUT"
|
|
|
|
ls -la "${DEB_FILE}"
|
|
sha256sum "${DEB_FILE}"
|
|
|
|
- name: Sign and publish to Nexus
|
|
env:
|
|
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
|
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
|
|
NEXUS_USER: ${{ secrets.NEXUS_USER }}
|
|
NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
|
|
NEXUS_URL: ${{ secrets.NEXUS_URL }}
|
|
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
|
|
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
|
|
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
|
|
run: |
|
|
set -euo pipefail
|
|
umask 077
|
|
|
|
# Tmpfs (RAM-only) scratch for every byte of secret material.
|
|
# Falls back to /tmp if /dev/shm is absent.
|
|
SECDIR="$(mktemp -d -p /dev/shm raweb-XXXXXXXX 2>/dev/null \
|
|
|| mktemp -d -t raweb-XXXXXXXX)"
|
|
chmod 700 "$SECDIR"
|
|
export GNUPGHOME="$SECDIR/gnupg"
|
|
|
|
cleanup() {
|
|
(gpg --batch --yes --quiet \
|
|
--delete-secret-and-public-key "$GPG_KEY_ID" 2>/dev/null) || true
|
|
(gpgconf --kill all 2>/dev/null) || true
|
|
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
|
|
rm -rf "$SECDIR"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
# Materialise secrets to in-memory files. After this, drop them from env
|
|
# so any subprocess (or accidental `env`) cannot read them.
|
|
printf '%s' "$GPG_PRIVATE_KEY" > "$SECDIR/key.asc"
|
|
printf '%s' "$GPG_PASSPHRASE" > "$SECDIR/pp"
|
|
printf 'machine apt.julio.al login %s password %s\n' \
|
|
"$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
|
|
unset GPG_PRIVATE_KEY GPG_PASSPHRASE NEXUS_PASS NEXUS_USER
|
|
|
|
# Ephemeral keyring on tmpfs.
|
|
mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
|
|
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
|
|
printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
|
|
gpg --batch --import "$SECDIR/key.asc"
|
|
|
|
# Sign the .deb. Passphrase passed via FILE — never argv, never env.
|
|
dpkg-sig -k "$GPG_KEY_ID" \
|
|
-g "--batch --pinentry-mode loopback --passphrase-file $SECDIR/pp" \
|
|
--sign builder "$DEB_FILE"
|
|
dpkg-sig --verify "$DEB_FILE"
|
|
|
|
# Replace any prior component of the same name (best-effort).
|
|
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
|
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
|
| PKG_NAME="$PKG_NAME" python3 -c '
|
|
import sys, json, os
|
|
for c in json.load(sys.stdin).get("items", []):
|
|
if c.get("name") == os.environ["PKG_NAME"]:
|
|
print(c["id"]); break
|
|
' || true)"
|
|
if [ -n "$OLD_ID" ]; then
|
|
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
|
|
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
|
|
fi
|
|
|
|
# Upload — auth via netrc (not -u, not query string).
|
|
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
|
|
-o "$SECDIR/upload.body" -w '%{http_code}' \
|
|
-X POST -F "apt.asset=@$DEB_FILE" \
|
|
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
|
|
case "$HTTP" in
|
|
201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
|
|
*) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
|
|
esac
|