element-desktop/.github/workflows/reprepro.yaml

on:
    workflow_call:
        inputs:
            artifact-name:
                type: string
                required: true
                description: "The name of the artifact containing the debs to include"
        secrets:
            GPG_PRIVATE_KEY:
                required: false
            GPG_PASSPHRASE:
                required: false
            CF_R2_ACCESS_KEY_ID:
                required: false
            CF_R2_TOKEN:
                required: false
            CF_R2_S3_API:
                required: false
# Protect reprepro database using concurrency
concurrency: reprepro
jobs:
    reprepro:
        name: Deploy debian package
        environment: packages.element.io
        runs-on: ubuntu-latest
        env:
            R2_BUCKET: "packages-element-io"
            R2_DB_BUCKET: packages-element-io-db
            R2_URL: ${{ secrets.CF_R2_S3_API }}
        steps:
            - uses: actions/checkout@v3

            - name: Download artifacts
              uses: actions/download-artifact@v3
              with:
                  name: ${{ inputs.artifact-name }}
                  path: dist

            - name: Load GPG key
              uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5
              with:
                  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
                  passphrase: ${{ secrets.GPG_PASSPHRASE }}
                  fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD

            - name: Install reprepro
              run: sudo apt-get install -y reprepro

            - name: Fetch database
              run: aws s3 cp --recursive s3://$R2_DB_BUCKET debian/db/ --endpoint-url $R2_URL --region auto
              env:
                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}

            - name: Run reprepro
              run: |
                  grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do
                      reprepro -b debian includedeb "$target" ./dist/*.deb
                  done

            - name: Check repository works
              run: |
                  # Download signing keyring
                  sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
                  # Point apt at local apt repo
                  echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://127.0.0.1:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list

                  # Start http server and fetch from it via apt
                  python3 -m http.server 8000 --bind 127.0.0.1 &
                  sudo apt-get update --allow-insecure-repositories
                  killall python3

                  # Validate the package in the repo quacks like the one we expect
                  info=$(dpkg --info ../dist/*.deb)
                  package=$(echo "$info" | grep "Package:" | sed -n 's/ Package: //p')
                  version=$(echo "$info" | grep "Version:" | sed -n 's/ Version: //p')
                  apt-cache show "$package" | grep "Version: $version"
              working-directory: ./packages.element.io

            - name: Deploy debian repo
              run: |
                  aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
              env:
                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}

            - name: Store database
              run: aws s3 cp --recursive debian/db/ s3://$R2_DB_BUCKET --endpoint-url $R2_URL --region auto
              env:
                  AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                  AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
Guard reprepro db via concurrency limits (#555) 2023-03-02 17:54:57 +01:00			`on:`
			`workflow_call:`
			`inputs:`
			`artifact-name:`
			`type: string`
			`required: true`
			`description: "The name of the artifact containing the debs to include"`
			`secrets:`
			`GPG_PRIVATE_KEY:`
			`required: false`
			`GPG_PASSPHRASE:`
			`required: false`
			`CF_R2_ACCESS_KEY_ID:`
			`required: false`
			`CF_R2_TOKEN:`
			`required: false`
			`CF_R2_S3_API:`
			`required: false`
			`# Protect reprepro database using concurrency`
			`concurrency: reprepro`
			`jobs:`
			`reprepro:`
			`name: Deploy debian package`
			`environment: packages.element.io`
			`runs-on: ubuntu-latest`
			`env:`
Backport packaging scripts to master 2023-03-28 17:08:51 +02:00			`R2_BUCKET: "packages-element-io"`
Guard reprepro db via concurrency limits (#555) 2023-03-02 17:54:57 +01:00			`R2_DB_BUCKET: packages-element-io-db`
			`R2_URL: ${{ secrets.CF_R2_S3_API }}`
			`steps:`
			`- uses: actions/checkout@v3`

			`- name: Download artifacts`
			`uses: actions/download-artifact@v3`
			`with:`
			`name: ${{ inputs.artifact-name }}`
			`path: dist`

			`- name: Load GPG key`
			`uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5`
			`with:`
			`gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}`
			`passphrase: ${{ secrets.GPG_PASSPHRASE }}`
			`fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD`

			`- name: Install reprepro`
			`run: sudo apt-get install -y reprepro`

			`- name: Fetch database`
			`run: aws s3 cp --recursive s3://$R2_DB_BUCKET debian/db/ --endpoint-url $R2_URL --region auto`
			`env:`
			`AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}`
			`AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}`

			`- name: Run reprepro`
			`run: \|`
			`grep Codename debian/conf/distributions \| sed -n 's/Codename: //p' \| while read -r target ; do`
			`reprepro -b debian includedeb "$target" ./dist/*.deb`
			`done`

Assert release & nightly builds are signed, notarised & accessible before deployment (#559) 2023-03-06 09:56:49 +01:00			`- name: Check repository works`
			`run: \|`
			`# Download signing keyring`
			`sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg`
			`# Point apt at local apt repo`
Backport packaging scripts to master 2023-03-28 17:08:51 +02:00			`echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://127.0.0.1:8000/debian/ default main" \| sudo tee /etc/apt/sources.list.d/element-io.list`
Assert release & nightly builds are signed, notarised & accessible before deployment (#559) 2023-03-06 09:56:49 +01:00
			`# Start http server and fetch from it via apt`
Backport packaging scripts to master 2023-03-28 17:08:51 +02:00			`python3 -m http.server 8000 --bind 127.0.0.1 &`
Assert release & nightly builds are signed, notarised & accessible before deployment (#559) 2023-03-06 09:56:49 +01:00			`sudo apt-get update --allow-insecure-repositories`
			`killall python3`

			`# Validate the package in the repo quacks like the one we expect`
			`info=$(dpkg --info ../dist/*.deb)`
			`package=$(echo "$info" \| grep "Package:" \| sed -n 's/ Package: //p')`
			`version=$(echo "$info" \| grep "Version:" \| sed -n 's/ Version: //p')`
			`apt-cache show "$package" \| grep "Version: $version"`
			`working-directory: ./packages.element.io`

Guard reprepro db via concurrency limits (#555) 2023-03-02 17:54:57 +01:00			`- name: Deploy debian repo`
			`run: \|`
			`aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto`
			`env:`
			`AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}`
			`AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}`

			`- name: Store database`
			`run: aws s3 cp --recursive debian/db/ s3://$R2_DB_BUCKET --endpoint-url $R2_URL --region auto`
			`env:`
			`AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}`
			`AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}`