diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml index 4307fda..7744910 100644 --- a/.github/workflows/build_and_deploy.yaml +++ b/.github/workflows/build_and_deploy.yaml @@ -39,9 +39,7 @@ on: required: true type: boolean default: true -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true +concurrency: ${{ github.workflow }} env: # XXX: UPDATE THIS BEFORE WHEN GOING LIVE R2_BUCKET: "packages-element-io-test" @@ -99,12 +97,12 @@ jobs: needs: prepare name: Linux uses: ./.github/workflows/build_linux.yaml - secrets: inherit with: sqlcipher: system - deploy-mode: true version: ${{ needs.prepare.outputs.linux-version }} + # This deploy job only handles Windows & macOS as those are stateless and static. + # Linux will be deployed via reprepro after it, but we list it as a dependency to abort if it fails. deploy: needs: - macos @@ -113,7 +111,7 @@ jobs: - windows_64bit runs-on: ubuntu-latest name: Deploy - if: always() && (github.event != 'workflow_dispatch' || inputs.deploy) + if: github.event != 'workflow_dispatch' || (inputs.deploy && (inputs.macos || inputs.windows_32bit || inputs.windows_64bit)) environment: packages.element.io steps: - name: Download artifacts @@ -122,18 +120,7 @@ jobs: name: packages.element.io path: packages.element.io - - name: Deploy debian repo - if: github.event_name != 'workflow_dispatch' || inputs.linux - run: | - mv packages.element.io/debian . - aws s3 cp --recursive debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto - env: - AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} - R2_URL: ${{ secrets.CF_R2_S3_API }} - - name: Deploy artifacts - if: github.event_name != 'workflow_dispatch' || inputs.macos || inputs.windows_32bit || inputs.windows_64bit run: | aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto env: 
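Review bot: The new `concurrency: ${{ github.workflow }}` line puts every ref and trigger of this workflow into a single group, and that needs a comment because of how GitHub queues such groups. Only one run can be pending per group, so a newly queued run cancels the one already waiting. A release dispatch queued behind a running nightly could therefore be dropped by the next trigger. I would add `# One deploy at a time across all refs; a queued run is replaced by a newer one` above the line, or confirm that this trade-off is intended.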
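Review bot: The job-level condition on `deploy` compares `github.event` with `'workflow_dispatch'`, but `github.event` is the webhook payload object and the event name lives in `github.event_name`, so this comparison is not expected to ever be false and `inputs.deploy` would be ignored. The step-level conditions removed in the next hunk used `github.event_name`, which leaves this expression as the only gate in front of the R2 upload. The line should read `if: github.event_name != 'workflow_dispatch' || (inputs.deploy && (inputs.macos || inputs.windows_32bit || inputs.windows_64bit))`. The `if:` of the new `reprepro` job in the last hunk of this file has the same comparison and needs the same change.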
@@ -141,3 +128,15 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} R2_URL: ${{ secrets.CF_R2_S3_API }} DEPLOYMENT_DIR: ${{ inputs.mode == 'release' && 'desktop' || 'nightly' }} + + reprepro: + needs: + - linux + # We queue this after the other deploy stage as we want to abort if that fails + - deploy + name: Run reprepro + if: github.event != 'workflow_dispatch' || (inputs.deploy && inputs.linux) + uses: ./.github/workflows/reprepro.yaml + secrets: inherit + with: + artifact-name: linux-sqlcipher-system diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index 862258c..5d58924 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -3,17 +3,6 @@ # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch. on: workflow_call: - secrets: - GPG_PRIVATE_KEY: - required: false - GPG_PASSPHRASE: - required: false - CF_R2_ACCESS_KEY_ID: - required: false - CF_R2_TOKEN: - required: false - CF_R2_S3_API: - required: false inputs: version: type: string @@ -23,14 +12,9 @@ on: type: string required: true description: "How to link sqlcipher, one of 'system' | 'static'" - deploy-mode: - type: string - required: false - description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones, this uses reprepro and requires 'packages.element.io' environment" jobs: build: runs-on: ubuntu-latest - environment: ${{ inputs.deploy-mode && 'packages.element.io' || '' }} steps: - uses: actions/checkout@v3 
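Review bot: `reprepro` lists `deploy` under `needs` without a status function in its `if:`, so GitHub skips it whenever `deploy` is skipped, not only when it fails. A manual dispatch that selects only Linux makes the `deploy` condition false (once that condition is evaluated as intended), and the Debian repository would then never be published. If that case should work, the condition could become `if: ${{ !failure() && !cancelled() && (...) }}` with the existing expression inside the parentheses. The comment on the `deploy` dependency should also say which of the two behaviours is intended.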
@@ -88,41 +72,9 @@ jobs: scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --deb-custom-control=debcontrol yarn build --publish never -l --config electron-builder.json - - name: Load GPG key - if: inputs.deploy-mode - uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_PASSPHRASE }} - fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD - - - name: Prepare artifacts for deployment (reprepro) - if: inputs.deploy-mode - run: | - # Clear out the template packages.element.io directory, it has a dedicated deploy workflow - rm -R packages.element.io/* - - # Install reprepro - sudo apt-get install -y reprepro - - # Fetch reprepro database - aws s3 cp --recursive s3://$R2_BUCKET debian/db/ --endpoint-url $R2_URL --region auto - - grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do - reprepro -b debian includedeb "$target" ./dist/*.deb - done - - # Store reprepro database - aws s3 cp --recursive debian/db/ s3://$R2_BUCKET --endpoint-url $R2_URL --region auto - env: - R2_BUCKET: packages-element-io-db - AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} - R2_URL: ${{ secrets.CF_R2_S3_API }} - - name: Upload Artifacts uses: actions/upload-artifact@v3 with: - name: ${{ inputs.deploy-mode && 'packages.element.io' || format('linux-sqlcipher-{0}', inputs.sqlcipher) }} - path: ${{ inputs.deploy-mode && 'packages.element.io' || 'dist' }} + name: linux-sqlcipher-${{ inputs.sqlcipher }} + path: dist retention-days: 1 diff --git a/.github/workflows/reprepro.yaml b/.github/workflows/reprepro.yaml new file mode 100644 index 0000000..a2bd67a --- /dev/null +++ b/.github/workflows/reprepro.yaml 
@@ -0,0 +1,73 @@ +on: + workflow_call: + inputs: + artifact-name: + type: string + required: true + description: "The name of the artifact containing the debs to include" + secrets: + GPG_PRIVATE_KEY: + required: false + GPG_PASSPHRASE: + required: false + CF_R2_ACCESS_KEY_ID: + required: false + CF_R2_TOKEN: + required: false + CF_R2_S3_API: + required: false +# Protect reprepro database using concurrency +concurrency: reprepro +jobs: + reprepro: + name: Deploy debian package + environment: packages.element.io + runs-on: ubuntu-latest + env: + # XXX: UPDATE THIS BEFORE WHEN GOING LIVE + R2_BUCKET: "packages-element-io-test" + R2_DB_BUCKET: packages-element-io-db + R2_URL: ${{ secrets.CF_R2_S3_API }} + steps: + - uses: actions/checkout@v3 + + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.artifact-name }} + path: dist + + - name: Load GPG key + uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + fingerprint: 75741890063E5E9A46135D01C2850B265AC085BD + + - name: Install reprepro + run: sudo apt-get install -y reprepro + + - name: Fetch database + run: aws s3 cp --recursive s3://$R2_DB_BUCKET debian/db/ --endpoint-url $R2_URL --region auto + env: + AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} + + - name: Run reprepro + run: | + grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do + reprepro -b debian includedeb "$target" ./dist/*.deb + done + + - name: Deploy debian repo + run: | + aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto + env: + AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} + + - name: Store database + run: aws s3 cp --recursive debian/db/ s3://$R2_DB_BUCKET 
--endpoint-url $R2_URL --region auto + env: + AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
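Review bot: This job imports the package signing key and holds the R2 credentials, yet `actions/checkout@v3` and `actions/download-artifact@v3` are referenced by mutable tag while only the GPG import action is pinned to a commit. Pinning both in the same form, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, keeps a retagged action from running next to the key. The workflow also declares no `permissions:`, so `GITHUB_TOKEN` keeps the caller's default; `permissions:` with `contents: read` at the top, plus `persist-credentials: false` on the checkout step, should be enough for what the visible steps do. Separately, the `Run reprepro` pipeline succeeds when `grep` matches no `Codename`, so a missing or unreadable `debian/conf/distributions` would pass without including any package.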