Create RPM Release #30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| workflow_dispatch: | |
| name: Create RPM Release | |
| jobs: | |
| buildsrpm: | |
| name: Build SRPM | |
| if: github.triggering_actor == 'royaloughtness' | |
| runs-on: ubuntu-latest | |
| container: | |
| image: fedora:41 | |
| steps: | |
| - name: Build SRPM | |
| shell: bash | |
| id: srpm_build | |
| run: | | |
| dnf copr enable secureblue/trivalent -y | |
| dnf update -y | |
| dnf install git wget rpmbuild yum-utils rpm-sign trivalent-chromium-clean-source -y | |
| git clone https://github.com/secureblue/Trivalent.git | |
| bash ./Trivalent/copr_script.sh | |
| rpmbuild -bs -v --define "_sourcedir $PWD" --define "_rpmdir $PWD" --define "_builddir $PWD" --define "_specdir $PWD" --define "_srcrpmdir $PWD" trivalent.spec | |
| - name: Save SRPM | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: srpm-artifact | |
| path: "*.rpm" | |
| retention-days: 30 | |
| buildrpm: | |
| name: Build RPM | |
| if: github.triggering_actor == 'royaloughtness' | |
| runs-on: self-hosted | |
| timeout-minutes: 1800 | |
| needs: buildsrpm | |
| steps: | |
| - name: Retrieve SRPM | |
| uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 | |
| with: | |
| name: srpm-artifact | |
| - name: Build RPM | |
| shell: bash | |
| id: rpm_build | |
| run: | | |
| sudo dnf config-manager --set-enabled crb -y | |
| sudo dnf install https://dl.fedoraproject.org/pub/epel/epel{,-next}-release-latest-9.noarch.rpm -y | |
| sudo dnf install mock rclone -y | |
| sudo usermod -aG mock $(whoami) | |
| mock --resultdir=. -r fedora-41-x86_64 --rebuild trivalent-*.src.rpm | |
| - name: Prepare for upload | |
| shell: bash | |
| run: | | |
| rm trivalent-*.src.rpm | |
| - name: Save RPM | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: rpm-artifact | |
| path: "*.rpm" | |
| retention-days: 7 | |
| pushrpm: | |
| name: Push RPM | |
| if: github.triggering_actor == 'royaloughtness' | |
| runs-on: ubuntu-latest | |
| container: | |
| image: fedora:41 | |
| needs: buildrpm | |
| steps: | |
| - name: Retrieve RPM | |
| uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 | |
| with: | |
| name: rpm-artifact | |
| - name: Setup | |
| shell: bash | |
| run: | | |
| dnf install reposync rpm-sign createrepo rclone -y | |
| curl -o /etc/yum.repos.d/secureblue.repo https://repo.secureblue.dev/secureblue.repo | |
| dnf update --refresh -y | |
| echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --import | |
| echo " | |
| %_signature gpg | |
| %_gpg_name 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41 | |
| " > ~/.rpmmacros | |
| - name: Sign | |
| shell: bash | |
| run: | | |
| rpm --addsign *.rpm | |
| reposync --repo secureblue -y | |
| mv *.rpm secureblue/Packages | |
| cd secureblue | |
| rm -rf repodata | |
| createrepo . | |
| gpg --detach-sign --local-user 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41 --armor repodata/repomd.xml | |
| - name: Upload RPM and logs to R2 to trivalent Bucket | |
| shell: bash | |
| env: | |
| RCLONE_CONFIG_R2_TYPE: s3 | |
| RCLONE_CONFIG_R2_PROVIDER: Cloudflare | |
| RCLONE_CONFIG_R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }} | |
| RCLONE_CONFIG_R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} | |
| RCLONE_CONFIG_R2_REGION: auto | |
| RCLONE_CONFIG_R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }} | |
| SOURCE_DIR: . | |
| run: | | |
| rclone copy ./secureblue/ R2:/ | |