name: "Publish: Package Repositories" run-name: "Publish Package Repositories (${{ github.event.inputs.channel || 'stable' }})" on: workflow_dispatch: inputs: build_number: description: Build number or release label for package artifact paths required: false default: "" channel: description: Native package repository channel required: true default: stable type: choice options: - stable - beta - nightly publish_gcs: description: Publish repository tree to configured package storage targets required: false default: "true" permissions: contents: read concurrency: group: publish-package-repositories-${{ github.ref }}-${{ github.event.inputs.channel || 'stable' }} cancel-in-progress: false jobs: publish: name: Build Native Repositories runs-on: [self-hosted, linux, x86_64, burrow-forge] timeout-minutes: 45 env: BUILD_NUMBER: ${{ github.event.inputs.build_number || github.sha }} BURROW_PACKAGE_CHANNEL: ${{ github.event.inputs.channel || 'stable' }} BURROW_KMS_LOCATION: ${{ vars.BURROW_KMS_LOCATION || 'global' }} BURROW_KMS_KEYRING: ${{ vars.BURROW_KMS_KEYRING || 'burrow-identity' }} BURROW_KMS_VERSION: ${{ vars.BURROW_KMS_VERSION || '1' }} BURROW_GOOGLE_PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} GOOGLE_CLOUD_PROJECT: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }} BURROW_GOOGLE_PROJECT_NUMBER: ${{ vars.GOOGLE_PROJECT_NUMBER || '416198671487' }} BURROW_GOOGLE_WIF_POOL_ID: ${{ vars.BURROW_GOOGLE_WIF_POOL_ID || 'burrow-authentik' }} BURROW_GOOGLE_WIF_PROVIDER_ID: ${{ vars.BURROW_GOOGLE_WIF_PROVIDER_ID || 'forgejo-runners' }} BURROW_GOOGLE_WIF_SERVICE_ACCOUNT: ${{ vars.BURROW_GOOGLE_WIF_SERVICE_ACCOUNT || 'burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com' }} BURROW_AUTHENTIK_WIF_ISSUER: ${{ vars.BURROW_AUTHENTIK_WIF_ISSUER || 'https://auth.burrow.net/application/o/google-cloud/' }} BURROW_AUTHENTIK_WIF_AUDIENCE: ${{ vars.BURROW_AUTHENTIK_WIF_AUDIENCE || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_ID: ${{ vars.BURROW_AUTHENTIK_WIF_CLIENT_ID || 'google-wif.burrow.net' }} BURROW_AUTHENTIK_WIF_CLIENT_SECRET: ${{ secrets.BURROW_AUTHENTIK_WIF_CLIENT_SECRET }} BURROW_PACKAGE_GCS_BUCKET: ${{ vars.BURROW_PACKAGE_GCS_BUCKET || 'burrow-net-packages' }} BURROW_PACKAGE_GCS_PREFIX: ${{ vars.BURROW_PACKAGE_GCS_PREFIX || '' }} BURROW_PACKAGE_GCS_BACKUP: ${{ vars.BURROW_PACKAGE_GCS_BACKUP || 'true' }} BURROW_PACKAGE_GARAGE_BUCKET: ${{ vars.BURROW_PACKAGE_GARAGE_BUCKET || 'burrow-packages' }} BURROW_PACKAGE_GARAGE_PREFIX: ${{ vars.BURROW_PACKAGE_GARAGE_PREFIX || vars.BURROW_PACKAGE_GCS_PREFIX || '' }} BURROW_PACKAGE_REQUIRE_GARAGE: ${{ vars.BURROW_PACKAGE_REQUIRE_GARAGE || 'true' }} BURROW_GARAGE_ENDPOINT: ${{ vars.BURROW_GARAGE_ENDPOINT || 'https://objects.burrow.net' }} BURROW_GARAGE_REGION: ${{ vars.BURROW_GARAGE_REGION || 'garage' }} AWS_ACCESS_KEY_ID: ${{ secrets.BURROW_GARAGE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.BURROW_GARAGE_SECRET_ACCESS_KEY }} BURROW_NIX_CACHE_URL: ${{ vars.BURROW_NIX_CACHE_URL || 'https://nix.burrow.net/burrow' }} BURROW_NIX_CACHE_PUBLIC_KEY: ${{ vars.BURROW_NIX_CACHE_PUBLIC_KEY }} steps: - name: Checkout shell: bash run: | set -euo pipefail repo_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" if [ ! -d .git ]; then git init . fi if git remote get-url origin >/dev/null 2>&1; then git remote set-url origin "${repo_url}" else git remote add origin "${repo_url}" fi git fetch --force --tags origin "${GITHUB_SHA}" git checkout --force --detach FETCH_HEAD git clean -ffdqx - name: Ensure Nix shell: bash run: bash Scripts/ci/ensure-nix.sh - name: Build Linux Packages shell: bash run: | set -euo pipefail export BURROW_RELEASE_OUT="$PWD/dist/builds/$BUILD_NUMBER" nix develop .#ci -c Scripts/ci/package-release-artifacts.sh linux - name: Authenticate Google WIF shell: bash run: | set -euo pipefail nix develop .#ci -c Scripts/ci/google-wif-auth.sh - name: Export KMS Public Keys shell: bash run: | set -euo pipefail mkdir -p "$PWD/.kms" export BURROW_APT_REPO_KMS_KEY="${BURROW_APT_REPO_KMS_KEY:-package-apt-repository}" export BURROW_RPM_REPO_KMS_KEY="${BURROW_RPM_REPO_KMS_KEY:-package-rpm-repository}" export BURROW_PACMAN_REPO_KMS_KEY="${BURROW_PACMAN_REPO_KMS_KEY:-package-pacman-repository}" for item in \ "APT:${BURROW_APT_REPO_KMS_KEY}:apt" \ "RPM:${BURROW_RPM_REPO_KMS_KEY}:rpm" \ "PACMAN:${BURROW_PACMAN_REPO_KMS_KEY}:pacman" do IFS=: read -r env_prefix key_name file_prefix <<< "$item" pem="$PWD/.kms/${file_prefix}.pem" nix develop .#ci -c gcloud kms keys versions get-public-key "$BURROW_KMS_VERSION" \ --location "$BURROW_KMS_LOCATION" \ --keyring "$BURROW_KMS_KEYRING" \ --key "$key_name" \ --project "$GOOGLE_CLOUD_PROJECT" \ --output-file "$pem" echo "BURROW_${env_prefix}_REPO_KMS_PUBLIC_KEY_PEM=$pem" >> "$GITHUB_ENV" echo "BURROW_${env_prefix}_REPO_KMS_KEY=$key_name" >> "$GITHUB_ENV" done - name: Build Repository Metadata shell: bash run: | set -euo pipefail export BURROW_PACKAGE_INPUT_DIR="$PWD/dist/builds/$BUILD_NUMBER/linux" export BURROW_PACKAGE_REPOSITORY_DIR="$PWD/dist/builds/$BUILD_NUMBER/repositories" nix develop .#ci -c Scripts/package/build-repositories.sh all - name: Upload Repository Artifact uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-package-repositories-${{ github.event.inputs.channel || 'stable' }}-${{ github.event.inputs.build_number || github.sha }} path: dist/builds/${{ github.event.inputs.build_number || github.sha }}/repositories/** if-no-files-found: error - name: Publish Package Repository To Storage if: ${{ github.event.inputs.publish_gcs == 'true' }} shell: bash run: | set -euo pipefail export BURROW_PACKAGE_REPOSITORY_DIR="$PWD/dist/builds/$BUILD_NUMBER/repositories" nix develop .#ci -c Scripts/ci/upload-package-storage.sh