checkupdates.yml
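# Scheduled workflow: every 12 hours (or on manual dispatch) it prepares an
# Arch Linux container, creates an unprivileged `builder` user, loads the GPG
# and AUR SSH keys, and runs scripts/main_task_script.py.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN carries
# the repository's default scopes. Declare the minimum the task script needs
# once that set is confirmed.
name: Scheduled Batch Updates
on:
  schedule:
    - cron: "0 */12 * * *" # Runs every 12 hours
  workflow_dispatch: # Allows manual triggering
jobs:
  arch-task:
    runs-on: ubuntu-latest
    concurrency:
      group: checkupdates
      cancel-in-progress: true
    container:
      # NOTE(review): `latest` is a mutable tag; pinning the image by digest
      # makes each run reproducible and auditable.
      image: archlinux:latest
      # NOTE(review): steps already run as root inside the container, which is
      # normally sufficient for useradd and pacman. --privileged also removes
      # most container isolation in a job that holds signing and SSH keys;
      # confirm it is really needed before keeping it.
      options: --privileged # Required for system-level changes like useradd, pacman
    env:
      AUR_MAINTAINER_NAME: envolution
      GIT_USERNAME: envolution
      GIT_EMAIL: involution@gmail.com
      ACTIONS_STEP_SUMMARY: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#step:${{ github.job }}:markdown-summary"
    steps:
      # NOTE(review): actions are referenced by mutable tag (@v4); pinning to a
      # full commit SHA prevents a moved tag from changing what runs here.
      # checkout also leaves the token in the workspace git config by default
      # (persist-credentials); disable that if the task script does not rely
      # on it - TODO confirm.
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize pacman, Update System, and Configure Makepkg
        run: |
          set -e
          echo "::group::Initialize pacman, Update System, and Configure Makepkg"
          echo "Initializing pacman keyring..."
          mkdir -p /etc/pacman.d/gnupg
          pacman-key --init
          pacman-key --populate archlinux
          echo "Enabling multilib repository..."
          echo -e "\n[multilib]\nInclude = /etc/pacman.d/mirrorlist" >> /etc/pacman.conf
          echo "Updating system and installing core dependencies..."
          # Refresh the keyring first so signature checks in the full upgrade
          # below use current packager keys.
          pacman -Sy --noconfirm --needed archlinux-keyring
          pacman -Syu --noconfirm
          echo "Installing necessary packages..."
          pacman -S --noconfirm --needed \
            git base-devel pacman-contrib openssh github-cli jq expac \
            ruby-rdoc ruby-pkg-config gnupg \
            python python-pip \
            pyalpm python-awesomeversion python-packaging python-lxml \
            python-gobject python-requests libnotify nvchecker \
            binutils multilib-devel python-aiohttp clang python-jq \
            sudo
          echo "Configuring makepkg for parallel compilation..."
          # Check if MAKEFLAGS is already set and uncommented
          if grep -q -E '^#?\s*MAKEFLAGS=' /etc/makepkg.conf; then
            # If found (commented or uncommented), replace the line
            sed -i "s|^#*\s*MAKEFLAGS=.*|MAKEFLAGS=\"-j$(nproc)\"|g" /etc/makepkg.conf
            echo "Updated existing MAKEFLAGS in /etc/makepkg.conf."
          else
            # If not found, append it
            echo "MAKEFLAGS=\"-j$(nproc)\"" >> /etc/makepkg.conf
            echo "Appended MAKEFLAGS to /etc/makepkg.conf."
          fi
          echo "Current MAKEFLAGS setting in /etc/makepkg.conf:"
          grep --color=auto MAKEFLAGS /etc/makepkg.conf || echo "MAKEFLAGS not found after attempting to set."
          # Rewrites `check` to `!check` in BUILDENV.
          sed -i '/^BUILDENV=/ s/\bcheck\b/!check/' /etc/makepkg.conf
          grep --color=auto BUILDENV /etc/makepkg.conf || echo "BUILDENV not found after attempting to set."
          echo "::endgroup::"
      - name: Setup non-root user for AUR operations
        shell: bash
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -e
          echo "::group::Setup non-root user 'builder'"
          echo "Creating build user 'builder'..."
          useradd -m -s /bin/bash builder
          # NOTE(review): unrestricted passwordless sudo makes `builder`
          # equivalent to root, so every PKGBUILD built as this user can reach
          # everything root can. Narrow the rule to the commands the build
          # actually needs if the task script allows it - TODO confirm.
          echo "builder ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/builder
          chmod 0440 /etc/sudoers.d/builder
          echo "Setting up directories for builder..."
          install -d -o builder -g builder -m 700 /home/builder/.gnupg
          install -d -o builder -g builder -m 755 /home/builder/.cache
          install -d -o builder -g builder -m 755 /home/builder/.local
          install -d -o builder -g builder -m 755 /home/builder/.local/share
          install -d -o builder -g builder -m 755 /home/builder/.cache/paru
          install -d -o builder -g builder -m 755 /home/builder/.local/share/paru
          # Feed the private key to gpg on stdin instead of staging it in a
          # file with default permissions in the workspace; the key material
          # then never exists on disk outside builder's keyring.
          sudo -u builder env HOME=/home/builder gpg --batch --yes --import <<< "$GPG_PRIVATE_KEY"
          echo "Builder user setup complete."
          echo "::endgroup::"
      - name: Export GPG signature if key is present
        if: env.GPG_PRIVATE_KEY != ''
        run: |
          echo "::group::Exporting GPG_SIGNATURE short key"
          # show-only lists the key without importing it; the first fpr record
          # is taken as the fingerprint.
          SHORT_KEY=$(sudo -u builder env HOME=/home/builder \
            gpg --with-colons --import-options show-only --import <<< "$GPG_PRIVATE_KEY" \
            | awk -F: '/^fpr:/ { print $10; exit }')
          echo "GPG_SIGNATURE = $SHORT_KEY"
          echo "GPG_SIGNATURE=${SHORT_KEY}" >> "$GITHUB_ENV"
          echo "::endgroup::"
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
      - name: Install paru (AUR helper)
        run: |
          set -e
          echo "::group::Install paru (AUR helper)"
          echo "Installing paru for 'builder' user..."
          cd /tmp
          sudo -u builder mkdir -p paru-bin && cd paru-bin
          # NOTE(review): this builds and installs whatever the paru-bin branch
          # points at when the job runs. Checking out a reviewed commit would
          # stop an upstream PKGBUILD change from running unreviewed as a user
          # with passwordless sudo.
          sudo -u builder git clone --depth 1 --filter=blob:none --sparse --branch paru-bin https://github.com/archlinux/aur.git
          cd aur && sudo -u builder makepkg -si --noconfirm
          cd ../.. && rm -rf paru-bin
          echo "::endgroup::"
      - name: Setup SSH key for AUR
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the key is never parsed as shell source.
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        run: |
          set -e
          echo "::group::Setup SSH key for AUR"
          echo "Setting up SSH key for AUR access..."
          SSH_DIR="/home/builder/.ssh"
          # Owner-only from creation: without this the key file is briefly
          # readable by other users until the chmod calls below run.
          umask 077
          mkdir -p "${SSH_DIR}"
          printf '%s\n' "${AUR_SSH_PRIVATE_KEY}" > "${SSH_DIR}/aur"
          # The host key is pinned below instead of being fetched with
          # ssh-keyscan, which would trust whatever key the network returns.
          #ssh-keyscan aur.archlinux.org >> "${SSH_DIR}/known_hosts"
          echo 'aur.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKF9vAFWdgm9Bi8uc+tYRBmXASBb5cB5iZsB7LOWWFeBrLp3r14w0/9S2vozjgqY5sJLDPONWoTTaVTbhe3vwO8CBKZTEt1AcWxuXNlRnk9FliR1/eNB9uz/7y1R0+c1Md+P98AJJSJWKN12nqIDIhjl2S1vOUvm7FNY43fU2knIhEbHybhwWeg+0wxpKwcAd/JeL5i92Uv03MYftOToUijd1pqyVFdJvQFhqD4v3M157jxS5FTOBrccAEjT+zYmFyD8WvKUa9vUclRddNllmBJdy4NyLB8SvVZULUPrP3QOlmzemeKracTlVOUG1wsDbxknF1BwSCU7CmU6UFP90kpWIyz66bP0bl67QAvlIc52Yix7pKJPbw85+zykvnfl2mdROsaT8p8R9nwCdFsBc9IiD0NhPEHcyHRwB8fokXTajk2QnGhL+zP5KnkmXnyQYOCUYo3EKMXIlVOVbPDgRYYT/XqvBuzq5S9rrU70KoI/S5lDnFfx/+lPLdtcnnEPk=' \
            >> "${SSH_DIR}/known_hosts"
          echo "Host aur.archlinux.org" >> "${SSH_DIR}/config"
          echo " IdentityFile ${SSH_DIR}/aur" >> "${SSH_DIR}/config"
          echo " User aur" >> "${SSH_DIR}/config"
          echo " StrictHostKeyChecking yes" >> "${SSH_DIR}/config"
          chown -R builder:builder "${SSH_DIR}"
          chmod 700 "${SSH_DIR}"
          chmod 600 "${SSH_DIR}/aur"
          chmod 600 "${SSH_DIR}/config"
          chmod 644 "${SSH_DIR}/known_hosts"
          echo "SSH key setup complete. Permissions:"
          ls -ldn "${SSH_DIR}" "${SSH_DIR}/aur" "${SSH_DIR}/config" "${SSH_DIR}/known_hosts" # Use -n to show numeric UID/GID
          echo "::endgroup::"
      - name: Configure Git for builder user
        run: |
          set -e
          echo "::group::Configure Git for builder user"
          echo "Configuring Git for 'builder' user..."
          # Read the job-level env values as shell variables instead of
          # expanding workflow expressions into the script text.
          sudo -u builder git config --global user.name "${GIT_USERNAME}"
          sudo -u builder git config --global user.email "${GIT_EMAIL}"
          sudo -u builder git config --global init.defaultBranch 'master'
          echo "Git configuration complete."
          echo "::endgroup::"
      - name: Run AUR Package Build and Update Task
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GIT_COMMIT_USER_NAME: envolution
          GIT_COMMIT_USER_EMAIL: involution@gmail.com
          PKGBUILD_ROOT: ${{ github.workspace }}/maintain
          SECRET_GHUK_VALUE: ${{ secrets.GHuK }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_RUNID: ${{ github.run_id }}
          # Quoted so the value is passed as the string "true".
          # NOTE(review): the script runs with two tokens in its environment;
          # verify that nothing it prints under this flag includes them.
          ACTIONS_STEP_DEBUG: "true"
        run: |
          echo "::notice::Attempting to execute external script main_task_script.py"
          # Ensure the script is executable inside the container if permissions were lost
          mkdir -p task
          cp "${GITHUB_WORKSPACE}/scripts/main_task_script.py" task/
          chmod +x task/main_task_script.py
          python3 ./task/main_task_script.py
      # Runs even when an earlier step failed, so logs of a broken run are kept.
      # NOTE(review): confirm nothing written under artifacts/ contains key or
      # token material before it is uploaded.
      - name: Upload build logs and artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts-${{ github.run_id }}
          path: ${{ github.workspace }}/artifacts/
          retention-days: 7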