fix(ci): mark AUR repo as safe directory #8
| name: Publish AUR package | |
| on: | |
| push: | |
| branches: [master, main] | |
| workflow_dispatch: | |
| env: | |
| AUR_PACKAGE_NAME: ${{ vars.AUR_PACKAGE_NAME || 'dropdeck-git' }} | |
| AUR_GIT_URL: ${{ vars.AUR_GIT_URL || 'ssh://[email protected]/dropdeck-git.git' }} | |
| AUR_PACKAGE_DIR: ${{ vars.AUR_PACKAGE_DIR || 'packaging/aur/dropdeck-git' }} | |
| AUR_COMMIT_NAME: ${{ vars.AUR_COMMIT_NAME || 'dropdeck-ci' }} | |
| AUR_COMMIT_EMAIL: ${{ vars.AUR_COMMIT_EMAIL || '[email protected]' }} | |
| AUR_BRANCH: ${{ vars.AUR_BRANCH || 'master' }} | |
| jobs: | |
| publish: | |
| name: Sync package files to AUR | |
| runs-on: ubuntu-latest | |
| container: | |
| image: archlinux:base-devel | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install tooling | |
| run: | | |
| pacman -Sy --noconfirm --needed git openssh rsync | |
| - name: Validate package directory | |
| run: | | |
| test -d "$AUR_PACKAGE_DIR" | |
| test -f "$AUR_PACKAGE_DIR/PKGBUILD" | |
| - name: Create non-root build user | |
| run: | | |
| useradd -m builder | |
| chown -R builder:builder "$GITHUB_WORKSPACE" | |
| - name: Build fresh .SRCINFO | |
| run: | | |
| su - builder -c "cd '$GITHUB_WORKSPACE/$AUR_PACKAGE_DIR' && makepkg --printsrcinfo > .SRCINFO" | |
| - name: Prepare package payload | |
| run: | | |
| rm -rf /tmp/aur-payload | |
| mkdir -p /tmp/aur-payload | |
| rsync -a --delete "$AUR_PACKAGE_DIR/" /tmp/aur-payload/ | |
| # Force one AUR commit per upstream commit. | |
| printf '%s\n' "$GITHUB_SHA" > /tmp/aur-payload/.upstream-commit | |
| - name: Configure SSH for AUR | |
| env: | |
| AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }} | |
| run: | | |
| set -euo pipefail | |
| test -n "$AUR_SSH_PRIVATE_KEY" | |
| printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > /tmp/aur_id_ed25519 | |
| chmod 600 /tmp/aur_id_ed25519 | |
| ssh-keyscan -H -t ed25519,rsa aur.archlinux.org > /tmp/aur_known_hosts 2>/dev/null | |
| test -s /tmp/aur_known_hosts | |
| chmod 644 /tmp/aur_known_hosts | |
| - name: Clone AUR repository | |
| run: | | |
| rm -rf /tmp/aur-repo | |
| export GIT_SSH_COMMAND="ssh -i /tmp/aur_id_ed25519 -o IdentitiesOnly=yes -o UserKnownHostsFile=/tmp/aur_known_hosts -o StrictHostKeyChecking=yes" | |
| git ls-remote "$AUR_GIT_URL" >/dev/null | |
| git clone "$AUR_GIT_URL" /tmp/aur-repo | |
| - name: Sync, commit, and push | |
| run: | | |
| export GIT_SSH_COMMAND="ssh -i /tmp/aur_id_ed25519 -o IdentitiesOnly=yes -o UserKnownHostsFile=/tmp/aur_known_hosts -o StrictHostKeyChecking=yes" | |
| git config --global --add safe.directory /tmp/aur-repo | |
| rsync -a --delete --exclude='.git/' /tmp/aur-payload/ /tmp/aur-repo/ | |
| cd /tmp/aur-repo | |
| git checkout "$AUR_BRANCH" || git checkout -b "$AUR_BRANCH" | |
| git config user.name "$AUR_COMMIT_NAME" | |
| git config user.email "$AUR_COMMIT_EMAIL" | |
| if git diff --quiet && git diff --cached --quiet; then | |
| echo "No changes to publish." | |
| exit 0 | |
| fi | |
| git add -A | |
| if git diff --cached --quiet; then | |
| echo "No staged changes to publish." | |
| exit 0 | |
| fi | |
| git commit -m "chore(aur): sync from ${GITHUB_REPOSITORY}@${GITHUB_SHA}" | |
| git push origin "$AUR_BRANCH" |
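Review bot: The first no-change check in the "Sync, commit, and push" step, `if git diff --quiet && git diff --cached --quiet; then … exit 0`, only compares tracked files, so a sync whose only difference is a newly added file (for example the first time `.upstream-commit` is written) prints "No changes to publish." and exits before `git add -A` ever runs; the second check after `git add -A` already covers the genuine no-op case, so the first `if` block should be dropped. Whether that block predates this commit is not recoverable from the rendered page, but it sits in the step the safe.directory line was added to. That same step also lacks the `set -euo pipefail` that the "Configure SSH for AUR" step starts with, so failures inside `rsync`/`git` are caught only by the runner's default `-e`; adding `set -euo pipefail` as its first line keeps the two steps consistent. Separately, the host key that `StrictHostKeyChecking=yes` enforces is obtained by `ssh-keyscan` in the same job, so it pins whatever the network answered at run time rather than a known-good value; keeping the AUR host key in a repository variable and writing that to `/tmp/aur_known_hosts` would make the strict check meaningful.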