22bef1fd0a4e8a7c67dc0a89cc238b4acb0ec094
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 enricobuehler
|
59bcfa1a12 |
fix(ci): rpm signing uses rpm's default signer; flatpak installs node before checkout
ci / rust (push) Successful in 1m10s
ci / web (push) Successful in 29s
android / android (push) Failing after 1m48s
ci / docs-site (push) Successful in 31s
ci / bench (push) Successful in 1m46s
decky / build-publish (push) Successful in 12s
apple / swift (push) Successful in 53s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
deb / build-publish (push) Failing after 2m39s
flatpak / build-publish (push) Successful in 4m1s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m13s
docker / deploy-docs (push) Successful in 20s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m51s
Two CI fixes:
- rpm signing (2nd bug): overriding %__gpg_sign_cmd via --define reached gpg with
%{__plaintext_filename}/%{__signature_filename} UNEXPANDED ("No such file or directory").
Stop overriding it — use rpm's default signer (which expands those correctly) and just set
_gpg_name; a passphrase-less key + loopback in gpg.conf makes gpg sign headless. (Requires a
passphrase-less signing key, as the runbook's %no-protection key is.)
- flatpak: the job runs in fedora:43 which has no node, so actions/checkout (a JS action) failed
with "node: not found". Install nodejs in a plain `run:` step (shell, no node needed) before
checkout. Also scope the heavy flatpak-builder run to client/core/manifest changes (+ tags) so
it stops rebuilding on every unrelated docs/host push (tag pushes still build — paths filters
only branch pushes).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
enricobuehler
|
0f17b6f864 |
fix(rpm): sign-rpms.sh — %{__gpg} is already the gpg binary, drop the literal gpg
apple / swift (push) Successful in 52s
ci / web (push) Successful in 29s
android / android (push) Failing after 1m51s
ci / docs-site (push) Successful in 33s
ci / bench (push) Successful in 1m49s
decky / build-publish (push) Successful in 11s
ci / rust (push) Failing after 1m12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
flatpak / build-publish (push) Failing after 2s
deb / build-publish (push) Failing after 2m52s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 5m17s
docker / deploy-docs (push) Successful in 17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 5m4s
The first signed CI run failed at the Sign step: `%{__gpg} gpg ...` expands to `<gpgpath> gpg ...`,
so gpg got a spurious `gpg` filename arg ("no command supplied", options "not considered"). Dropped
the literal `gpg` → `%{__gpg} --batch ...`. Validated locally: the corrected invocation parses as a
sign command (fails only with "No secret key", which is present in CI). The checksig gate did its
job — nothing published, installs stayed safe.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|
enricobuehler
|
1fd4c97139 |
feat(rpm): wire per-package GPG signing (dormant until a key secret is set)
apple / swift (push) Successful in 53s
ci / rust (push) Successful in 1m11s
ci / web (push) Successful in 32s
android / android (push) Failing after 1m51s
ci / docs-site (push) Successful in 30s
ci / bench (push) Successful in 1m47s
decky / build-publish (push) Successful in 12s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 4s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 19s
flatpak / build-publish (push) Failing after 2s
deb / build-publish (push) Failing after 2m43s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 5m19s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 5m15s
docker / deploy-docs (push) Successful in 5s
The audit's signing recommendation, scoped to RPM (apt's signed Release metadata already covers .debs; bootc cosign deferred). packaging/rpm/sign-rpms.sh GPG-signs dist/*.rpm and self-verifies (rpmkeys --checksig), run from rpm.yml between build + publish. Safe to ship: the step is a NO-OP (exit 0, unsigned as today) until RPM_GPG_PRIVATE_KEY is set as a CI secret — so it can't break current CI, and when enabled a bad macro fails loudly via the in-step checksig rather than shipping bad signatures. rpm/README gains the one-time enablement runbook (generate a dedicated passphrase-less key, add the secret, publish the public key, flip gpgcheck=1 only after a signed build lands) and notes step-ca is for TLS, not OpenPGP (it can't sign RPMs). Also fixes the rpm/README version staleness the doc review caught: rolling is 0.2.0-0.ciN (outranks the stray 0.1.1, no pin needed), host releases use host-v* not the client's v*. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |