# Build the punktfunk-host and punktfunk-client .debs and publish them to Gitea's Debian # package registry, so Ubuntu boxes get new builds via `apt update && apt upgrade`. Runs # inside the same Ubuntu 26.04 rust-ci builder image as ci.yml, so dpkg-shlibdeps pins the # runtime lib package names (libavcodec62, libpipewire-0.3-0t64, …) to exactly what the # target boxes run. # # Registry (public, unom org): https://git.unom.io/unom/-/packages # Box setup (once): see packaging/debian/README.md # # REGISTRY_TOKEN: repo Actions secret, a PAT with write:package scope (shared with docker.yml). name: deb on: push: branches: [main] # Single project version: a `vX.Y.Z` tag is THE release for every platform (see # docs-site channels.md). The old version-shadow (a client tag shipping a host package # that outranked rolling builds) is now structurally impossible — main publishes to the # `canary` apt distribution, tags to `stable`, so the two never share a version line. tags: ['v*'] workflow_dispatch: env: REGISTRY: git.unom.io OWNER: unom COMPONENT: main jobs: build-publish: runs-on: ubuntu-24.04 container: image: git.unom.io/unom/punktfunk-rust-ci:latest timeout-minutes: 90 steps: - uses: actions/checkout@v4 - name: Version + channel # vX.Y.Z tag -> X.Y.Z, published to the `stable` apt distribution (a real release). # A main push -> 0.3.0~ciN.g, published to the `canary` distribution: the '~' sorts # below the eventual 0.3.0 tag, it climbs monotonically by run number, and the canary base # stays one minor AHEAD of the latest stable so a stable->canary box re-point still moves # forward (see channels.md). Computed BEFORE the build so it's stamped into the binary # (PUNKTFUNK_BUILD_VERSION -> build.rs -> --version). run: | SHORT=$(echo "$GITHUB_SHA" | cut -c1-8) case "$GITHUB_REF" in refs/tags/v*) V="${GITHUB_REF_NAME#v}"; DIST=stable ;; *) V="0.3.0~ci${GITHUB_RUN_NUMBER}.g${SHORT}"; DIST=canary ;; esac echo "VERSION=$V" >> "$GITHUB_ENV" echo "DISTRIBUTION=$DIST" >> "$GITHUB_ENV" echo "package version $V -> apt distribution '$DIST'" # dpkg-shlibdeps (Depends resolution) + dpkg-deb live in dpkg-dev. The client's link # deps are also baked into the rust-ci image, but this job runs against the image # from the PREVIOUS push (docker.yml bootstrap note) — keep it green across image # changes; a no-op once the image has them. - name: dpkg-dev + client link deps run: | apt-get update # python3 is used by scripts/ci/gitea-release.sh for the stable-tag release attach. apt-get install -y --no-install-recommends dpkg-dev python3 \ libgtk-4-dev libadwaita-1-dev libsdl3-dev # Share ci.yml's cache keys so the release build reuses its registry + target artifacts. - name: Cache keys run: echo "rustc=$(rustc --version | cut -d' ' -f2)" >> "$GITHUB_ENV" - uses: actions/cache@v4 with: path: | /usr/local/cargo/registry /usr/local/cargo/git key: cargo-home-${{ hashFiles('Cargo.lock') }} restore-keys: cargo-home- - uses: actions/cache@v4 with: path: target # -v3-: bypass a target cache poisoned by a disk-full build (see ci.yml). Shares the # key with ci.yml so the release build reuses its clean artifacts. key: cargo-target-v3-${{ env.rustc }}-${{ hashFiles('Cargo.lock') }} restore-keys: cargo-target-v3-${{ env.rustc }}- - name: Build release host + client env: PUNKTFUNK_BUILD_VERSION: ${{ env.VERSION }} # stamped into the binary (build.rs) run: | git config --global --add safe.directory "$PWD" cargo build --release -p punktfunk-host -p punktfunk-client-linux --locked - name: Build + smoke-boot web console (node-server preset) # Gate the .deb on a real node boot: the punktfunk-web .deb runs `node .output/server`, # so prove the node-server build exists, isn't a bun bundle, and actually serves /login. run: | # bun builds the console. It's baked into the rust-ci image, but bootstrap it here too so # the job stays green against the PREVIOUS image (docker.yml bootstrap lag). command -v bun >/dev/null || { apt-get install -y --no-install-recommends unzip curl -fsSL https://bun.sh/install | bash } export PATH="$HOME/.bun/bin:$PATH" cd web bun install --frozen-lockfile bun run build if grep -q 'Bun\.serve' .output/server/index.mjs; then echo "ERROR: web build is a bun bundle (Bun.serve) — need the node-server preset"; exit 1 fi PORT=3009 HOST=127.0.0.1 PUNKTFUNK_UI_PASSWORD=ci node .output/server/index.mjs & NP=$!; sleep 3 code=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:3009/login || echo 000) kill "$NP" 2>/dev/null || true echo "web console smoke: /login -> $code" [ "$code" = 200 ] || { echo "ERROR: web console failed to boot under node"; exit 1; } - name: Build .debs run: | VERSION="$VERSION" bash packaging/debian/build-deb.sh VERSION="$VERSION" bash packaging/debian/build-client-deb.sh VERSION="$VERSION" bash packaging/debian/build-web-deb.sh - name: Publish to the Gitea apt registry env: TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | for DEB in dist/*.deb; do echo "uploading $DEB" # PAT owner (enricobuehler), not the push actor — matches docker.yml's registry login. curl -fsS --user "enricobuehler:$TOKEN" --upload-file "$DEB" \ "https://$REGISTRY/api/packages/$OWNER/debian/pool/$DISTRIBUTION/$COMPONENT/upload" done echo "published to $OWNER/debian $DISTRIBUTION/$COMPONENT" # On a real release, also attach the .debs to the unified Gitea Release so they're on the # downloads page next to every other platform's artifact (canary builds live in the apt # `canary` distribution above — no release page for those). - name: Attach .debs to the Gitea release (stable tags only) if: startsWith(gitea.ref, 'refs/tags/v') env: GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | . scripts/ci/gitea-release.sh RID=$(ensure_release "$GITHUB_REF_NAME" "$GITHUB_REF_NAME" auto) for DEB in dist/*.deb; do upsert_asset "$RID" "$DEB" done