2190dad2ad
Layering is a last resort per the Bazzite docs (slows every OS update, can block upgrades until removed); a sysext never enters an rpm-ostree transaction, survives OS updates, and installs/updates with no reboot — the mechanism Fedora Atomic ships via fedora-sysexts. - build-sysext.sh wraps the built host+web RPMs into punktfunk-<V-R>-x86-64.raw: /etc payload relocated to /usr/share/punktfunk/etc (a sysext carries only /usr), the punktfunk-sysext helper embedded, ID=fedora + VERSION_ID pinned (merges on Bazzite via ID_LIKE; REFUSED after a major rebase instead of running soname-broken binaries — both behaviors validated live on Bazzite 43). SELinux labels are baked in as squashfs pseudo-xattrs from matchpathcon: unlabeled files run fine for user units but system daemons are DENIED (udev couldn't read the gamepad rule under enforcing) — validated on-glass. Refuses duplicate input package names (a stale noarch punktfunk-web next to the x86_64 one built a chimera image with the dead node launcher once). - punktfunk-sysext.sh: install/update/status/remove against per-Fedora-major feeds (…/generic/punktfunk-sysext/f43[-canary]), SHA-256-verified, applies the udev/sysctl scriptlet work + /etc copies, prints the layering-migration hint. Live-validated on the .41 Bazzite box incl. service restart + web console. - publish-sysext-feed.sh + rpm.yml: build + publish the image per matrix leg (fedver 43/44), canary feeds pruned to 6, stable release assets attached. - update-punktfunk.sh warns when the sysext shadows a layered install. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
163 lines
8.0 KiB
YAML
163 lines
8.0 KiB
YAML
# Build the punktfunk-host RPM and publish it to Gitea's RPM package registry, so Bazzite /
|
|
# Fedora Atomic hosts layer + update it with rpm-ostree. Counterpart to deb.yml (apt). Runs in
|
|
# the Fedora 43 builder image (ci/fedora-rpm.Dockerfile) so the RPM's auto library Requires
|
|
# (libavcodec.so.NN, …) match the target's sonames.
|
|
#
|
|
# Registry (public, unom org), group "bazzite":
|
|
# repo file https://git.unom.io/api/packages/unom/rpm/bazzite.repo
|
|
# Box setup (once): see packaging/rpm/README.md
|
|
#
|
|
# REGISTRY_TOKEN: repo Actions secret, a PAT with write:package scope (shared with docker.yml).
|
|
name: rpm
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
# Single project version: a `vX.Y.Z` tag is THE release. main publishes to the `*-canary` rpm
|
|
# groups, tags to the base groups (`bazzite`/`fedora-44`) — separate repos, so the old
|
|
# version-shadow (a release outranking rolling builds in one group) is structurally gone.
|
|
tags: ['v*']
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
REGISTRY: git.unom.io
|
|
OWNER: unom
|
|
|
|
jobs:
|
|
build-publish:
|
|
runs-on: ubuntu-24.04
|
|
# One RPM per target whose ffmpeg soname must match (a binary RPM is soname-coupled to its
|
|
# base): Fedora 43 == Bazzite (libavcodec.so.61), Fedora 44 == the Fedora KDE spin (.so.62).
|
|
# Each builds in its matching builder image and publishes to its own registry group.
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- image: punktfunk-fedora-rpm # Fedora 43 == Bazzite base
|
|
group: bazzite
|
|
fedver: 43
|
|
- image: punktfunk-fedora44-rpm # Fedora 44 == Fedora KDE spin
|
|
group: fedora-44
|
|
fedver: 44
|
|
container:
|
|
image: git.unom.io/unom/${{ matrix.image }}:latest
|
|
timeout-minutes: 90
|
|
env:
|
|
CARGO_HOME: /usr/local/cargo
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
# rpmbuild + git archive need the checkout trusted; cache the crates download.
|
|
# The client link deps are also baked into the fedora-rpm image, but this job runs
|
|
# against the image from the PREVIOUS push (docker.yml bootstrap note) — keep it
|
|
# green across image changes; a no-op once the image has them.
|
|
- name: Prep
|
|
run: |
|
|
git config --global --add safe.directory "$PWD"
|
|
dnf -y install gtk4-devel libadwaita-devel SDL3-devel
|
|
# sysext build (packaging/bazzite/build-sysext.sh): squashfs + SELinux labeling.
|
|
dnf -y install squashfs-tools cpio libselinux-utils selinux-policy-targeted
|
|
# bun builds the punktfunk-web console (--with web). Baked into the image; install it
|
|
# here too so the job stays green against the PREVIOUS image (docker.yml bootstrap note).
|
|
command -v bun >/dev/null || {
|
|
dnf -y install unzip
|
|
curl -fsSL https://bun.sh/install | bash
|
|
install -m0755 "$HOME/.bun/bin/bun" /usr/local/bin/bun
|
|
}
|
|
bun --version
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: /usr/local/cargo/registry
|
|
key: cargo-home-${{ hashFiles('Cargo.lock') }}
|
|
restore-keys: cargo-home-
|
|
|
|
- name: Version + channel
|
|
# vX.Y.Z tag -> X.Y.Z-1 in the base group (a real release); main push -> <next-minor>-0.ciN.g<sha>
|
|
# in the `<base>-canary` group, whose "0." release sorts below the eventual <next-minor>-1 yet
|
|
# climbs by run number. The canary base is derived one minor ahead of the latest stable tag
|
|
# (scripts/ci/pf-version.sh) so a stable->canary box re-point still moves forward. The spec %build stamps
|
|
# PUNKTFUNK_BUILD_VERSION from these macros into the binary (--version provenance).
|
|
run: |
|
|
eval "$(bash scripts/ci/pf-version.sh)" # -> PF_BASE (one minor ahead of the latest stable tag)
|
|
SHORT=$(echo "$GITHUB_SHA" | cut -c1-8)
|
|
case "$GITHUB_REF" in
|
|
refs/tags/v*) V="${GITHUB_REF_NAME#v}"; R="1"; GROUP="${{ matrix.group }}" ;;
|
|
*) V="$PF_BASE"; R="0.ci${GITHUB_RUN_NUMBER}.g${SHORT}"; GROUP="${{ matrix.group }}-canary" ;;
|
|
esac
|
|
echo "PF_VERSION=$V" >> "$GITHUB_ENV"
|
|
echo "PF_RELEASE=$R" >> "$GITHUB_ENV"
|
|
echo "GROUP=$GROUP" >> "$GITHUB_ENV"
|
|
echo "rpm $V-$R -> group '$GROUP'"
|
|
|
|
- name: Build RPM
|
|
# PF_WITH_WEB=1 → also build the noarch punktfunk-web subpackage (the publish loop below
|
|
# globs it in; the host RPM Recommends it). Needs bun (ensured in Prep).
|
|
run: PF_VERSION="$PF_VERSION" PF_RELEASE="$PF_RELEASE" PF_WITH_WEB=1 bash packaging/rpm/build-rpm.sh
|
|
|
|
- name: Sign RPMs (dormant until RPM_GPG_PRIVATE_KEY is set — see packaging/rpm/README.md)
|
|
env:
|
|
RPM_GPG_PRIVATE_KEY: ${{ secrets.RPM_GPG_PRIVATE_KEY }}
|
|
RPM_GPG_PASSPHRASE: ${{ secrets.RPM_GPG_PASSPHRASE }}
|
|
run: bash packaging/rpm/sign-rpms.sh
|
|
|
|
- name: Publish to the Gitea RPM registry
|
|
env:
|
|
TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
|
run: |
|
|
# Publish only the main package (skip -debuginfo/-debugsource subpackages).
|
|
for rpm in dist/*.rpm; do
|
|
case "$rpm" in *debuginfo*|*debugsource*) echo "skip $rpm"; continue;; esac
|
|
echo "uploading $rpm"
|
|
# A re-tagged release re-fires this workflow and the rpm registry 409s on duplicate
|
|
# package versions — delete any prior copy of this exact name/version-release/arch
|
|
# first (404 on the first publish is fine).
|
|
NAME=$(rpm -qp --qf '%{NAME}' "$rpm" 2>/dev/null)
|
|
VR=$(rpm -qp --qf '%{VERSION}-%{RELEASE}' "$rpm" 2>/dev/null)
|
|
ARCH=$(rpm -qp --qf '%{ARCH}' "$rpm" 2>/dev/null)
|
|
curl -fsS -o /dev/null --user "enricobuehler:$TOKEN" -X DELETE \
|
|
"https://$REGISTRY/api/packages/$OWNER/rpm/$GROUP/package/$NAME/$VR/$ARCH" || true
|
|
curl -fsS --user "enricobuehler:$TOKEN" --upload-file "$rpm" \
|
|
"https://$REGISTRY/api/packages/$OWNER/rpm/$GROUP/upload"
|
|
done
|
|
echo "published to $OWNER/rpm/$GROUP"
|
|
|
|
# The no-layering Bazzite path: wrap the just-built host + web RPMs into a systemd-sysext
|
|
# image and publish it to the per-Fedora-major feed (punktfunk-sysext/f43[-canary], …) that
|
|
# `punktfunk-sysext install|update` reads. Same RPMs, same channels — just no rpm-ostree.
|
|
- name: Build the sysext image
|
|
run: |
|
|
bash packaging/bazzite/build-sysext.sh --version-id "${{ matrix.fedver }}" \
|
|
--out "dist-sysext/punktfunk-${PF_VERSION}-${PF_RELEASE}-x86-64.raw" \
|
|
dist/punktfunk-"${PF_VERSION}-${PF_RELEASE}"*.rpm \
|
|
dist/punktfunk-web-"${PF_VERSION}-${PF_RELEASE}"*.rpm
|
|
|
|
- name: Publish the sysext feed
|
|
env:
|
|
TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
|
run: |
|
|
case "$GROUP" in
|
|
*-canary) FEED="f${{ matrix.fedver }}-canary"; KEEP=6 ;; # rolling: bound the pile-up
|
|
*) FEED="f${{ matrix.fedver }}"; KEEP=0 ;; # stable: keep every release
|
|
esac
|
|
KEEP=$KEEP bash packaging/bazzite/publish-sysext-feed.sh "$FEED" \
|
|
"dist-sysext/punktfunk-${PF_VERSION}-${PF_RELEASE}-x86-64.raw"
|
|
|
|
# On a real release, also attach the .rpms to the unified Gitea Release. Both Fedora bases
|
|
# (bazzite=F43, fedora-44) build the SAME filename, so suffix the asset with the base to keep
|
|
# both on the release; canary builds live in the `*-canary` rpm groups (no release page).
|
|
- name: Attach .rpms to the Gitea release (stable tags only)
|
|
if: startsWith(gitea.ref, 'refs/tags/v')
|
|
env:
|
|
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
|
run: |
|
|
. scripts/ci/gitea-release.sh
|
|
RID=$(ensure_release "$GITHUB_REF_NAME" "$GITHUB_REF_NAME" auto)
|
|
for rpm in dist/*.rpm; do
|
|
case "$rpm" in *debuginfo*|*debugsource*) continue;; esac
|
|
base="$(basename "$rpm" .rpm)"
|
|
upsert_asset "$RID" "$rpm" "${base}.${{ matrix.group }}.rpm"
|
|
done
|
|
for raw in dist-sysext/*.raw; do
|
|
upsert_asset "$RID" "$raw" "$(basename "$raw" .raw).f${{ matrix.fedver }}.raw"
|
|
done
|