From 2b1e08e12dc92d5b1d82ef491ba6c8a4a4bec0d1 Mon Sep 17 00:00:00 2001 From: grenade Date: Thu, 2 Jul 2026 06:13:23 +0000 Subject: [PATCH] Add build-release workflow: package + publish to rpm.lair.cafe (fc43, fc44) --- .gitea/workflows/build-release.yml | 161 +++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 .gitea/workflows/build-release.yml diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml new file mode 100644 index 0000000..8b84fe8 --- /dev/null +++ b/.gitea/workflows/build-release.yml @@ -0,0 +1,161 @@ +name: build-release + +on: + workflow_dispatch: + inputs: + version: + description: "claude-desktop upstream version (e.g. 1.17377.2)" + required: true + type: string + +concurrency: + group: build-release + cancel-in-progress: false + +env: + APT_BASE: https://downloads.claude.ai/claude-desktop/apt/stable + +jobs: + package: + runs-on: rpm + strategy: + fail-fast: false + matrix: + fedora_version: ["43", "44"] + steps: + - uses: actions/checkout@v4 + + - name: Resolve .deb URL and checksum + id: deb + run: | + packages_url="${APT_BASE}/dists/stable/main/binary-amd64/Packages" + # paragraph-mode match on the exact Version: stanza (dots escaped) + escaped=$(printf '%s' "${VERSION}" | sed 's/\./\\./g') + stanza=$(curl --silent --show-error --fail --location "${packages_url}" \ + | awk -v RS='' -v v="${escaped}" '$0 ~ ("(^|\n)Version: " v "(\n|$)")') + if [ -z "${stanza}" ]; then + echo "version ${VERSION} not found in ${packages_url}"; exit 1 + fi + filename=$(printf '%s\n' "${stanza}" | awk '/^Filename:/{print $2; exit}') + sha256=$(printf '%s\n' "${stanza}" | awk '/^SHA256:/{print $2; exit}') + echo "url=${APT_BASE}/${filename}" >> "$GITHUB_OUTPUT" + echo "sha256=${sha256}" >> "$GITHUB_OUTPUT" + echo "resolved ${VERSION}: ${APT_BASE}/${filename} (sha256 ${sha256})" + env: + VERSION: ${{ inputs.version }} + + - name: Download and verify .deb + run: | + curl --silent --show-error --fail --location \ + --output "claude-desktop_${VERSION}_amd64.deb" \ + "${DEB_URL}" + echo "${DEB_SHA256} claude-desktop_${VERSION}_amd64.deb" | sha256sum --check --strict + env: + VERSION: ${{ inputs.version }} + DEB_URL: ${{ steps.deb.outputs.url }} + DEB_SHA256: ${{ steps.deb.outputs.sha256 }} + + - name: Build RPM + run: | + rm -f ~/.rpmmacros + rpmdev-setuptree + cp "claude-desktop_${VERSION}_amd64.deb" ~/rpmbuild/SOURCES/ + # generated %changelog entry — upstream ships no git repo to mine + cp rpm/claude-desktop.spec /tmp/claude-desktop.spec + { + echo "* $(LC_ALL=C date '+%a %b %d %Y') lair CI - ${VERSION}-1" + echo "- Automated repackage of upstream claude-desktop ${VERSION} .deb" + } >> /tmp/claude-desktop.spec + rpmbuild -bb /tmp/claude-desktop.spec \ + --define "claude_desktop_version ${VERSION}" \ + --undefine dist \ + --define "dist .fc${{ matrix.fedora_version }}" + env: + VERSION: ${{ inputs.version }} + + - name: Upload RPM + uses: actions/upload-artifact@v3 + with: + name: rpm-fc${{ matrix.fedora_version }} + path: ~/rpmbuild/RPMS/x86_64/*.rpm + retention-days: 7 + + publish: + needs: package + runs-on: rpm + env: + RPM_REPO_HOST: oolon.kosherinata.internal + strategy: + fail-fast: false + matrix: + fedora_version: ["43", "44"] + steps: + - uses: actions/checkout@v4 + + - name: Download RPMs for fc${{ matrix.fedora_version }} + uses: actions/download-artifact@v3 + with: + path: rpms/ + pattern: rpm-fc${{ matrix.fedora_version }} + + - name: Flatten RPM artifacts + run: | + find rpms/ -name '*.rpm' -exec mv --target-directory=rpms/ {} + + find rpms/ -mindepth 1 -type d -empty -delete + + - name: Check for sequoia-sq + run: | + if ! command -v sq &> /dev/null; then + echo "ERROR: sequoia-sq is not installed. Install with: sudo dnf install sequoia-sq" + exit 1 + fi + + - name: Import signing key + run: | + echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import + fpr=$(gpg --batch --with-colons --list-keys "${{ secrets.RPM_SIGNING_KEY_ID }}" | awk -F: '/^fpr:/ { print $10; exit }') + echo "${fpr}:6:" | gpg --batch --import-ownertrust + sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros + + - name: Sign RPMs + run: | + for rpm in rpms/*.rpm; do + echo "signing ${rpm}..." + rpm --addsign "${rpm}" + done + + - name: Set up SSH + run: | + install --directory --mode 700 ~/.ssh + echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519 + env: + RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }} + + - name: Test SSH connectivity + run: | + ssh -o StrictHostKeyChecking=accept-new "gitea_ci@${RPM_REPO_HOST}" exit + + - name: Sync RPMs to repo + run: | + rsync \ + --archive \ + --verbose \ + --chmod D755,F644 \ + rpms/*.rpm \ + "gitea_ci@${RPM_REPO_HOST}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/" + + - name: Update repo metadata + run: | + # flock guards createrepo against concurrent publishes into the + # shared repo tree (other package repos publish here too). + ssh "gitea_ci@${RPM_REPO_HOST}" \ + "flock /var/www/rpm/.publish.lock -c 'cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update .'" + + - name: Generate packages.json + run: | + scp script/generate-packages-json.py "gitea_ci@${RPM_REPO_HOST}:/tmp/" + ssh "gitea_ci@${RPM_REPO_HOST}" \ + "flock /var/www/rpm/.publish.lock -c 'python3 /tmp/generate-packages-json.py \ + --repodata-dir /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/repodata \ + --output /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/packages.json \ + --base-url https://rpm.lair.cafe/fedora/${{ matrix.fedora_version }}/x86_64'"