name: build-release on: workflow_dispatch: inputs: version: description: "claude-desktop upstream version (e.g. 1.17377.2)" required: true type: string concurrency: group: build-release cancel-in-progress: false env: APT_BASE: https://downloads.claude.ai/claude-desktop/apt/stable jobs: package: runs-on: rpm strategy: fail-fast: false matrix: fedora_version: ["43", "44"] steps: - uses: actions/checkout@v4 - name: Resolve .deb URL and checksum id: deb run: | packages_url="${APT_BASE}/dists/stable/main/binary-amd64/Packages" # paragraph-mode match on the exact Version: stanza (dots escaped) escaped=$(printf '%s' "${VERSION}" | sed 's/\./\\./g') stanza=$(curl --silent --show-error --fail --location "${packages_url}" \ | awk -v RS='' -v v="${escaped}" '$0 ~ ("(^|\n)Version: " v "(\n|$)")') if [ -z "${stanza}" ]; then echo "version ${VERSION} not found in ${packages_url}"; exit 1 fi filename=$(printf '%s\n' "${stanza}" | awk '/^Filename:/{print $2; exit}') sha256=$(printf '%s\n' "${stanza}" | awk '/^SHA256:/{print $2; exit}') echo "url=${APT_BASE}/${filename}" >> "$GITHUB_OUTPUT" echo "sha256=${sha256}" >> "$GITHUB_OUTPUT" echo "resolved ${VERSION}: ${APT_BASE}/${filename} (sha256 ${sha256})" env: VERSION: ${{ inputs.version }} - name: Download and verify .deb run: | curl --silent --show-error --fail --location \ --output "claude-desktop_${VERSION}_amd64.deb" \ "${DEB_URL}" echo "${DEB_SHA256} claude-desktop_${VERSION}_amd64.deb" | sha256sum --check --strict env: VERSION: ${{ inputs.version }} DEB_URL: ${{ steps.deb.outputs.url }} DEB_SHA256: ${{ steps.deb.outputs.sha256 }} - name: Build RPM run: | rm -f ~/.rpmmacros rpmdev-setuptree cp "claude-desktop_${VERSION}_amd64.deb" ~/rpmbuild/SOURCES/ # generated %changelog entry — upstream ships no git repo to mine cp rpm/claude-desktop.spec /tmp/claude-desktop.spec { echo "* $(LC_ALL=C date '+%a %b %d %Y') lair CI - ${VERSION}-1" echo "- Automated repackage of upstream claude-desktop ${VERSION} .deb" } >> /tmp/claude-desktop.spec rpmbuild -bb /tmp/claude-desktop.spec \ --define "claude_desktop_version ${VERSION}" \ --undefine dist \ --define "dist .fc${{ matrix.fedora_version }}" env: VERSION: ${{ inputs.version }} - name: Upload RPM uses: actions/upload-artifact@v3 with: name: rpm-fc${{ matrix.fedora_version }} path: ~/rpmbuild/RPMS/x86_64/*.rpm retention-days: 7 publish: needs: package runs-on: rpm env: RPM_REPO_HOST: oolon.kosherinata.internal strategy: fail-fast: false matrix: fedora_version: ["43", "44"] steps: - uses: actions/checkout@v4 - name: Download RPMs for fc${{ matrix.fedora_version }} uses: actions/download-artifact@v3 with: path: rpms/ pattern: rpm-fc${{ matrix.fedora_version }} - name: Flatten RPM artifacts run: | find rpms/ -name '*.rpm' -exec mv --target-directory=rpms/ {} + find rpms/ -mindepth 1 -type d -empty -delete - name: Check for sequoia-sq run: | if ! command -v sq &> /dev/null; then echo "ERROR: sequoia-sq is not installed. Install with: sudo dnf install sequoia-sq" exit 1 fi - name: Import signing key run: | echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import fpr=$(gpg --batch --with-colons --list-keys "${{ secrets.RPM_SIGNING_KEY_ID }}" | awk -F: '/^fpr:/ { print $10; exit }') echo "${fpr}:6:" | gpg --batch --import-ownertrust sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros - name: Sign RPMs run: | for rpm in rpms/*.rpm; do echo "signing ${rpm}..." rpm --addsign "${rpm}" done - name: Set up SSH run: | install --directory --mode 700 ~/.ssh echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519 env: RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }} - name: Test SSH connectivity run: | ssh -o StrictHostKeyChecking=accept-new "gitea_ci@${RPM_REPO_HOST}" exit - name: Sync RPMs to repo run: | rsync \ --archive \ --verbose \ --chmod D755,F644 \ rpms/*.rpm \ "gitea_ci@${RPM_REPO_HOST}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/" - name: Update repo metadata run: | # flock guards createrepo against concurrent publishes into the # shared repo tree (other package repos publish here too). ssh "gitea_ci@${RPM_REPO_HOST}" \ "flock /var/www/rpm/.publish.lock -c 'cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update .'" - name: Generate packages.json run: | scp script/generate-packages-json.py "gitea_ci@${RPM_REPO_HOST}:/tmp/" ssh "gitea_ci@${RPM_REPO_HOST}" \ "flock /var/www/rpm/.publish.lock -c 'python3 /tmp/generate-packages-json.py \ --repodata-dir /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/repodata \ --output /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/packages.json \ --base-url https://rpm.lair.cafe/fedora/${{ matrix.fedora_version }}/x86_64'"