Files
claude-desktop-package/.gitea/workflows/build-release.yml

162 lines
5.8 KiB
YAML

name: build-release
on:
workflow_dispatch:
inputs:
version:
description: "claude-desktop upstream version (e.g. 1.17377.2)"
required: true
type: string
concurrency:
group: build-release
cancel-in-progress: false
env:
APT_BASE: https://downloads.claude.ai/claude-desktop/apt/stable
jobs:
package:
runs-on: rpm
strategy:
fail-fast: false
matrix:
fedora_version: ["43", "44"]
steps:
- uses: actions/checkout@v4
- name: Resolve .deb URL and checksum
id: deb
run: |
packages_url="${APT_BASE}/dists/stable/main/binary-amd64/Packages"
# paragraph-mode match on the exact Version: stanza (dots escaped)
escaped=$(printf '%s' "${VERSION}" | sed 's/\./\\./g')
stanza=$(curl --silent --show-error --fail --location "${packages_url}" \
| awk -v RS='' -v v="${escaped}" '$0 ~ ("(^|\n)Version: " v "(\n|$)")')
if [ -z "${stanza}" ]; then
echo "version ${VERSION} not found in ${packages_url}"; exit 1
fi
filename=$(printf '%s\n' "${stanza}" | awk '/^Filename:/{print $2; exit}')
sha256=$(printf '%s\n' "${stanza}" | awk '/^SHA256:/{print $2; exit}')
echo "url=${APT_BASE}/${filename}" >> "$GITHUB_OUTPUT"
echo "sha256=${sha256}" >> "$GITHUB_OUTPUT"
echo "resolved ${VERSION}: ${APT_BASE}/${filename} (sha256 ${sha256})"
env:
VERSION: ${{ inputs.version }}
- name: Download and verify .deb
run: |
curl --silent --show-error --fail --location \
--output "claude-desktop_${VERSION}_amd64.deb" \
"${DEB_URL}"
echo "${DEB_SHA256} claude-desktop_${VERSION}_amd64.deb" | sha256sum --check --strict
env:
VERSION: ${{ inputs.version }}
DEB_URL: ${{ steps.deb.outputs.url }}
DEB_SHA256: ${{ steps.deb.outputs.sha256 }}
- name: Build RPM
run: |
rm -f ~/.rpmmacros
rpmdev-setuptree
cp "claude-desktop_${VERSION}_amd64.deb" ~/rpmbuild/SOURCES/
# generated %changelog entry — upstream ships no git repo to mine
cp rpm/claude-desktop.spec /tmp/claude-desktop.spec
{
echo "* $(LC_ALL=C date '+%a %b %d %Y') lair CI <ci@lair.cafe> - ${VERSION}-1"
echo "- Automated repackage of upstream claude-desktop ${VERSION} .deb"
} >> /tmp/claude-desktop.spec
rpmbuild -bb /tmp/claude-desktop.spec \
--define "claude_desktop_version ${VERSION}" \
--undefine dist \
--define "dist .fc${{ matrix.fedora_version }}"
env:
VERSION: ${{ inputs.version }}
- name: Upload RPM
uses: actions/upload-artifact@v3
with:
name: rpm-fc${{ matrix.fedora_version }}
path: ~/rpmbuild/RPMS/x86_64/*.rpm
retention-days: 7
publish:
needs: package
runs-on: rpm
env:
RPM_REPO_HOST: oolon.kosherinata.internal
strategy:
fail-fast: false
matrix:
fedora_version: ["43", "44"]
steps:
- uses: actions/checkout@v4
- name: Download RPMs for fc${{ matrix.fedora_version }}
uses: actions/download-artifact@v3
with:
path: rpms/
pattern: rpm-fc${{ matrix.fedora_version }}
- name: Flatten RPM artifacts
run: |
find rpms/ -name '*.rpm' -exec mv --target-directory=rpms/ {} +
find rpms/ -mindepth 1 -type d -empty -delete
- name: Check for sequoia-sq
run: |
if ! command -v sq &> /dev/null; then
echo "ERROR: sequoia-sq is not installed. Install with: sudo dnf install sequoia-sq"
exit 1
fi
- name: Import signing key
run: |
echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import
fpr=$(gpg --batch --with-colons --list-keys "${{ secrets.RPM_SIGNING_KEY_ID }}" | awk -F: '/^fpr:/ { print $10; exit }')
echo "${fpr}:6:" | gpg --batch --import-ownertrust
sed "s/@GPG_NAME@/${{ secrets.RPM_SIGNING_KEY_ID }}/" rpm/rpmmacros > ~/.rpmmacros
- name: Sign RPMs
run: |
for rpm in rpms/*.rpm; do
echo "signing ${rpm}..."
rpm --addsign "${rpm}"
done
- name: Set up SSH
run: |
install --directory --mode 700 ~/.ssh
echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
env:
RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}
- name: Test SSH connectivity
run: |
ssh -o StrictHostKeyChecking=accept-new "gitea_ci@${RPM_REPO_HOST}" exit
- name: Sync RPMs to repo
run: |
rsync \
--archive \
--verbose \
--chmod D755,F644 \
rpms/*.rpm \
"gitea_ci@${RPM_REPO_HOST}:/var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/"
- name: Update repo metadata
run: |
# flock guards createrepo against concurrent publishes into the
# shared repo tree (other package repos publish here too).
ssh "gitea_ci@${RPM_REPO_HOST}" \
"flock /var/www/rpm/.publish.lock -c 'cd /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64 && createrepo_c --update .'"
- name: Generate packages.json
run: |
scp script/generate-packages-json.py "gitea_ci@${RPM_REPO_HOST}:/tmp/"
ssh "gitea_ci@${RPM_REPO_HOST}" \
"flock /var/www/rpm/.publish.lock -c 'python3 /tmp/generate-packages-json.py \
--repodata-dir /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/repodata \
--output /var/www/rpm/fedora/${{ matrix.fedora_version }}/x86_64/packages.json \
--base-url https://rpm.lair.cafe/fedora/${{ matrix.fedora_version }}/x86_64'"