build: automatically update APT repository on release

This uses https://github.com/kastelo/ezapt to generate and sign the archive, and uploads it to blob storage.
2024-12-22 02:48:59 +00:00 · 2024-11-24 21:21:49 +01:00 · 2024-11-24 21:21:49 +01:00 · 612fdff377
commit 612fdff377
parent 8ccb7f1924
1 changed files with 82 additions and 0 deletions
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@ -725,6 +725,88 @@ jobs:
        with:
          args: sync objstore:${{ secrets.S3_BUCKET }}/release/${{ env.VERSION }} objstore:${{ secrets.S3_BUCKET }}/release/latest

+  #
+  # Push Debian/APT archive
+  #
+
+  publish-apt:
+    name: Publish APT
+    if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
+    environment: signing
+    needs:
+      - basics
+      - package-debian
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download packages
+        uses: actions/download-artifact@v4
+        with:
+          name: debian-packages
+          path: packages
+
+      - name: Set version
+        run: |
+          version=$(go run build.go version)
+          echo "Version: $version"
+          echo "VERSION=$version" >> $GITHUB_ENV
+
+      # Decide whether packages should go to stable, candidate or nightly
+      - name: Prepare packages
+        run: |
+          kind=stable
+          if [[ $VERSION == *-rc.[0-9] ]] ; then
+            kind=candidate
+          elif [[ $VERSION == *-* ]] ; then
+            kind=nightly
+          fi
+          echo "Kind: $kind"
+          mkdir -p packages/syncthing/$kind
+          mv packages/*.deb packages/syncthing/$kind
+
+      - name: Pull archive
+        uses: docker://docker.io/rclone/rclone:latest
+        env:
+          RCLONE_CONFIG_OBJSTORE_TYPE: s3
+          RCLONE_CONFIG_OBJSTORE_PROVIDER: ${{ secrets.S3_PROVIDER }}
+          RCLONE_CONFIG_OBJSTORE_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
+          RCLONE_CONFIG_OBJSTORE_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
+          RCLONE_CONFIG_OBJSTORE_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
+          RCLONE_CONFIG_OBJSTORE_REGION: ${{ secrets.S3_REGION }}
+          RCLONE_CONFIG_OBJSTORE_ACL: public-read
+        with:
+          args: sync objstore:syncthing-apt/dists dists
+
+      - name: Prepare signing key
+        run: |
+          echo "$APT_GPG_KEYRING_BASE64" | base64 -d > keyring.pgp
+        env:
+          APT_GPG_KEYRING_BASE64: ${{ secrets.APT_GPG_KEYRING_BASE64 }}
+
+      - name: Update archive
+        uses: docker://ghcr.io/kastelo/ezapt:latest
+        with:
+          args:
+            --add packages
+            --dists dists
+            --keyring keyring.pgp
+
+      - name: Push archive
+        uses: docker://docker.io/rclone/rclone:latest
+        env:
+          RCLONE_CONFIG_OBJSTORE_TYPE: s3
+          RCLONE_CONFIG_OBJSTORE_PROVIDER: ${{ secrets.S3_PROVIDER }}
+          RCLONE_CONFIG_OBJSTORE_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY_ID }}
+          RCLONE_CONFIG_OBJSTORE_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY }}
+          RCLONE_CONFIG_OBJSTORE_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
+          RCLONE_CONFIG_OBJSTORE_REGION: ${{ secrets.S3_REGION }}
+          RCLONE_CONFIG_OBJSTORE_ACL: public-read
+        with:
+          args: sync dists -v objstore:syncthing-apt/dists
+
  #
  # Build and push to Docker Hub
  #