Auto sign built code (#9)

* Bump to pypy 7.3.14 and alpine 19 * Ignore python2.7 docker container for now * Use 7.3.14 for pypy * Verify releases
Cyb3r-Jak3 · Jan 1, 2024 · df5f7d2 · df5f7d2
1 parent 72bd8b6
commit df5f7d2
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 22 deletions.
diff --git a/.github/release.py b/.github/release.py
@@ -1,21 +1,23 @@
 import os
 import requests
 
+
 def save_file(url: str) -> None:
     """Saves a file from R2"""
     resp = requests.get(url, timeout=300)
     if resp.status_code == 200:
         with open(url.split("/")[-1], "wb") as file:
-                file.write(resp.content)
+            file.write(resp.content)
     else:
         raise Exception(f"Failed to download {url} with status code {resp.status_code}")
 
+
 def main():
     PYPY_BASE = os.environ["PYPY_BASE"]
     PYPY_VERSION = os.environ["PYPY_VERSION"]
-    PYPY_BASES= PYPY_BASE.split(",")
+    PYPY_BASES = PYPY_BASE.split(",")
     ARCHES = ["x86_64", "aarch64"]
-    base_url= "https://pypy.cyberjake.xyz/pypy/{base}/pypy{base}-v{pypy_version}-linux-{arch}-alpine.tar.bz2"
+    base_url = "https://pypy.cyberjake.xyz/pypy/{base}/pypy{base}-v{pypy_version}-linux-{arch}-alpine.tar.bz2"
     for base in PYPY_BASES:
         for arch in ARCHES:
             file_url = base_url.format(
@@ -26,5 +28,6 @@ def main():
             save_file(file_url)
             save_file(f"{file_url}.sig")
 
+
 if __name__ == "__main__":
-    main()
+    main()
diff --git a/.github/sign.py b/.github/sign.py
@@ -0,0 +1,22 @@
+import subprocess
+import sys
+import hashlib
+
+BUF_SIZE = 1048576   # lets read stuff in 64kb chunks!
+
+
+def sign(filename: str):
+    subprocess.run(["gpg", "--quiet", "--batch", "--yes", "--detach-sign", filename])
+    sha256sum = hashlib.sha256()
+    with open(sys.argv[1], 'rb') as f:
+        while True:
+            data = f.read(BUF_SIZE)
+            if not data:
+                break
+            sha256sum.update(data)
+    with open(f"{filename}.sha256sum", "w") as f:
+        f.write(f"{sha256sum.hexdigest()}  {filename}")
+
+
+if __name__ == "__main__":
+    sign(sys.argv[1])
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -27,12 +27,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: ["python-2_7", "alpine-pypy-builder", "alpine-pypy-builder-bootstrap", "alpine-pypy-2_7", "alpine-pypy-3_9", "alpine-pypy-3_10"]
+        target: ["alpine-pypy-builder", "alpine-pypy-builder-bootstrap", "alpine-pypy-2_7", "alpine-pypy-3_9", "alpine-pypy-3_10"] # "python-2_7"
         runner: ["ubuntu-latest", "self-hosted"]
         # Don't know a better way to only run python-2_7 on self-hosted
         exclude:
-          - target: "python-2_7"
-            runner: "ubuntu-latest"
+          # - target: "python-2_7"
+          #   runner: "ubuntu-latest"
           - target: "alpine-pypy-builder"
             runner: "self-hosted"
           - target: "alpine-pypy-builder-bootstrap"

diff --git a/.github/workflows/build-pypy.yml b/.github/workflows/build-pypy.yml
@@ -15,7 +15,7 @@ permissions:
 
 
 env:
-  ALPINE_VERSION: 3.18
+  ALPINE_VERSION: 3.19
   BUILDER_IMAGE_TAG: ghcr.io/cyb3r-jak3/alpine-pypy-builder-workflow
 
 concurrency:
@@ -28,23 +28,23 @@ jobs:
     name: Prep Docker Container
     steps:
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Login To GitHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5.1.0
         with:
           context: "builder/"
           tags: ${{ env.BUILDER_IMAGE_TAG }}:${{ env.ALPINE_VERSION }}-${{ github.sha }}
@@ -63,7 +63,7 @@ jobs:
       fail-fast: true
       matrix:
         PYPY_BASE: ["2.7", "3.9", "3.10"]
-        PYPY_VERSION: ["7.3.13"]
+        PYPY_VERSION: ["7.3.14"]
         RUNNER: ["self-hosted", "ubuntu-latest"]
 
     steps:
@@ -130,13 +130,14 @@ jobs:
       - name: Prep files
         if: steps.file-check.outputs.STATUS == 404
         run: |
+          wget --quiet -O sign.py https://raw.githubusercontent.com/Cyb3r-Jak3/docker-alpine-pypy/${{ github.sha }}/.github/sign.py
           mkdir output
           mv ./tmp/usession-release-pypy${{ matrix.PYPY_BASE }}-v${{ matrix.PYPY_VERSION }}-*/build/**.tar.bz2 ./output/pypy${{ matrix.PYPY_BASE }}-v${{ matrix.PYPY_VERSION }}-linux-${{ env.PYPY_ARCH }}-alpine.tar.bz2
-          gpg --quiet --batch --yes --detach-sig ./output/pypy${{ matrix.PYPY_BASE }}-v${{ matrix.PYPY_VERSION }}-linux-${{ env.ARCH }}-alpine.tar.bz2
-          sha256sum ./output/pypy${{ matrix.PYPY_BASE }}-v${{ matrix.PYPY_VERSION }}-linux-${{ env.PYPY_ARCH }}-alpine.tar.bz2 > ./output/pypy${{ matrix.PYPY_BASE }}-v${{ matrix.PYPY_VERSION }}-linux-${{ env.PYPY_ARCH }}-alpine.tar.bz2.sha256sum
+          find ./output/ -type f -exec python3 sign.py {} \;
           
       - name: Upload PyPy to Artifacts
         if: steps.file-check.outputs.STATUS == 404
+        # Leave with v3 so we can use the same name for the artifact
         uses: actions/upload-artifact@v3
         with:
           name: pypy-${{ env.ARCH }} 

diff --git a/.github/workflows/generate-release.yml b/.github/workflows/generate-release.yml
@@ -7,7 +7,7 @@ on:
           description: 'Comma seperated base version: 2.7,3.9,3.10'
           required: true
       pypy_version:
-          description: 'PyPy version to build: 7.3.13'
+          description: 'PyPy version to download: 7.3.13'
           required: true
 
 jobs:
@@ -19,7 +19,7 @@ jobs:
       TAG: "${{ github.event.inputs.pypy_version }}-${{ github.event.inputs.pypy_base }}"
     steps:
         - name: Checkout code
-          uses: actions/checkout@v2
+          uses: actions/checkout@v4
         - name: Release Info
           run: |
               echo "::notice title=PYPY_BASE::${{ github.event.inputs.pypy_base }}"
@@ -35,9 +35,11 @@ jobs:
           run: |
             ls -la *.tar.bz2*
             sha256sum *.tar.bz2 > checksums.sha256
+            gpg --no-tty --keyserver hkps://keys.openpgp.org --auto-key-locate keyserver --locate-keys [email protected]
+            find . -iname "*.tar.bz2" -type f -exec  bash -c "echo verifying {}; gpg --verify {}.sig {} " \;
 
         - name: Create tag
-          uses: actions/github-script@v6.4.1
+          uses: actions/github-script@v7.0.1
           with:
             script: |
               github.rest.git.createRef({
@@ -50,7 +52,7 @@ jobs:
         - name: Release
           uses: crazy-max/ghaction-github-release@v2
           with:
-            draft: trues
+            draft: true
             tag_name: ${{ env.TAG }}
             files: |
               *.tar.bz2

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -7,11 +7,11 @@ target "docker-metadata-action" {
 }
 
 variable "PYPY_VERSION" {
-    default = "7.3.13"
+    default = "7.3.14"
 }
 
 variable "ALPINE_VERSION" {
-    default = "3.18"
+    default = "3.19"
 }
 
 target "alpine-pypy-2_7" {