Bump jinja2 from 3.1.3 to 3.1.4 #152

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

	name: deb

	on:
	push:
	branches:
	- master
	- fix-cryptography

	jobs:
	build:
	runs-on: ubuntu-22.04
	steps:
	- name: Check out repository
	uses: actions/checkout@v2

	- name: Extract branch name
	id: extract_branch
	shell: bash
	run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT

	- name: Generate release tag
	id: tag
	run: echo "tag=$(date -u '+%y%m%d%H%M')-${{steps.extract_branch.outputs.branch}}" >> $GITHUB_OUTPUT

	- uses: uraimo/[email protected]
	name: Build deb
	with:
	arch: armv6
	distro: bullseye # Equivalent to Raspbian 8
	githubToken: ${{ github.token }}

	# Create an artifacts directory
	setup: \|
	mkdir -p "${PWD}/artifacts"

	# Mount the artifacts directory as /artifacts in the container
	dockerRunArgs: \|
	--volume "${PWD}/artifacts:/artifacts"

	install: \|
	set -x

	apt-get update -q -y

	# Install Python, fpm deps (ruby) and the kitchen sink required to build everything...
	apt-get install -q -y git python3 python3-venv python3-dev python3-pip build-essential libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev libgdbm-dev libc6-dev libbz2-dev squashfs-tools ruby-full jq libpq-dev postgresql postgresql-contrib

	# these dependencies are installed for compiling cryptography
	apt-get install -q -y curl libssl-dev pkg-config

	# install rustc using rustup script
	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| bash -s -- -y
	source "$HOME/.cargo/env"

	# Install FPM
	gem install fpm

	# Install Poetry (requires 1.2.0+)
	# curl -sSL https://install.python-poetry.org \| POETRY_VERSION=1.5.0 python3 - --yes \|\| true
	# export PATH=$PATH:/root/.local/bin

	# poetry requires cryptography, but the latest version wants to be compiled by Rust, and this environment doesn't like Rust.
	# the same logic applies to the cryptography installation in the run section.
	# using pip to install poetry, instead of shell script in Adam's work
	pip install poetry==1.5.1

	run: \|
	set -x

	# Add Poetry to $PATH
	export PATH=$PATH:/root/.local/bin

	# We want to write to _actual_ /opt as some installation processes
	# are creating hard coded shebangs pointing to the venv location.
	mkdir -p /opt

	# Create virtualenv
	python3 -m venv /opt/hackman
	. /opt/hackman/bin/activate

	source "$HOME/.cargo/env"

	# workaround for poetry installation stalling. what's happening here: use pip to install the packages specified in poetry.
	# source: https://github.com/python-poetry/poetry/issues/7148#issuecomment-1398322105
	# 2 things are happening here that makes poetry stall.
	# the first is poetry wants to compile cryptography and gevent from source, which stalls
	# the second is if pip install from requirements.txt, cryptography and gevent stall as well. To get around this is to install both of them specifically using pip.
	poetry export -f requirements.txt --output requirements.txt
	pip install -r requirements.txt

	# Install dependencies
	poetry install --no-interaction --no-root --only main
	# ^^^ this should practically do nothing, becasue the work is already done by pip. ^^^

	# Install self into env
	poetry build -f wheel -n
	pip install --no-deps dist/*.whl
	rm -rf dist *.egg-info

	# Generate Django static files
	env DJANGO_SETTINGS_MODULE=hackman.settings_prod hackman-manage collectstatic

	# Create a temporary rootfs directory
	mkdir -p rootfs/opt
	mv /opt/hackman rootfs/opt/hackman

	# Create symlinks to all binaries starting with hackman* or dsl* in /usr/bin
	mkdir -p rootfs/usr/bin
	for bin in rootfs/opt/hackman/bin/dsl* rootfs/opt/hackman/bin/hackman*; do
	ln -s /opt/hackman/bin/$(basename $bin) rootfs/usr/bin/$(basename $bin)
	done

	# Copy systemd units
	mkdir -p rootfs/lib/systemd
	cp -rv systemd rootfs/lib/systemd/system

	# Copy nginx configuration
	cp -rv nginx rootfs/opt/hackman/nginx

	# Create a postinstall script that enables all the shipped units
	# and symlinks our nginx configuration in place of the default one.
	# We also set up the database user in this block
	echo "#/bin/sh" > postinstall.sh
	for f in ./systemd/*; do
	echo "systemctl enable $(basename $f)" >> postinstall.sh
	done
	echo "ln -sf /opt/hackman/nginx/default /etc/nginx/sites-enabled/default" >> postinstall.sh

	# Ugly auto-generated escape sequences galore! \o/
	echo 'echo '"'"'CREATE DATABASE hackman;'"'"' \| sudo -u postgres psql' >> postinstall.sh
	echo 'echo '"'"'CREATE USER hackman WITH PASSWORD '"'"'"'"'"'"'"'"'hackman'"'"'"'"'"'"'"'"';'"'"' \| sudo -u postgres psql' >> postinstall.sh
	echo 'echo '"'"'ALTER ROLE hackman SET client_encoding TO '"'"'"'"'"'"'"'"'utf8'"'"'"'"'"'"'"'"';'"'"' \| sudo -u postgres psql' >> postinstall.sh
	echo 'echo '"'"'ALTER ROLE hackman SET default_transaction_isolation TO '"'"'"'"'"'"'"'"'read committed'"'"'"'"'"'"'"'"';'"'"' \| sudo -u postgres psql' >> postinstall.sh
	echo 'echo '"'"'ALTER ROLE hackman SET timezone TO '"'"'"'"'"'"'"'"'UTC'"'"'"'"'"'"'"'"';'"'"' \| sudo -u postgres psql' >> postinstall.sh
	echo 'echo '"'"'GRANT ALL PRIVILEGES ON DATABASE hackman TO hackman;'"'"' \| sudo -u postgres psql' >> postinstall.sh

	# Reload main systemd units
	echo "systemctl start hackman" >> postinstall.sh
	echo "systemctl reload nginx" >> postinstall.sh

	chmod +x postinstall.sh

	# Build deb
	version=$(grep '^version' pyproject.toml \| cut -d = -f 2 \| jq -r)
	fpm \
	-s dir \
	-t deb \
	-C rootfs \
	--name hackman \
	--version $version \
	--iteration ${{ steps.tag.outputs.tag }} \
	--description "DSL Hackman" \
	--depends redis-server \
	--depends python3 \
	--depends nginx \
	--depends libffi-dev \
	--depends libpq-dev \
	--depends postgresql \
	--depends postgresql-contrib \
	--after-install ./postinstall.sh \
	.

	mv *.deb /artifacts/

	- name: Upload binaries to release
	id: upload_deb
	uses: svenstaro/upload-release-action@v2
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: ./artifacts/*
	file_glob: true
	tag: ${{ steps.tag.outputs.tag }}
	overwrite: true

	- name: Print artifacts url
	run: echo "${{ steps.upload_deb.outputs.browser_download_url }}"
	# ^^^ end of building debian package ^^^ #

	# vvv start of pi-gen image vvv #
	- name: Create files for stage2a
	run: \|
	# the name stage2a came from developing on the pi-gen repository

	mkdir -p stage2a/01-install-hackman/

	cat > stage2a/01-install-hackman/00-packages <<-EOF
	redis-server
	nginx
	libffi-dev
	libpq-dev
	postgresql
	postgresql-contrib
	EOF

	cat stage2a/01-install-hackman/00-packages

	RRRR=stage2a/01-install-hackman/01-run.sh
	echo "#!/bin/bash -e" >> $RRRR
	echo "on_chroot << EOF" >> $RRRR
	echo "curl -sLO ${{ steps.upload_deb.outputs.browser_download_url }}" >> $RRRR
	echo "dpkg -i hackman*.deb" >> $RRRR
	echo "EOF" >> $RRRR

	cat stage2a/01-install-hackman/01-run.sh

	cat > stage2a/prerun.sh <<-EOF
	#!/bin/bash -e
	if [ ! -d "\${ROOTFS_DIR}" ]; then
	copy_previous
	fi
	EOF

	cat stage2a/prerun.sh

	chmod +x stage2a/01-install-hackman/01-run.sh
	chmod +x stage2a/prerun.sh

	- name: PiGen image
	uses: usimd/pi-gen-action@v1
	id: pigen
	with:
	# Compression to apply on final image (either "none", "zip", "xz" or "gz").
	compression: zip

	# Compression level to be used. From 0 to 9 (refer to the tool man page for more
	# information on this. Usually 0 is no compression but very fast, up to 9 with the
	# best compression but very slow).
	compression-level: 6

	# Disable the renaming of the first user during the first boot. This make it so
	# 'username' stays activated. 'username' must be set for this to work. Please be
	# aware of the implied security risk of defining a default username and password
	# for your devices.
	disable-first-boot-user-rename: 1

	# Additional options to include in PIGEN_DOCKER_OPTS
	docker-opts: ''

	# Set whether a NOOBS image should be built as well. If enabled, the output
	# directory containing the NOOBS files will be saved as output variable
	# 'image-noobs-path'.
	enable-noobs: false

	# Enable SSH access to Pi.
	enable-ssh: 1

	# If this feature is enabled, the action will configure pi-gen to not export any
	# stage as image but the last one defined in property 'stage-list'. This is
	# helpful when building a single image flavor (in contrast to building a
	# lite/server and full-blown desktop image), since it speeds up the build process
	# significantly.
	export-last-stage-only: true

	# Comma or whitespace separated list of additional packages to install on host
	# before running pi-gen. Use this list to add any packages your custom stages may
	# require. Note that this is not affecting the final image. In order to add
	# additional packages, you need to add a respective 'XX-packages' file in your
	# custom stage.
	extra-host-dependencies: ''

	# Comma or whitespace separated list of additional modules to load on host before
	# running pi-gen. If your custom stage requires additional software or kernel
	# modules to be loaded, add them here. Note that this is not meant to configure
	# modules to be loaded in the target image.
	extra-host-modules: ''

	# Token to use for checking out pi-gen repo.
	github-token: ${{ github.token }}

	# Host name of the image.
	hostname: door

	# Final image name.
	image-name: "door-${{steps.tag.outputs.tag}}"

	# Default keyboard keymap.
	keyboard-keymap: us

	# Default keyboard layout.
	keyboard-layout: English (US)

	# Default locale of the system image.
	locale: en_US.UTF-8

	# Password of the intial user account, locked if empty.
	password: 'door' # fixme

	# Path where selected pi-gen ref will be checked out to. If the path does not yet
	# exist, it will be created (including its parents).
	pi-gen-dir: pi-gen

	# GitHub repository to fetch pi-gen from, must be a fork from RPi-Distro/pi-gen.
	pi-gen-repository: RPi-Distro/pi-gen

	# Release version of pi-gen to use. This can both be a branch or tag name known in
	# the pi-gen repository.
	pi-gen-version: 2023-05-03-raspios-bullseye

	# The release version to build images against. Valid values are jessie, stretch,
	# buster, bullseye, and testing.
	release: bullseye

	# Setting to `1` will prevent pi-gen from dropping the "capabilities" feature.
	# Generating the root filesystem with capabilities enabled and running it from a
	# filesystem that does not support capabilities (like NFS) can cause issues. Only
	# enable this if you understand what it is.
	setfcap: ''

	# List of stage name to execute in given order. Relative and absolute paths to
	# custom stage directories are allowed here. Note that by default pi-gen exports
	# images in stage2 (lite), stage4 and stage5. You probably want to hook in custom
	# stages before one of the exported stages. Otherwise, the action will make sure
	# any custom stage will include an image export directive.
	stage-list: stage0 stage1 stage2 ./stage2a

	# System timezone.
	timezone: Asia/Hong_Kong

	# Use qcow2 images to reduce space and runtime requirements.
	use-qcow2: 1

	# Name of the initial user account.
	username: pi

	# Print all output from pi-gen.
	verbose-output: true

	# Wifi country code of default network to connect to.
	wpa-country: ''

	# SSID of a default wifi network to connect to.
	wpa-essid: ''

	# Password of default wifi network to connect to.
	wpa-password: ''

	- name: Upload pi-gen image to release
	uses: svenstaro/upload-release-action@v2
	with:
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	file: ${{ steps.pigen.outputs.image-path }}
	file_glob: true
	tag: ${{ steps.tag.outputs.tag }}
	overwrite: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump jinja2 from 3.1.3 to 3.1.4 #152

Workflow file

Bump jinja2 from 3.1.3 to 3.1.4 #152

Jobs

Run details

Workflow file for this run