Revert "run test workflow for push" #159
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: deb | |
on: | |
push: | |
branches: | |
- master | |
- fix-cryptography | |
jobs: | |
build: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v2 | |
- name: Extract branch name | |
id: extract_branch | |
shell: bash | |
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
- name: Get short sha | |
id: shortsha | |
run: echo "sha=$(echo $GITHUB_SHA | tail -c 7)" >> $GITHUB_OUTPUT | |
- name: Generate release tag | |
id: tag | |
run: echo "tag=$(date -u '+%y%m%d%H%M')-${{steps.extract_branch.outputs.branch}}-${{steps.shortsha.outputs.sha}}" >> $GITHUB_OUTPUT | |
- name: Build deb | |
uses: uraimo/[email protected] | |
with: | |
arch: armv6 | |
distro: bullseye # Equivalent to Raspbian 8 | |
githubToken: ${{ github.token }} | |
# Create an artifacts directory | |
setup: | | |
mkdir -p "${PWD}/artifacts" | |
# Mount the artifacts directory as /artifacts in the container | |
dockerRunArgs: | | |
--volume "${PWD}/artifacts:/artifacts" | |
install: | | |
set -x | |
apt-get update -q -y | |
# Install Python, fpm deps (ruby) and the kitchen sink required to build everything... | |
apt-get install -q -y git python3 python3-venv python3-dev python3-pip build-essential libffi-dev libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev libgdbm-dev libc6-dev libbz2-dev squashfs-tools ruby-full jq libpq-dev postgresql postgresql-contrib systemd | |
# these dependencies are installed for compiling cryptography | |
apt-get install -q -y curl libssl-dev pkg-config | |
# install rustc using rustup script | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y | |
source "$HOME/.cargo/env" | |
# Install FPM | |
gem install fpm | |
# Install Poetry (requires 1.2.0+) | |
# curl -sSL https://install.python-poetry.org | POETRY_VERSION=1.5.0 python3 - --yes || true | |
# export PATH=$PATH:/root/.local/bin | |
# poetry requires cryptography, but the latest version wants to be compiled by Rust, and this environment doesn't like Rust. | |
# the same logic applies to the cryptography installation in the run section. | |
# using pip to install poetry, instead of shell script in Adam's work | |
pip install poetry==1.5.1 wheel==0.36.0 --no-color --progress-bar off | |
run: | | |
set -x | |
# Add Poetry to $PATH | |
export PATH=$PATH:/root/.local/bin | |
# We want to write to _actual_ /opt as some installation processes | |
# are creating hard coded shebangs pointing to the venv location. | |
mkdir -p /opt | |
# Create virtualenv | |
python3 -m venv /opt/hackman | |
. /opt/hackman/bin/activate | |
pip install wheel==0.36.0 | |
source "$HOME/.cargo/env" | |
# workaround for poetry installation stalling. what's happening here: use pip to install the packages specified in poetry. | |
# source: https://github.com/python-poetry/poetry/issues/7148#issuecomment-1398322105 | |
# 2 things are happening here that makes poetry stall. | |
# the first is poetry wants to compile cryptography and gevent from source, which stalls | |
# the second is if pip install from requirements.txt, cryptography and gevent stall as well. To get around this is to install both of them specifically using pip. | |
poetry export -f requirements.txt --output requirements.txt | |
pip install --use-pep517 --no-color --progress-bar off hidapi==0.14.0 # hidapi does not like to be installed with others | |
pip install -r requirements.txt --use-pep517 --no-color --progress-bar off | |
# Install dependencies | |
poetry install --no-interaction --no-root --only main | |
# ^^^ this should practically do nothing, becasue the work is already done by pip. ^^^ | |
# Install self into env | |
poetry build -f wheel -n | |
pip install --no-color --no-deps dist/*.whl | |
rm -rf dist *.egg-info | |
# Generate Django static files | |
env DJANGO_SETTINGS_MODULE=hackman.settings_prod hackman-manage collectstatic | |
# Create a temporary rootfs directory | |
mkdir -p rootfs/opt | |
mv /opt/hackman rootfs/opt/hackman | |
# Create symlinks to all binaries starting with hackman* or dsl* in /usr/bin | |
mkdir -p rootfs/usr/bin | |
for bin in rootfs/opt/hackman/bin/dsl* rootfs/opt/hackman/bin/hackman*; do | |
ln -s /opt/hackman/bin/$(basename $bin) rootfs/usr/bin/$(basename $bin) | |
done | |
# Copy systemd units | |
mkdir -p rootfs/lib/systemd | |
cp -rv systemd rootfs/lib/systemd/system | |
# Copy udev units | |
mkdir -p rootfs/lib/udev | |
cp -rv udev rootfs/lib/udev/rules.d | |
# Copy nginx configuration | |
cp -rv nginx rootfs/opt/hackman/nginx | |
# Create a postinstall script that enables all the shipped units | |
# and symlinks our nginx configuration in place of the default one. | |
# We also set up the database user in this block | |
echo "#/bin/sh" > postinstall.sh | |
echo "#/bin/sh" > preremove.sh | |
echo "set -x" >> postinstall.sh | |
echo "set -x" >> preremove.sh | |
for f in ./systemd/*; do | |
echo "systemctl enable $(basename $f)" >> postinstall.sh | |
echo "systemctl stop $(basename $f)" >> preremove.sh | |
echo "systemctl disable $(basename $f)" >> preremove.sh | |
done | |
for f in ./udev/*; do | |
echo "rm -f /etc/udev/rules.d/$(basename $f)" >> postinstall.sh | |
echo "ln -s /lib/udev/rules.d/$(basename $f) /etc/udev/rules.d/" >> postinstall.sh | |
echo "rm -f /etc/udev/rules.d/$(basename $f)" >> preremove.sh | |
done | |
echo "ln -sf /opt/hackman/nginx/default /etc/nginx/sites-enabled/default" >> postinstall.sh | |
echo "rm /etc/nginx/sites-enabled/default" >> preremove.sh | |
# Ugly auto-generated escape sequences galore! \o/ | |
echo 'echo '"'"'CREATE DATABASE hackman;'"'"' | sudo -u postgres psql' >> postinstall.sh | |
echo 'echo '"'"'CREATE USER hackman WITH PASSWORD '"'"'"'"'"'"'"'"'hackman'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh | |
echo 'echo '"'"'ALTER ROLE hackman SET client_encoding TO '"'"'"'"'"'"'"'"'utf8'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh | |
echo 'echo '"'"'ALTER ROLE hackman SET default_transaction_isolation TO '"'"'"'"'"'"'"'"'read committed'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh | |
echo 'echo '"'"'ALTER ROLE hackman SET timezone TO '"'"'"'"'"'"'"'"'UTC'"'"'"'"'"'"'"'"';'"'"' | sudo -u postgres psql' >> postinstall.sh | |
echo 'echo '"'"'GRANT ALL PRIVILEGES ON DATABASE hackman TO hackman;'"'"' | sudo -u postgres psql' >> postinstall.sh | |
# Reload main systemd units | |
echo "systemctl start hackman" >> postinstall.sh | |
echo "systemctl restart multi-user.target" >> postinstall.sh | |
echo "systemctl restart timers.target" >> postinstall.sh | |
echo "systemctl restart sockets.target" >> postinstall.sh | |
echo "systemctl reload nginx" >> postinstall.sh | |
echo "systemctl reload nginx" >> preremove.sh | |
# Reload udev rules | |
echo 'udevadm control --reload-rules && udevadm trigger' >> postinstall.sh | |
echo 'udevadm control --reload-rules && udevadm trigger' >> preremove.sh | |
chmod +x postinstall.sh | |
chmod +x preremove.sh | |
# Build deb | |
version=$(grep '^version' pyproject.toml | cut -d = -f 2 | jq -r) | |
fpm \ | |
-s dir \ | |
-t deb \ | |
-C rootfs \ | |
--name hackman \ | |
--version $version \ | |
--iteration ${{ steps.tag.outputs.tag }} \ | |
--description "DSL Hackman" \ | |
--depends redis-server \ | |
--depends python3 \ | |
--depends nginx \ | |
--depends libffi-dev \ | |
--depends libpq-dev \ | |
--depends postgresql \ | |
--depends postgresql-contrib \ | |
--after-install ./postinstall.sh \ | |
--before-remove ./preremove.sh \ | |
. | |
mv *.deb /artifacts/ | |
- name: Upload binaries to release | |
id: upload_deb | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: ./artifacts/* | |
file_glob: true | |
tag: ${{ steps.tag.outputs.tag }} | |
overwrite: true | |
- name: Print artifacts url | |
run: echo "${{ steps.upload_deb.outputs.browser_download_url }}" | |
# ^^^ end of building debian package ^^^ # | |
# vvv start of pi-gen image vvv # | |
- name: Create files for stage2a | |
run: | | |
# the name stage2a came from developing on the pi-gen repository | |
mkdir -p stage2a/01-install-hackman/ | |
cat > stage2a/01-install-hackman/00-packages <<-EOF | |
redis-server | |
nginx | |
libffi-dev | |
libpq-dev | |
postgresql | |
postgresql-contrib | |
EOF | |
cat stage2a/01-install-hackman/00-packages | |
RRRR=stage2a/01-install-hackman/01-run.sh | |
echo "#!/bin/bash -e" >> $RRRR | |
echo "on_chroot << EOF" >> $RRRR | |
echo "curl -sLO ${{ steps.upload_deb.outputs.browser_download_url }}" >> $RRRR | |
echo "dpkg -i hackman*.deb" >> $RRRR | |
echo "EOF" >> $RRRR | |
cat stage2a/01-install-hackman/01-run.sh | |
cat > stage2a/prerun.sh <<-EOF | |
#!/bin/bash -e | |
if [ ! -d "\${ROOTFS_DIR}" ]; then | |
copy_previous | |
fi | |
EOF | |
cat stage2a/prerun.sh | |
chmod +x stage2a/01-install-hackman/01-run.sh | |
chmod +x stage2a/prerun.sh | |
- name: PiGen image | |
uses: usimd/pi-gen-action@v1 | |
id: pigen | |
with: | |
# Compression to apply on final image (either "none", "zip", "xz" or "gz"). | |
compression: zip | |
# Compression level to be used. From 0 to 9 (refer to the tool man page for more | |
# information on this. Usually 0 is no compression but very fast, up to 9 with the | |
# best compression but very slow). | |
compression-level: 6 | |
# Disable the renaming of the first user during the first boot. This make it so | |
# 'username' stays activated. 'username' must be set for this to work. Please be | |
# aware of the implied security risk of defining a default username and password | |
# for your devices. | |
disable-first-boot-user-rename: 1 | |
# Additional options to include in PIGEN_DOCKER_OPTS | |
docker-opts: '' | |
# Set whether a NOOBS image should be built as well. If enabled, the output | |
# directory containing the NOOBS files will be saved as output variable | |
# 'image-noobs-path'. | |
enable-noobs: false | |
# Enable SSH access to Pi. | |
enable-ssh: 1 | |
# If this feature is enabled, the action will configure pi-gen to not export any | |
# stage as image but the last one defined in property 'stage-list'. This is | |
# helpful when building a single image flavor (in contrast to building a | |
# lite/server and full-blown desktop image), since it speeds up the build process | |
# significantly. | |
export-last-stage-only: true | |
# Comma or whitespace separated list of additional packages to install on host | |
# before running pi-gen. Use this list to add any packages your custom stages may | |
# require. Note that this is not affecting the final image. In order to add | |
# additional packages, you need to add a respective 'XX-packages' file in your | |
# custom stage. | |
extra-host-dependencies: '' | |
# Comma or whitespace separated list of additional modules to load on host before | |
# running pi-gen. If your custom stage requires additional software or kernel | |
# modules to be loaded, add them here. Note that this is not meant to configure | |
# modules to be loaded in the target image. | |
extra-host-modules: '' | |
# Token to use for checking out pi-gen repo. | |
github-token: ${{ github.token }} | |
# Host name of the image. | |
hostname: door | |
# Final image name. | |
image-name: "door-${{steps.tag.outputs.tag}}" | |
# Default keyboard keymap. | |
keyboard-keymap: us | |
# Default keyboard layout. | |
keyboard-layout: English (US) | |
# Default locale of the system image. | |
locale: en_US.UTF-8 | |
# Password of the intial user account, locked if empty. | |
password: 'door' # fixme | |
# Path where selected pi-gen ref will be checked out to. If the path does not yet | |
# exist, it will be created (including its parents). | |
pi-gen-dir: pi-gen | |
# GitHub repository to fetch pi-gen from, must be a fork from RPi-Distro/pi-gen. | |
pi-gen-repository: RPi-Distro/pi-gen | |
# Release version of pi-gen to use. This can both be a branch or tag name known in | |
# the pi-gen repository. | |
pi-gen-version: 2023-05-03-raspios-bullseye | |
# The release version to build images against. Valid values are jessie, stretch, | |
# buster, bullseye, and testing. | |
release: bullseye | |
# Setting to `1` will prevent pi-gen from dropping the "capabilities" feature. | |
# Generating the root filesystem with capabilities enabled and running it from a | |
# filesystem that does not support capabilities (like NFS) can cause issues. Only | |
# enable this if you understand what it is. | |
setfcap: '' | |
# List of stage name to execute in given order. Relative and absolute paths to | |
# custom stage directories are allowed here. Note that by default pi-gen exports | |
# images in stage2 (lite), stage4 and stage5. You probably want to hook in custom | |
# stages before one of the exported stages. Otherwise, the action will make sure | |
# any custom stage will include an image export directive. | |
stage-list: stage0 stage1 stage2 ./stage2a | |
# System timezone. | |
timezone: Asia/Hong_Kong | |
# Use qcow2 images to reduce space and runtime requirements. | |
use-qcow2: 1 | |
# Name of the initial user account. | |
username: pi | |
# Print all output from pi-gen. | |
verbose-output: true | |
# Wifi country code of default network to connect to. | |
wpa-country: '' | |
# SSID of a default wifi network to connect to. | |
wpa-essid: '' | |
# Password of default wifi network to connect to. | |
wpa-password: '' | |
- name: Upload pi-gen image to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: ${{ steps.pigen.outputs.image-path }} | |
file_glob: true | |
tag: ${{ steps.tag.outputs.tag }} | |
overwrite: true |