git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
5349cbbd05861a9a7ec40c18b8026c3053dc0011
linux_patch_api/.github/workflows/ci.yml
Draco Lunaris 5349cbbd05 fix: add workspace cleanup step to all self-hosted build jobs (#9) 
Previous build runs leave root-owned artifacts in releases/ directory
which causes actions/checkout@v4 to fail with EACCES on subsequent runs.

- Added sudo rm -rf releases/ before checkout in all 6 self-hosted jobs
- Alpine build unaffected (runs in Docker container, clean each run)

Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-05-31 17:07:14 -05:00

283 lines
10 KiB
YAML
Raw Blame History

name: CI
on:
push:
branches: [master]
tags: ['v*.*.*']
pull_request:
branches: [master]
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
permissions:
contents: write
jobs:
# ── Quality Gates (GitHub-hosted, all triggers) ──────────────────────────
fmt:
name: Rust Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- uses: Swatinem/rust-cache@v2
- run: cargo fmt --all -- --check
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- uses: Swatinem/rust-cache@v2
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- run: cargo clippy --all-targets --all-features -- -D warnings
test:
name: Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- run: cargo test --all-features
audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- run: cargo install cargo-audit && cargo audit --ignore RUSTSEC-2025-0134
enrollment-tests:
name: Enrollment Tests
needs: [fmt, clippy]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- run: cargo test --test enroll_identity
- run: cargo test --test enrollment_test
- run: cargo test --test enrollment_e2e
# ── Release Preparation (tag push only) ───────────────────────────────────
prepare-release:
name: Prepare Release
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate release notes
id: release_notes
run: |
PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
if [ -n "$PREV_TAG" ]; then
NOTES=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
else
NOTES=$(git log --pretty=format:"- %s (%h)" --no-merges)
fi
echo "notes<<EOF" >> $GITHUB_OUTPUT
echo "$NOTES" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
body: ${{ steps.release_notes.outputs.notes }}
# ── Build Jobs (tag push only, self-hosted runners) ───────────────────────
build-deb-u2404:
name: Build .deb (Ubuntu 24.04)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, ubuntu-24.04]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build .deb package
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
- name: Rename package with distro suffix
run: |
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
if [ -n "$FILE" ]; then
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_u2404_amd64/')"
fi
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: linux-patch-api_*_u2404_amd64.deb
build-deb-u2204:
name: Build .deb (Ubuntu 22.04)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, ubuntu-22.04]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build .deb package
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
- name: Rename package with distro suffix
run: |
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
if [ -n "$FILE" ]; then
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_u2204_amd64/')"
fi
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: linux-patch-api_*_u2204_amd64.deb
build-deb-debian13:
name: Build .deb (Debian 13)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, debian-13]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build .deb package
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
- name: Rename package with distro suffix
run: |
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
if [ -n "$FILE" ]; then
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_debian13_amd64/')"
fi
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: linux-patch-api_*_debian13_amd64.deb
build-rpm-fedora:
name: Build .rpm (Fedora)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, fedora]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo dnf install -y systemd-devel openssl-devel pkg-config gcc make
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build release binary
run: cargo build --release
- name: Build RPM package
run: chmod +x build-rpm.sh && SKIP_CARGO_BUILD=1 sudo -E ./build-rpm.sh
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: releases/linux-patch-api-*.rpm
build-rpm-almalinux:
name: Build .rpm (AlmaLinux 10)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, almalinux-10]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo dnf install -y systemd-devel openssl-devel pkg-config gcc make
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build release binary
run: cargo build --release
- name: Build RPM package
run: chmod +x build-rpm.sh && SKIP_CARGO_BUILD=1 sudo -E ./build-rpm.sh
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: releases/linux-patch-api-*.rpm
build-arch:
name: Build .pkg.tar.zst (Arch Linux)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: [self-hosted, linux, arch]
steps:
- name: Clean previous build artifacts from root
run: sudo rm -rf releases/ || true
- uses: actions/checkout@v4
- name: Install system dependencies
run: sudo pacman -Syu --noconfirm systemd openssl pkg-config gcc
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Build release binary
run: cargo build --release
- name: Build Arch package
run: chmod +x build-arch.sh && SKIP_CARGO_BUILD=1 ./build-arch.sh
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: releases/*.pkg.tar.zst
build-alpine:
name: Build .apk (Alpine)
if: startsWith(github.ref, 'refs/tags/v')
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
runs-on: ubuntu-latest
container:
image: alpine:latest
env:
HOME: /root
steps:
- name: Install prerequisites for actions/checkout
run: apk add --no-cache bash git curl tar
- uses: actions/checkout@v4
- name: Install Alpine build dependencies
run: apk add --no-cache gcc musl-dev openssl-dev openssl elogind-dev alpine-sdk abuild
- name: Install Rust via rustup
run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
- name: Add Rust to PATH
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Add musl target
run: rustup target add x86_64-unknown-linux-musl
- name: Build release binary (musl target)
run: cargo build --release --target x86_64-unknown-linux-musl
- name: Build Alpine package
run: |
chmod +x build-alpine.sh
SKIP_CARGO_BUILD=1 ./build-alpine.sh
- name: Upload to GitHub Release
uses: softprops/action-gh-release@v2
with:
files: releases/linux-patch-api-*.apk
View Git Blame Copy Permalink