Breadway/bos
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Fix Forgejo workflows for the actual server capabilities

Browse source 
- package.yml: use correct Arch registry upload (octet-stream + binary body
  + PUT /api/packages/Breadway/arch/os), drop --privileged, remove
  actions/checkout (archlinux image has no Node) in favour of a manual
  shell clone, use the built-in Actions token instead of a stored secret,
  and --nocheck (tests belong in CI, not packaging)
- mirror.yml: clone --mirror + explicit refs/heads + refs/tags push with
  --prune, instead of pushing refs/remotes pollution from a checkout
- pacman.conf: correct Server URL to the Forgejo Arch registry format

Requires only the GITHUB_MIRROR_TOKEN secret (GitHub PAT, repo scope) for
the mirror job; package publishing uses the automatic per-run token.
This commit is contained in:
Breadway 2026-06-13 16:01:50 +08:00
parent baff024016
commit 267f6df523
3 changed files with 36 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

17
.forgejo/workflows/mirror.yml
View file

@ -9,12 +9,13 @@ jobs:
mirror: mirror:
runs-on: [self-hosted, hestia] runs-on: [self-hosted, hestia]
steps: steps:
- uses: actions/checkout@v4 - name: Mirror to GitHub
with:
fetch-depth: 0
- name: Push to GitHub
run: | run: |
git remote add github \ set -euo pipefail
"https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git" git clone --mirror "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" repo.git
git push github --mirror cd repo.git
# Mirror only branches and tags (not refs/pull/*, which GitHub rejects);
# --prune deletes GitHub refs that no longer exist on Forgejo.
git push --prune \
"https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git" \
'+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'

48
.forgejo/workflows/package.yml
View file

@ -9,38 +9,32 @@ jobs:
runs-on: [self-hosted, hestia] runs-on: [self-hosted, hestia]
container: container:
image: archlinux:latest image: archlinux:latest
options: --privileged
steps: steps:
- uses: actions/checkout@v4 # Note: no actions/checkout — the archlinux image has no Node, which JS
# actions require. Everything runs as shell steps and clones manually.
- name: Set version - name: Build and publish
run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV env:
PUBLISH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install build dependencies
run: pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
- name: Create builder user
run: useradd -m builder
- name: Prepare source
run: | run: |
git archive --format=tar.gz \ set -euo pipefail
--prefix=bos-settings-${VERSION}/ \ VERSION="${GITHUB_REF_NAME#v}"
HEAD > packaging/arch/bos-settings-${VERSION}.tar.gz pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
useradd -m builder
git config --global --add safe.directory '*'
git clone --branch "${GITHUB_REF_NAME}" --depth 1 \
"${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" /home/builder/src
cd /home/builder/src
git archive --format=tar.gz --prefix="bos-settings-${VERSION}/" HEAD \
> packaging/arch/bos-settings-${VERSION}.tar.gz
SHA=$(sha256sum packaging/arch/bos-settings-${VERSION}.tar.gz | awk '{print $1}') SHA=$(sha256sum packaging/arch/bos-settings-${VERSION}.tar.gz | awk '{print $1}')
sed -i "s/^pkgver=.*/pkgver=${VERSION}/" packaging/arch/PKGBUILD sed -i "s/^pkgver=.*/pkgver=${VERSION}/" packaging/arch/PKGBUILD
sed -i "s/^sha256sums=.*/sha256sums=('${SHA}')/" packaging/arch/PKGBUILD sed -i "s/^sha256sums=.*/sha256sums=('${SHA}')/" packaging/arch/PKGBUILD
cp -r . /home/builder/src
chown -R builder:builder /home/builder/src chown -R builder:builder /home/builder/src
# --nocheck: packaging builds the artifact; tests belong in a CI job.
- name: Build package su builder -c "cd /home/builder/src/packaging/arch && makepkg -f --noconfirm --nocheck"
run: su builder -c "cd /home/builder/src/packaging/arch && makepkg -sf --noconfirm"
- name: Publish to Forgejo registry
run: |
PKG=$(find /home/builder/src/packaging/arch -name '*.pkg.tar.zst' | head -1) PKG=$(find /home/builder/src/packaging/arch -name '*.pkg.tar.zst' | head -1)
curl -fsS -X PUT \ curl -fsS -X PUT \
-H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \ -H "Authorization: token ${PUBLISH_TOKEN}" \
--upload-file "${PKG}" \ -H "Content-Type: application/octet-stream" \
"https://git.breadway.dev/api/packages/breadway/arch/push?distrib=breadway" --data-binary "@${PKG}" \
"https://git.breadway.dev/api/packages/Breadway/arch/os"

10
iso/pacman.conf
View file

@ -30,10 +30,12 @@ Include = /etc/pacman.d/mirrorlist
# bread ecosystem packages (bread, breadbar, breadbox, breadcrumbs, breadpad, # bread ecosystem packages (bread, breadbar, breadbox, breadcrumbs, breadpad,
# bos-settings). # bos-settings).
# #
# Packages are published here by the Forgejo Actions package.yml workflow # Packages are published to the Forgejo Arch registry (group "os") by the
# in each repo. See git.breadway.dev/api/packages/breadway/arch for the # .forgejo/workflows/package.yml workflow in each repo, on tag push.
# package registry. #
# TODO: packages are currently unsigned (TrustAll). For production, sign
# them in CI with a GPG key and switch to SigLevel = Required.
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
[breadway] [breadway]
SigLevel = Optional TrustAll SigLevel = Optional TrustAll
Server = https://git.breadway.dev/api/packages/breadway/arch/breadway/$arch Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch