From 769b6283e04cc99f9bf5c6a9285950a1ccf9eeeb Mon Sep 17 00:00:00 2001
From: Breadway
Date: Sat, 13 Jun 2026 16:01:50 +0800
Subject: [PATCH] Fix Forgejo workflows for the actual server capabilities
- package.yml: use correct Arch registry upload (octet-stream + binary body + PUT /api/packages/Breadway/arch/os), drop --privileged, remove actions/checkout (archlinux image has no Node) in favour of a manual shell clone, use the built-in Actions token instead of a stored secret, and --nocheck (tests belong in CI, not packaging)
- mirror.yml: clone --mirror + explicit refs/heads + refs/tags push with --prune, instead of pushing refs/remotes pollution from a checkout
- pacman.conf: correct Server URL to the Forgejo Arch registry format
Requires only the GITHUB_MIRROR_TOKEN secret (GitHub PAT, repo scope) for the mirror job; package publishing uses the automatic per-run token.
Co-Authored-By: Claude Opus 4.8
---
 .forgejo/workflows/mirror.yml | 17 ++++++------
 .forgejo/workflows/package.yml | 48 +++++++++++++++-------------------
 iso/pacman.conf | 10 ++++---
 3 files changed, 36 insertions(+), 39 deletions(-)
diff --git a/.forgejo/workflows/mirror.yml b/.forgejo/workflows/mirror.yml
index 9e7f427..a97385f 100644
--- a/.forgejo/workflows/mirror.yml
+++ b/.forgejo/workflows/mirror.yml
@@ -9,12 +9,13 @@ jobs:
 mirror:
 runs-on: [self-hosted, hestia]
 steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Push to GitHub
+ - name: Mirror to GitHub
 run: |
- git remote add github \
- "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git"
- git push github --mirror
+ set -euo pipefail
+ git clone --mirror "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" repo.git
+ cd repo.git
+ # Mirror only branches and tags (not refs/pull/*, which GitHub rejects);
+ # --prune deletes GitHub refs that no longer exist on Forgejo.
+ git push --prune \
+ "https://x-access-token:${{ secrets.GITHUB_MIRROR_TOKEN }}@github.com/Breadway/bos.git" \
+ '+refs/heads/*:refs/heads/*' '+refs/tags/*:refs/tags/*'
diff --git a/.forgejo/workflows/package.yml b/.forgejo/workflows/package.yml
index 2a339b4..de406ea 100644
--- a/.forgejo/workflows/package.yml
+++ b/.forgejo/workflows/package.yml
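Review bot: The mirror token is still inlined into the `run:` script via `${{ secrets.GITHUB_MIRROR_TOKEN }}` on the push URL, so the secret is substituted into the rendered shell text before it ever reaches git, whereas the package.yml step in this same commit already passes its token through `env:`; doing the same here — `env:` with `MIRROR_TOKEN: ${{ secrets.GITHUB_MIRROR_TOKEN }}` on the step and `"https://x-access-token:${MIRROR_TOKEN}@github.com/Breadway/bos.git" \` in the push — keeps the two workflows consistent, and if the token's presence in git's argument list also matters, a credential helper reading `$MIRROR_TOKEN` avoids that too. The leading `+` on both refspecs together with `--prune` makes every run a forced, deleting sync of the GitHub side, which is the intent the comment states, but it also means any divergence on GitHub is overwritten silently; dropping the `+` would make a non-fast-forward push fail loudly instead, if that is preferred. The `git clone --mirror` of `${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git` carries no credentials, so this step works only while the Forgejo repository is readable anonymously.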
@@ -9,38 +9,32 @@ jobs:
 runs-on: [self-hosted, hestia]
 container:
 image: archlinux:latest
- options: --privileged
-
 steps:
- - uses: actions/checkout@v4
-
- - name: Set version
- run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
-
- - name: Install build dependencies
- run: pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
-
- - name: Create builder user
- run: useradd -m builder
-
- - name: Prepare source
+ # Note: no actions/checkout — the archlinux image has no Node, which JS
+ # actions require. Everything runs as shell steps and clones manually.
+ - name: Build and publish
+ env:
+ PUBLISH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- git archive --format=tar.gz \
- --prefix=bos-settings-${VERSION}/ \
- HEAD > packaging/arch/bos-settings-${VERSION}.tar.gz
+ set -euo pipefail
+ VERSION="${GITHUB_REF_NAME#v}"
+ pacman -Syu --noconfirm base-devel git rust cargo gtk4 glib2
+ useradd -m builder
+ git config --global --add safe.directory '*'
+ git clone --branch "${GITHUB_REF_NAME}" --depth 1 \
+ "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" /home/builder/src
+ cd /home/builder/src
+ git archive --format=tar.gz --prefix="bos-settings-${VERSION}/" HEAD \
+ > packaging/arch/bos-settings-${VERSION}.tar.gz
 SHA=$(sha256sum packaging/arch/bos-settings-${VERSION}.tar.gz | awk '{print $1}')
 sed -i "s/^pkgver=.*/pkgver=${VERSION}/" packaging/arch/PKGBUILD
 sed -i "s/^sha256sums=.*/sha256sums=('${SHA}')/" packaging/arch/PKGBUILD
- cp -r . /home/builder/src
 chown -R builder:builder /home/builder/src
-
- - name: Build package
- run: su builder -c "cd /home/builder/src/packaging/arch && makepkg -sf --noconfirm"
-
- - name: Publish to Forgejo registry
- run: |
+ # --nocheck: packaging builds the artifact; tests belong in a CI job.
+ su builder -c "cd /home/builder/src/packaging/arch && makepkg -f --noconfirm --nocheck"
 PKG=$(find /home/builder/src/packaging/arch -name '*.pkg.tar.zst' | head -1)
 curl -fsS -X PUT \
- -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \
- --upload-file "${PKG}" \
- "https://git.breadway.dev/api/packages/breadway/arch/push?distrib=breadway"
+ -H "Authorization: token ${PUBLISH_TOKEN}" \
+ -H "Content-Type: application/octet-stream" \
+ --data-binary "@${PKG}" \
+ "https://git.breadway.dev/api/packages/Breadway/arch/os"
diff --git a/iso/pacman.conf b/iso/pacman.conf
index 701e900..8ec5fd6 100644
--- a/iso/pacman.conf
+++ b/iso/pacman.conf
@@ -30,10 +30,12 @@ Include = /etc/pacman.d/mirrorlist
 # bread ecosystem packages (bread, breadbar, breadbox, breadcrumbs, breadpad,
 # bos-settings).
 #
-# Packages are published here by the Forgejo Actions package.yml workflow
-# in each repo. See git.breadway.dev/api/packages/breadway/arch for the
-# package registry.
+# Packages are published to the Forgejo Arch registry (group "os") by the
+# .forgejo/workflows/package.yml workflow in each repo, on tag push.
+#
+# TODO: packages are currently unsigned (TrustAll). For production, sign
+# them in CI with a GPG key and switch to SigLevel = Required.
 # -----------------------------------------------------------------------
 [breadway]
 SigLevel = Optional TrustAll
-Server = https://git.breadway.dev/api/packages/breadway/arch/breadway/$arch
+Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch
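Review bot: `VERSION="${GITHUB_REF_NAME#v}"` is used unvalidated both as the `sed` replacement for `pkgver=` and, through it, as the pkgver makepkg builds, so a ref name containing `/`, `-` or `:` (a branch name, or a tag such as `v1.0-rc1`) either corrupts the `sed` expression or produces a pkgver makepkg will not accept; a guard directly after that line, e.g. `case "$VERSION" in ''|*[!0-9A-Za-z._+]*) echo "unsupported version: ${VERSION}" >&2; exit 1;; esac`, fails early with a clear message instead. The publish URL hard-codes `https://git.breadway.dev` while the clone a few lines above derives the host from `${GITHUB_SERVER_URL}`; `"${GITHUB_SERVER_URL}/api/packages/Breadway/arch/os"` keeps the step self-consistent. The `find … | head -1` context line can also return a `-debug` split package first if makepkg's `debug` option is active on the image, so adding `-not -name '*-debug-*'` to the `find` would make the uploaded artifact deterministic. The workflow trigger sits outside the hunk, so whether non-tag refs can reach this step is not visible here.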