#!/bin/bash
# Container entrypoint for the PKGBUILD action: configures pacman, creates an
# unprivileged build user, builds the package with makepkg, reports the built
# archives and optionally lints them with namcap.
# Abort on command failure, unset variables and failed pipeline stages.
set -euo pipefail
# Script basename, used as the `file=` field of the workflow annotations below.
FILE="$(basename "$0")"
# Enable the multilib repository and add the third-party CachyOS repository.
# The sections are appended, so they come after the repositories already in
# pacman.conf. Neither section sets SigLevel, so the global setting applies.
# NOTE(review): packages from [cachyos] are trusted to the extent of the key
# that is locally signed further down; the mirror itself is not pinned.
cat << EOM >> /etc/pacman.conf
[multilib]
Include = /etc/pacman.d/mirrorlist
[cachyos]
Server = https://mirror.cachyos.org/repo/x86_64/cachyos
EOM
# Use all available threads to build a package
# The single quotes keep $(nproc) literal: it is written verbatim into
# makepkg.conf, which makepkg sources as shell, so it is evaluated at build
# time. The substitution only matches the exact commented default
# `#MAKEFLAGS="-j2"`; if the image ships a different line this is a silent no-op.
sed -i 's/#MAKEFLAGS="-j2"/MAKEFLAGS="-j$(nproc) -l$(nproc)"/g' /etc/makepkg.conf
# CachyOS repository keys
# The signing key is fetched from a public keyserver by its 64-bit key ID and
# then locally signed, which marks it as trusted for package verification.
# NOTE(review): a 64-bit ID is not collision resistant; pin the full 40-hex
# fingerprint instead (<CACHYOS_KEY_FINGERPRINT> - placeholder, take it from
# the repository's own documentation) and compare it before --lsign-key.
pacman-key --init
pacman-key --recv-keys F3B607488DB35A47 --keyserver keyserver.ubuntu.com
pacman-key --lsign-key F3B607488DB35A47
# Full system upgrade plus the base-devel build toolchain.
pacman -Syu --noconfirm --needed base-devel
# makepkg refuses to run as root, so the build runs as a dedicated `builder`
# account. -m creates its home directory because some PKGBUILDs write there
# (e.g. for caches).
useradd -m builder

# makepkg installs dependencies through sudo, so `builder` gets passwordless
# sudo for every command.
# Security note: this makes `builder` root-equivalent. Anything executed as
# builder, including the PKGBUILD being built, can become root inside this
# container, so the action belongs on disposable runners only and a PKGBUILD
# from an unreviewed source has to be treated as root-level code.
printf '%s\n' 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers

# Let every user (in particular builder) read and write the checkout.
# Ownership is changed later, just before the build.
chmod -R a+rw .

# Remember the starting directory; package paths are reported relative to it.
BASEDIR=$PWD

# Enter the package directory given by the `pkgdir` input (default: current).
cd "${INPUT_PKGDIR:-.}"
# Compare the committed .SRCINFO with the one generated from the PKGBUILD.
# A missing .SRCINFO is tolerated on the assumption that it is generated
# elsewhere; AUR itself rejects uploads without one, so it cannot go unnoticed.
# Note: `makepkg --printsrcinfo` sources the PKGBUILD, so code from the package
# directory is already executed here as `builder`.
if [[ -f .SRCINFO ]]; then
  # diff ignores comment lines (-I '^#'). Because of pipefail, a makepkg
  # failure ends up in this branch as well and is reported as a mismatch.
  if ! sudo -u builder makepkg --printsrcinfo | diff -d -I '^#' - .SRCINFO; then
    echo "::error file=$FILE,line=$LINENO::Mismatched .SRCINFO. Update with: makepkg --printsrcinfo > .SRCINFO"
    exit 1
  fi
fi
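# Optionally install dependencies from AUR (enabled by a non-empty `aurdeps`
# input).
if [[ -n "${INPUT_AURDEPS:-}" ]]; then
  # First install yay, built from its AUR recipe as `builder`.
  # NOTE(review): the clone is unpinned, so whatever is at the tip of the AUR
  # repository is built and installed by an account with passwordless sudo.
  # Consider checking out a reviewed commit (<YAY_BIN_COMMIT> - placeholder).
  pacman -S --noconfirm --needed git
  git clone https://aur.archlinux.org/yay-bin.git /tmp/yay
  pushd /tmp/yay
  chmod -R a+rw .
  sudo -H -u builder makepkg --syncdeps --install --noconfirm
  popd

  # Extract dependencies from .SRCINFO and install them. The expression matches
  # `depends`, `makedepends` and their `_x86_64` variants; `checkdepends` and
  # `optdepends` are not picked up.
  mapfile -t PKGDEPS < \
    <(sed -n -e 's/^[[:space:]]*\(make\)\?depends\(_x86_64\)\? = \([[:alnum:][:punct:]]*\)[[:space:]]*$/\3/p' .SRCINFO)

  # With no matching entries yay would be called without targets and abort the
  # whole run, so only call it when there is something to install.
  if (( ${#PKGDEPS[@]} > 0 )); then
    # .SRCINFO comes from the repository under build. Package names cannot
    # start with a hyphen, so such an entry is never a legitimate dependency
    # and would be parsed by yay as an option; refuse it.
    for PKGDEP in "${PKGDEPS[@]}"; do
      if [[ "$PKGDEP" == -* ]]; then
        echo "::error file=$FILE,line=$LINENO::Refusing dependency '$PKGDEP' from .SRCINFO: it starts with '-'"
        exit 1
      fi
    done
    # --noconfirm builds the AUR recipes of these dependencies without review.
    sudo -H -u builder yay --sync --noconfirm "${PKGDEPS[@]}"
  fi
fi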
# Make the builder user the owner of these files
# Without this, (e.g. only having every user have read/write access to the files),
# makepkg will try to change the permissions of the files itself which will fail since it does not own the files/have permission
# we can't do this earlier as it will change files that are for github actions, which results in warnings in github actions logs.
chown -R builder .
# Build packages
# -H sets HOME to builder's home directory; -E asks sudo to preserve the
# caller's environment, so every variable visible to this script (the INPUT_*
# inputs and anything else exported into the container) is also visible to the
# PKGBUILD. NOTE(review): keep secrets out of this step's environment.
# INPUT_MAKEPKGARGS is intentionally unquoted to allow arg splitting
# NOTE(review): an unquoted expansion is also subject to pathname expansion,
# so glob characters in the input are expanded against the package directory.
# shellcheck disable=SC2086
sudo -H -E -u builder makepkg --syncdeps --noconfirm ${INPUT_MAKEPKGARGS:-}
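# Get array of packages to be built. `makepkg --packagelist` prints one
# archive path per line; mapfile -t stores each line as one array element.
mapfile -t PKGFILES < <(sudo -u builder makepkg --packagelist)
echo "Package(s): ${PKGFILES[*]}"

# Report built package archives as step outputs pkgfile0, pkgfile1, ...
i=0
for PKGFILE in "${PKGFILES[@]}"; do
  # makepkg reports absolute paths, must be relative for use by other actions
  RELPKGFILE="$(realpath --relative-base="$BASEDIR" -- "$PKGFILE")"
  # Caller arguments to makepkg may mean the package is not built
  if [[ -f "$PKGFILE" ]]; then
    # The output file path is quoted: an unquoted redirection target that
    # contains whitespace makes bash fail with "ambiguous redirect".
    printf 'pkgfile%d=%s\n' "$i" "$RELPKGFILE" >> "$GITHUB_OUTPUT"
  else
    echo "Archive $RELPKGFILE not built"
  fi
  # The index advances for every listed archive, built or not.
  i=$((i + 1))
done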
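#######################################
# Prepend the argument to each input line.
# Arguments: $1 - prefix written in front of every line
# Inputs:    lines on stdin
# Outputs:   prefixed lines on stdout
#######################################
function prepend () {
  local line
  # IFS= keeps leading/trailing whitespace of each line intact, and the
  # `|| [[ -n ... ]]` clause also emits a final line that lacks a newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # printf with a fixed format prints the data verbatim, independent of
    # echo's option handling; the input here is tool output, not trusted text.
    printf '%s%s\n' "$1" "$line"
  done
}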
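#######################################
# Run namcap checks on the PKGBUILD and on every built package archive,
# emitting each namcap output line as a workflow warning annotation.
# Globals:   INPUT_NAMCAPRULES, INPUT_NAMCAPEXCLUDERULES (read, optional),
#            PKGFILES, BASEDIR, FILE (read), PATH (rewritten and exported)
# Arguments: none
# Outputs:   `::warning` lines on stdout
#######################################
function namcap_check() {
  # Locals keep the helper from overwriting the script-level PKGFILE and
  # RELPKGFILE variables.
  local -a namcap_args=()
  local pkgfile relpkgfile

  # Installing namcap after building so that makepkg happens on a minimal
  # install where any missing dependencies can be caught.
  pacman -S --noconfirm --needed namcap

  # Rule selections are passed as separate, quoted arguments.
  if [[ -n "${INPUT_NAMCAPRULES:-}" ]]; then
    namcap_args+=(-r "${INPUT_NAMCAPRULES}")
  fi
  if [[ -n "${INPUT_NAMCAPEXCLUDERULES:-}" ]]; then
    namcap_args+=(-e "${INPUT_NAMCAPEXCLUDERULES}")
  fi

  # For reasons that I don't understand, sudo is not resetting '$PATH'
  # As a result, namcap finds program paths in /usr/sbin instead of /usr/bin
  # which makes namcap fail to identify the packages that provide the
  # program and so it emits spurious warnings.
  # More details: https://bugs.archlinux.org/task/66430
  #
  # Work around this issue by putting bin ahead of sbin in $PATH
  export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"

  # Because of pipefail, a non-zero exit from namcap fails the pipeline.
  namcap "${namcap_args[@]}" PKGBUILD \
    | prepend "::warning file=$FILE,line=$LINENO::"

  for pkgfile in "${PKGFILES[@]}"; do
    # Archives that were listed but not built are skipped.
    if [[ -f "$pkgfile" ]]; then
      relpkgfile="$(realpath --relative-base="$BASEDIR" "$pkgfile")"
      namcap "${namcap_args[@]}" "$pkgfile" \
        | prepend "::warning file=$FILE,line=$LINENO::$relpkgfile:"
    fi
  done
}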
# Run the namcap lint pass unless the INPUT_NAMCAPDISABLE input is non-empty.
case "${INPUT_NAMCAPDISABLE:-}" in
  '') namcap_check ;;
esac