archzfs: add package and GitHub workflows

archzfs · Oct 31, 2024 · e31fc11 · e31fc11
1 parent 482109e
commit e31fc11
Show file tree

Hide file tree

Showing 5 changed files with 296 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    assignees:
+      - "Doridian"
+      - "kerberizer"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,202 @@
+---
+name: CI
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/**
+      - Makefile
+      - keyring/**
+      - keyringctl
+      - libkeyringctl/**
+      - package/**
+      - tests/**
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/**
+      - Makefile
+      - keyring/**
+      - keyringctl
+      - libkeyringctl/**
+      - package/**
+      - tests/**
+
+jobs:
+
+  lint:
+
+    runs-on: ubuntu-latest
+    container: archlinux:latest
+
+    steps:
+
+      - name: Install dependencies
+        env:
+          packages: >
+            flake8
+            git
+            make
+            mypy
+            python-black
+            python-isort
+        run: |
+          pacman-key --init
+          pacman -Syu --needed --noconfirm ${packages}
+
+      - name: Checkout the repository
+        uses: actions/[email protected]
+
+      - name: Run lint
+        run: make lint
+
+  test:
+
+    runs-on: ubuntu-latest
+    container: archlinux:latest
+
+    steps:
+
+      - name: Install dependencies
+        env:
+          packages: >
+            git
+            make
+            python
+            python-coverage
+            python-pytest
+            python-tomli
+            sequoia-sq
+        run: |
+          pacman-key --init
+          pacman -Syu --needed --noconfirm ${packages}
+
+      - name: Checkout the repository
+        uses: actions/[email protected]
+
+      - name: Run tests
+        run: make test
+
+      - name: Store the coverage report
+        uses: actions/[email protected]
+        with:
+          include-hidden-files: true
+          name: coverage-report
+          path: .coverage
+
+  coverage:
+
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      pull-requests: write
+      contents: write
+
+    steps:
+
+      - name: Checkout the repository
+        uses: actions/[email protected]
+
+      - name: Retrieve the coverage reports
+        uses: actions/[email protected]
+        with:
+          merge-multiple: true
+          name: coverage-report
+
+      - name: Process the coverage reports
+        id: coverage_processing
+        uses: py-cov-action/[email protected]
+        with:
+          COVERAGE_DATA_BRANCH: 'COVERAGE-REPORT'
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Store the pull request coverage comment for later posting
+        if: steps.coverage_processing.outputs.COMMENT_FILE_WRITTEN == 'true'
+        uses: actions/[email protected]
+        with:
+          name: python-coverage-comment-action
+          path: python-coverage-comment-action.txt
+
+  build:
+
+    runs-on: ubuntu-latest
+    container: archlinux:latest
+
+    steps:
+
+      - name: Install dependencies
+        env:
+          packages: >
+            git
+            make
+            pkgconf
+            python
+            sequoia-sq
+            systemd
+        run: |
+          pacman-key --init
+          pacman -Syu --needed --noconfirm ${packages}
+
+      - name: Checkout repository
+        uses: actions/[email protected]
+
+      - name: Build and install
+        run: |
+          make
+          make install PREFIX=/usr
+
+  keyring_check:
+
+    runs-on: ubuntu-latest
+    container: archlinux:latest
+
+    steps:
+
+      - name: Install dependencies
+        env:
+          packages: >
+            git
+            make
+            python
+            sequoia-sq
+        run: |
+          pacman-key --init
+          pacman -Syu --needed --noconfirm ${packages}
+
+      - name: Checkout repository
+        uses: actions/[email protected]
+
+      - name: Check keyring
+        run: |
+          chown root:root .
+          ./keyringctl check
+          ./keyringctl ci
+
+  package:
+
+    runs-on: ubuntu-latest
+    container: archlinux:base-devel
+
+    steps:
+
+      - name: Install dependencies
+        run: |
+          pacman-key --init
+          pacman -Syu --needed --noconfirm git
+
+      - name: Checkout repository
+        uses: actions/[email protected]
+
+      - name: Set up build user
+        run: |
+          groupadd -r packager
+          useradd -g packager -mr packager
+          echo "packager ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
+
+      - name: Build package
+        run: |
+          chown -R packager:packager .
+          sudo -u packager makepkg --dir package --noconfirm --skipinteg --syncdeps
diff --git a/.github/workflows/coverage-comment.yml b/.github/workflows/coverage-comment.yml
@@ -0,0 +1,29 @@
+---
+name: Post a coverage report comment on pull requests
+
+on:  # yamllint disable-line rule:truthy
+  workflow_run:
+    workflows:
+      - 'CI'
+    types:
+      - 'completed'
+
+jobs:
+
+  comment:
+
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+    permissions:
+      pull-requests: write
+      contents: write
+      actions: read
+
+    steps:
+
+      - name: Post the stored pull request coverage comment
+        uses: py-cov-action/[email protected]
+        with:
+          COVERAGE_DATA_BRANCH: 'COVERAGE-REPORT'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
diff --git a/package/PKGBUILD b/package/PKGBUILD
@@ -0,0 +1,28 @@
+pkgname=archzfs-keyring
+pkgver=20241022
+pkgrel=1
+pkgdesc='ArchZFS PGP keyring'
+arch=('any')
+url='https://github.com/archzfs/archzfs-keyring'
+license=('GPL-3.0-or-later')
+install=$pkgname.install
+depends=('pacman')
+makedepends=('git' 'python' 'sequoia-sq' 'pkgconf' 'systemd')
+checkdepends=('python-coverage' 'python-pytest')
+source=("archzfs-keyring::git+file://$(pwd)/..")
+
+build() {
+  cd "${pkgname}"
+  make build
+}
+
+check() {
+  cd "${pkgname}"
+  make check
+}
+
+package() {
+  cd "${pkgname}"
+  make PREFIX='/usr' DESTDIR="${pkgdir}" install
+}
+
diff --git a/package/archzfs-keyring.install b/package/archzfs-keyring.install
@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+
+populate_archzfs() {
+	if usr/bin/pacman-key -l >/dev/null 2>&1; then
+		usr/bin/pacman-key --populate archzfs
+	fi
+}
+
+post_upgrade() {
+	# Older versions of pacman (before 6.1.0) disabled locking by default:
+	# https://gitlab.archlinux.org/pacman/pacman/-/commit/1d1bb6fa1a8247242fbdd226f50265a278a12ac8
+	#
+	# This still causes lots of problems, so force to remove that option.
+	if grep -qx 'lock-never' etc/pacman.d/gnupg/gpg.conf 2>/dev/null; then
+		sed -i '/^lock-never$/d' etc/pacman.d/gnupg/gpg.conf
+	fi
+
+	populate_archzfs
+}
+
+post_install() {
+	if [ -x usr/bin/pacman-key ]; then
+		populate_archzfs
+	fi
+}