Fix apk-publish workflow: run abuild as non-root user

2026-04-02 02:50:33 +02:00
parent 58b8fef731
commit aa5f124b5f
1 changed files with 17 additions and 12 deletions
--- a/.gitea/workflows/apk-publish.yml
+++ b/.gitea/workflows/apk-publish.yml
@@ -13,20 +13,24 @@ jobs:
    steps:
      - name: Install build dependencies
        run: |
-          apk add --no-cache git go abuild make nodejs curl openssl
+          apk add --no-cache git go abuild make nodejs curl openssl sudo
+      
+      - name: Create build user
+        run: |
+          adduser -D -G abuild build
+          echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+          chown -R build:abuild .
      
      - name: Checkout repository
        uses: actions/checkout@v4
      
      - name: Setup abuild for package signing
        run: |
-          mkdir -p ~/.abuild
-          echo "PACKAGER_PRIVKEY=$HOME/.abuild/private_key.rsa" > ~/.abuild/abuild.conf
-          echo "PACKAGER_PUBKEY=$HOME/.abuild/private_key.rsa.pub" >> ~/.abuild/abuild.conf
-          openssl genrsa -out ~/.abuild/private_key.rsa 2048
-          openssl rsa -pubout -in ~/.abuild/private_key.rsa -out ~/.abuild/private_key.rsa.pub
-          cp ~/.abuild/private_key.rsa.pub /etc/apk/keys/
-          abuild-keygen -a -n
+          su build -c "mkdir -p ~/.abuild"
+          su build -c "openssl genrsa -out ~/.abuild/private_key.rsa 2048"
+          su build -c "openssl rsa -pubout -in ~/.abuild/private_key.rsa -out ~/.abuild/private_key.rsa.pub"
+          cp ~build/.abuild/private_key.rsa.pub /etc/apk/keys/
+          su build -c "abuild-keygen -a -n"
      
      - name: Prepare source
        run: |
@@ -34,26 +38,27 @@ jobs:
          pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
          sed -i "s/pkgver=.*/pkgver=$pkgver/" APKBUILD
          sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz::${{ github.server_url }}/${{ github.repository }}/archive/\$pkgver.tar.gz\"|" APKBUILD
+          chown -R build:abuild .
      
      - name: Generate checksums
        run: |
          cd packaging/alpine
-          abuild checksum
+          su build -c "abuild checksum"
      
      - name: Build package
        run: |
          cd packaging/alpine
-          abuild -r
+          su build -c "abuild -r"
      
      - name: Find built package
        id: find_package
        run: |
-          find "$HOME/packages" -name "*.apk" -type f > packages.txt
+          find ~build/packages -name "*.apk" -type f > packages.txt
          echo "package_path=$(head -1 packages.txt)" >> $GITHUB_OUTPUT
      
      - name: Publish to Gitea Registry
        run: |
-          apk_file=$(find "$HOME/packages" -name "*.apk" -type f | head -1)
+          apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
          branch=$(echo "${{ github.ref_name }}" | sed 's/^v//')
          curl -X PUT \
            -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \