Fix apk-publish workflow: run abuild as non-root user

2026-04-02 02:50:33 +02:00
parent 58b8fef731
commit aa5f124b5f


@@ -13,20 +13,24 @@ jobs:
steps: steps:
- name: Install build dependencies - name: Install build dependencies
run: | run: |
apk add --no-cache git go abuild make nodejs curl openssl apk add --no-cache git go abuild make nodejs curl openssl sudo
- name: Create build user
run: |
adduser -D -G abuild build
echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
chown -R build:abuild .
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Setup abuild for package signing - name: Setup abuild for package signing
run: | run: |
mkdir -p ~/.abuild su build -c "mkdir -p ~/.abuild"
echo "PACKAGER_PRIVKEY=$HOME/.abuild/private_key.rsa" > ~/.abuild/abuild.conf su build -c "openssl genrsa -out ~/.abuild/private_key.rsa 2048"
echo "PACKAGER_PUBKEY=$HOME/.abuild/private_key.rsa.pub" >> ~/.abuild/abuild.conf su build -c "openssl rsa -pubout -in ~/.abuild/private_key.rsa -out ~/.abuild/private_key.rsa.pub"
openssl genrsa -out ~/.abuild/private_key.rsa 2048 cp ~build/.abuild/private_key.rsa.pub /etc/apk/keys/
openssl rsa -pubout -in ~/.abuild/private_key.rsa -out ~/.abuild/private_key.rsa.pub su build -c "abuild-keygen -a -n"
cp ~/.abuild/private_key.rsa.pub /etc/apk/keys/
abuild-keygen -a -n
- name: Prepare source - name: Prepare source
run: | run: |
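Review bot: The new "Create build user" step gives the unprivileged account full passwordless root with `echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers`. Anything abuild runs from the APKBUILD as `build` can therefore become root again, which undoes the separation this commit is introducing. abuild's own `abuild-apk` helper is meant to let members of the `abuild` group install build dependencies, so the sudoers line and the `sudo` package added to `apk add` are probably unnecessary; try deleting both and confirm `abuild -r` still passes. If sudo turns out to be required, use a command-restricted rule in a file under `/etc/sudoers.d/` rather than appending `ALL` to `/etc/sudoers`. Separately, as far as the new side can be read, the key copied to `/etc/apk/keys/` is the openssl-generated `private_key.rsa.pub`, while `abuild-keygen -a -n` creates and configures a different signing key, so the trust store may hold a key that is never used; the rest of the job lies outside this hunk.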
@@ -34,26 +38,27 @@ jobs:
pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//') pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
sed -i "s/pkgver=.*/pkgver=$pkgver/" APKBUILD sed -i "s/pkgver=.*/pkgver=$pkgver/" APKBUILD
sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz::${{ github.server_url }}/${{ github.repository }}/archive/\$pkgver.tar.gz\"|" APKBUILD sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz::${{ github.server_url }}/${{ github.repository }}/archive/\$pkgver.tar.gz\"|" APKBUILD
chown -R build:abuild .
- name: Generate checksums - name: Generate checksums
run: | run: |
cd packaging/alpine cd packaging/alpine
abuild checksum su build -c "abuild checksum"
- name: Build package - name: Build package
run: | run: |
cd packaging/alpine cd packaging/alpine
abuild -r su build -c "abuild -r"
- name: Find built package - name: Find built package
id: find_package id: find_package
run: | run: |
find "$HOME/packages" -name "*.apk" -type f > packages.txt find ~build/packages -name "*.apk" -type f > packages.txt
echo "package_path=$(head -1 packages.txt)" >> $GITHUB_OUTPUT echo "package_path=$(head -1 packages.txt)" >> $GITHUB_OUTPUT
- name: Publish to Gitea Registry - name: Publish to Gitea Registry
run: | run: |
apk_file=$(find "$HOME/packages" -name "*.apk" -type f | head -1) apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
branch=$(echo "${{ github.ref_name }}" | sed 's/^v//') branch=$(echo "${{ github.ref_name }}" | sed 's/^v//')
curl -X PUT \ curl -X PUT \
-H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \