Update .github/workflows/update-repo.yml

2026-04-14 21:21:14 +02:00
parent 9a3ffff7c7
commit 4c40f57455


@@ -1,4 +1,4 @@
name: Update Arch Repository (Host stui)
name: Update Arch Repository (Binary Sigs)
on:
push:
@@ -14,10 +14,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: Ensure Tools
run: |
sudo apt-get update && sudo apt-get install -y libarchive-tools gpg
- name: Import GPG Key
run: |
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import --yes
@@ -25,102 +21,51 @@ jobs:
- name: Build and Sign Repository
run: |
cd x86_64
# Clean up old database files
rm -f hyprarch-repo.db* hyprarch-repo.files*
mkdir -p db_temp
# Export Public Key for the landing page link
# We still use --armor for the public key (that's for humans)
gpg --export --armor 236328A7F2C2001E > pubkey.gpg
for pkg in *.pkg.tar.zst; do
# 1. Generate detached signature file (.sig)
echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor "$pkg"
# 1. Create BINARY detached signature (REMOVED --armor)
echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --output "$pkg.sig" "$pkg"
# 2. Extract Metadata for DB
pkgname=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgname =" | cut -d' ' -f3)
pkgver=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgver =" | cut -d' ' -f3)
pkgdesc=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgdesc =" | cut -d' ' -f3- | sed "s/['\"]//g")
# 2. Extract Metadata
pkgname=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgname =" | cut -d' ' -f3 | tr -d '\r')
pkgver=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgver =" | cut -d' ' -f3 | tr -d '\r')
pkgdesc=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgdesc =" | cut -d' ' -f3- | sed "s/['\"]//g" | tr -d '\r')
pkgsize=$(stat -c%s "$pkg")
instsize=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^size =" | cut -d' ' -f3)
instsize=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^size =" | cut -d' ' -f3 | tr -d '\r')
mkdir -p "db_temp/$pkgname-$pkgver"
# 3. Create the 'desc' file (The heart of the .db)
# 3. Build 'desc' with internal PGP SIG (Base64 of the binary sig)
{
echo "%NAME%"
echo "$pkgname"
echo ""
echo "%VERSION%"
echo "$pkgver"
echo ""
echo "%DESC%"
echo "$pkgdesc"
echo ""
echo "%FILENAME%"
echo "$pkg"
echo ""
echo "%CSIZE%"
echo "$pkgsize"
echo ""
echo "%ISIZE%"
echo "$instsize"
echo ""
echo "%NAME%"; echo "$pkgname"; echo ""
echo "%VERSION%"; echo "$pkgver"; echo ""
echo "%DESC%"; echo "$pkgdesc"; echo ""
echo "%FILENAME%"; echo "$pkg"; echo ""
echo "%CSIZE%"; echo "$pkgsize"; echo ""
echo "%ISIZE%"; echo "$instsize"; echo ""
echo "%PGPSIG%"
# Pipe the signature directly into the DB as a base64 string
echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor --output - "$pkg" | base64 | tr -d '\n'
base64 -w 0 "$pkg.sig"
echo ""
echo ""
} > "db_temp/$pkgname-$pkgver/desc"
done
# 4. Bundle everything into the .db file
# 4. Pack and Sign DB (Signatures here should also be binary)
cd db_temp
tar -c * | gzip -9 > ../hyprarch-repo.db.tar.gz
tar --owner=0 --group=0 -c * | gzip -n -9 > ../hyprarch-repo.db.tar.gz
cd ..
# 5. Sign the database itself
echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor hyprarch-repo.db.tar.gz
# 6. Finalize symlinks/copies
cp hyprarch-repo.db.tar.gz hyprarch-repo.db
cp hyprarch-repo.db.tar.gz.sig hyprarch-repo.db.sig
cp hyprarch-repo.db.tar.gz hyprarch-repo.files
echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --output hyprarch-repo.db.sig hyprarch-repo.db
rm -rf db_temp
- name: Generate Landing Page
- name: Deploy
run: |
cat <<EOF > index.html
<!DOCTYPE html>
<html>
<head>
<title>HyprArch Repo</title>
<style>
body { font-family: sans-serif; background: #2e3440; color: #eceff4; padding: 40px; }
.container { max-width: 800px; margin: auto; background: #3b4252; padding: 30px; border-radius: 10px; }
pre { background: #2e3440; padding: 15px; border-radius: 5px; color: #ebcb8b; border: 1px solid #4c566a; }
h1 { color: #81a1c1; }
a { color: #88c0d0; text-decoration: none; }
</style>
</head>
<body>
<div class="container">
<h1>🚀 HyprArch Pi Repository</h1>
<p>Trust Key:</p>
<pre>curl -s https://repo.stuple.net/x86_64/pubkey.gpg | sudo pacman-key -a - && sudo pacman-key --lsign-key 236328A7F2C2001E</pre>
<p>Add to /etc/pacman.conf:</p>
<pre>[hyprarch-repo]
SigLevel = Required DatabaseOptional
Server = https://repo.stuple.net/\$arch</pre>
<hr>
<p><a href="./x86_64/">📂 Browse File Index</a></p>
</div>
</body>
</html>
EOF
- name: Deploy to Local Web Folder
run: |
# Use sudo (configured in visudo previously) to move to Nginx root
sudo mkdir -p /var/www/hyprarch-repo/x86_64
sudo cp -rf . /var/www/hyprarch-repo/
sudo chown -R www-data:www-data /var/www/hyprarch-repo
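Review bot: The rewritten signing commands in the "Build and Sign Repository" step (the per-package `--detach-sign --output "$pkg.sig"` line and the database `--output hyprarch-repo.db.sig` line) still splice `${{ secrets.GPG_PASSPHRASE }}` straight into the script text, and the unchanged "Import GPG Key" step does the same with `secrets.GPG_PRIVATE_KEY`. The expression is substituted before the shell runs, so a passphrase containing `"`, `$` or a backtick is re-parsed by the shell rather than passed through as data. The secret value is also typically written into the temporary script the runner executes, and the later `sudo cp` into `/var/www` suggests this is a persistent self-hosted host. Pass it through the step environment instead: add `env:` with `GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}` to the step, and feed gpg with `printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 …`.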