diff --git a/.github/workflows/update-gpg-keys.yml b/.github/workflows/update-gpg-keys.yml
new file mode 100644
index 00000000000..02cb7dffbfb
--- /dev/null
+++ b/.github/workflows/update-gpg-keys.yml
@@ -0,0 +1,70 @@
+name: Update GPG keys
+permissions:
+ contents: write
+
+on:
+ workflow_dispatch:
+
+jobs:
+ update-gpg-keys:
+ runs-on: ubuntu-24.04-arm
+ strategy:
+ matrix:
+ branch:
+ - frawhide
+ - f44
+ - f43
+ - f42
+ - el10
+ container:
+ image: ghcr.io/terrapkg/builder:frawhide
+ options: --cap-add=SYS_ADMIN --privileged
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
+
+ - name: Install SSH signing key & set up Git repository
+ run: |
+ mkdir -p ${{ runner.temp }}
+ echo "${{ secrets.SSH_SIGNING_KEY }}" > ${{ runner.temp }}/signing_key
+ chmod 0700 ${{ runner.temp }}/signing_key
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+ - name: Update GPG keys
+ env: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ for branch in $(sed -n 's/- \(f.*\)/\1/p;s/- \(el.*\)/\1/p' .github/workflows/update-branch.yml | tr -d ' '); do
+ if [[ $branch == f* ]]; then
+ export releasever=${branch/f/}
+ else
+ export releasever=$branch
+ fi
+
+ curl -s https://repos.fyralabs.com/terra$releasever/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever
+ curl -s https://repos.fyralabs.com/terra$releasever-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source
+ if [[ $releasever != el* ]]; then
+ curl -s https://repos.fyralabs.com/terra$releasever-extras/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras
+ curl -s https://repos.fyralabs.com/terra$releasever-extras-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source
+ curl -s https://repos.fyralabs.com/terra$releasever-mesa/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa
+ curl -s https://repos.fyralabs.com/terra$releasever-mesa-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source
+ curl -s https://repos.fyralabs.com/terra$releasever-multimedia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia
+ curl -s 
https://repos.fyralabs.com/terra$releasever-multimedia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source + curl -s https://repos.fyralabs.com/terra$releasever-nvidia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia + curl -s https://repos.fyralabs.com/terra$releasever-nvidia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source + fi + done + anda update --filters keys=1 --labels branch=${{ matrix.branch }} + + - name: Save + run: | + if [[ `git status --porcelain` ]]; then + git config user.name "Raboneko" + git config user.email "raboneko@fyralabs.com" + git config gpg.format "ssh" + git config user.signingkey "${{ runner.temp }}/signing_key" + git commit -S -a -m "bump(manual): terra-gpg-keys" + git push -u origin --all + fi diff --git a/anda/terra/gpg-keys/RELEASE.txt b/anda/terra/gpg-keys/RELEASE.txt deleted file mode 100644 index d00099938ae..00000000000 --- a/anda/terra/gpg-keys/RELEASE.txt +++ /dev/null @@ -1 +0,0 @@ -F45 \ No newline at end of file diff --git a/anda/terra/gpg-keys/anda.hcl b/anda/terra/gpg-keys/anda.hcl index 97f5a29b38a..109c714a6f8 100644 --- a/anda/terra/gpg-keys/anda.hcl +++ b/anda/terra/gpg-keys/anda.hcl @@ -5,5 +5,6 @@ project pkg { } labels { updbranch = 1 + keys = 1 } } diff --git a/anda/terra/gpg-keys/pre.rhai b/anda/terra/gpg-keys/pre.rhai new file mode 100644 index 00000000000..88c68b5f4b4 --- /dev/null +++ b/anda/terra/gpg-keys/pre.rhai @@ -0,0 +1,2 @@ +let dir = sub(`/[^/]+$`, "", __script_path); +sh(`tar -czf keys.tar.gz RPM-GPG-KEY-terra*`, #{ "cwd": dir }); diff --git a/anda/terra/gpg-keys/terra-gpg-keys.spec b/anda/terra/gpg-keys/terra-gpg-keys.spec index 66e2773f484..fba57e8f5f6 100644 --- a/anda/terra/gpg-keys/terra-gpg-keys.spec +++ b/anda/terra/gpg-keys/terra-gpg-keys.spec 
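Review bot: Every `curl -s … > anda/terra/gpg-keys/RPM-GPG-KEY-…` in the "Update GPG keys" step writes whatever the server returns straight into a file that ships as an RPM trust anchor, and the "Save" step then signs and pushes it with no human review. Without `-f` an HTTP error page still exits 0 and is committed as a key, and nothing compares the download with a fingerprint the project already trusts, so any change on repos.fyralabs.com propagates unreviewed; the same pattern recurs in anda/terra/gpg-keys/update-gpg-keys.sh. I would fetch through a helper that fails on HTTP errors and rejects non-key data, as sketched below (assuming gpg is available in the builder image), and compare fingerprints or open a pull request rather than pushing directly. Separately, `env: ${{ secrets.GITHUB_TOKEN }}` is not a mapping and the step never uses the token, so that line should probably be dropped, and `--privileged` looks broader than a job that only runs curl and git needs.

```yaml
      - name: Update GPG keys
        run: |
          fetch_key() {
            # $1 = repo name, e.g. terra43-extras
            local tmp
            tmp=$(mktemp)
            # -f: an HTTP error becomes a non-zero exit instead of an error page saved as a key
            curl -fsS --proto '=https' "https://repos.fyralabs.com/$1/key.asc" -o "$tmp"
            # Refuse anything that does not parse as an OpenPGP key before it becomes a trust anchor
            gpg --show-keys "$tmp" >/dev/null
            mv "$tmp" "anda/terra/gpg-keys/RPM-GPG-KEY-$1"
          }
          # … unchanged: branch loop, now calling fetch_key "terra$releasever", fetch_key "terra$releasever-source", … …
```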
@@ -9,48 +9,7 @@ Requires: filesystem >= 3.18-6 License: MIT URL: https://terra.fyralabs.com # We aren't pulling keys from the origin URLs, since they shouldn't change and this is easier to audit. -Source0: RPM-GPG-KEY-terrarawhide -Source1: RPM-GPG-KEY-terrarawhide-extras -Source2: RPM-GPG-KEY-terrarawhide-extras-source -Source3: RPM-GPG-KEY-terrarawhide-mesa -Source4: RPM-GPG-KEY-terrarawhide-mesa-source -Source5: RPM-GPG-KEY-terrarawhide-multimedia -Source6: RPM-GPG-KEY-terrarawhide-multimedia-source -Source7: RPM-GPG-KEY-terrarawhide-nvidia -Source8: RPM-GPG-KEY-terrarawhide-nvidia-source -Source9: RPM-GPG-KEY-terrarawhide-source -Source10: RPM-GPG-KEY-terra42 -Source11: RPM-GPG-KEY-terra42-extras -Source12: RPM-GPG-KEY-terra42-extras-source -Source13: RPM-GPG-KEY-terra42-mesa -Source14: RPM-GPG-KEY-terra42-mesa-source -Source15: RPM-GPG-KEY-terra42-multimedia -Source16: RPM-GPG-KEY-terra42-multimedia-source -Source17: RPM-GPG-KEY-terra42-nvidia -Source18: RPM-GPG-KEY-terra42-nvidia-source -Source19: RPM-GPG-KEY-terra42-source -Source20: RPM-GPG-KEY-terra43 -Source21: RPM-GPG-KEY-terra43-extras -Source22: RPM-GPG-KEY-terra43-extras-source -Source23: RPM-GPG-KEY-terra43-mesa -Source24: RPM-GPG-KEY-terra43-mesa-source -Source25: RPM-GPG-KEY-terra43-multimedia -Source26: RPM-GPG-KEY-terra43-multimedia-source -Source27: RPM-GPG-KEY-terra43-nvidia -Source28: RPM-GPG-KEY-terra43-nvidia-source -Source29: RPM-GPG-KEY-terra43-source -Source30: RPM-GPG-KEY-terra44 -Source31: RPM-GPG-KEY-terra44-extras -Source32: RPM-GPG-KEY-terra44-extras-source -Source33: RPM-GPG-KEY-terra44-mesa -Source34: RPM-GPG-KEY-terra44-mesa-source -Source35: RPM-GPG-KEY-terra44-multimedia -Source36: RPM-GPG-KEY-terra44-multimedia-source -Source37: RPM-GPG-KEY-terra44-nvidia -Source38: RPM-GPG-KEY-terra44-nvidia-source -Source39: RPM-GPG-KEY-terra44-source -Source40: RPM-GPG-KEY-terrael10 -Source41: RPM-GPG-KEY-terrael10-source +Source0: keys.tar.gz BuildArch: noarch Packager: Terra Packaging 
Team @@ -65,12 +24,13 @@ Summary: Terra GPG keys for Mock Terra GPG key copies for use in Mock. %prep +%autosetup -D -n . %build %install install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg -install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ +install -m 644 ./RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ install -d -m 755 $RPM_BUILD_ROOT/etc/pki/mock install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/mock/ diff --git a/anda/terra/gpg-keys/update-gpg-keys.sh b/anda/terra/gpg-keys/update-gpg-keys.sh new file mode 100755 index 00000000000..03028221f72 --- /dev/null +++ b/anda/terra/gpg-keys/update-gpg-keys.sh 
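Review bot: The comment kept as context above `Source0: keys.tar.gz` ("We aren't pulling keys from the origin URLs, since they shouldn't change and this is easier to audit.") no longer describes the package. This commit adds a workflow and a script that download the keys from repos.fyralabs.com, and pre.rhai packs them into the tarball. I would replace it with something like `# keys.tar.gz is built by pre.rhai from the RPM-GPG-KEY-terra* files committed in this directory; treat any change to those files as a trust-anchor change.` A single tarball source also hides which keys a build ships, so recording the expected fingerprints next to the spec would keep the audit property the old comment promised.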
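Review bot: The install into `$RPM_BUILD_ROOT/etc/pki/mock/` still globs `%{_sourcedir}/RPM-GPG-KEY*`, while the rpm-gpg line just above it was switched to the unpacked `./RPM-GPG-KEY*`. With `Source0: keys.tar.gz` as the only source, a clean build will likely have no loose key files in `%{_sourcedir}`, so this line would either fail or, where stale files are present, install keys that differ from the ones in the tarball. Suggest `install -m 644 ./RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/mock/` so both directories receive the same files. `%install` may continue outside the hunk.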
@@ -0,0 +1,25 @@ +#!/usr/bin/bash + +for branch in $(sed -n 's/- \(f.*\)/\1/p;s/- \(el.*\)/\1/p' .github/workflows/update-branch.yml | tr -d ' '); do + +if [[ $branch == f* ]]; then + export releasever=${branch/f/} +else + export releasever=$branch +fi + +# Begin check hell to not strain our servers or waste CI time if a key already exists +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever ] && curl -s https://repos.fyralabs.com/terra$releasever/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source ] && curl -s https://repos.fyralabs.com/terra$releasever-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source +if [[ $releasever != el* ]]; then +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras ] && curl -s https://repos.fyralabs.com/terra$releasever-extras/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source ] && curl -s https://repos.fyralabs.com/terra$releasever-extras-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source +[ ! 
-f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia +[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source +fi + +done diff --git a/anda/terra/gpg-keys/update.rhai b/anda/terra/gpg-keys/update.rhai index c8c73671741..150524eee49 100644 --- a/anda/terra/gpg-keys/update.rhai +++ b/anda/terra/gpg-keys/update.rhai @@ -1,8 +1,21 @@ import "andax/bump_extras.rhai" as bump; +import "andax/spec.rhai" as spec; -open_file("anda/terra/gpg-keys/RELEASE.txt", "w").write(bump::as_bodhi_ver(labels.branch)); +let branch = bump::as_bodhi_ver(labels.branch); +if branch.starts_with("F") { + branch.crop(1); + let releasever = branch; +} else if branch.starts_with("EPEL") { + let releasever = labels.branch; + releasever.crop(2); +} + +rpm.version(releasever); + +sh(`anda/terra/gpg-keys/update-gpg-keys.sh`, #{}); let dir = sub(`/[^/]+$`, "", __script_path); if sh("[[ `git status " + dir + " --porcelain` ]] && exit 1 || exit 0", #{}).ctx.rc == 1 { - rpm.release(); + let rel = spec::get_release(rpm).parse_int(); + rpm.release(rel + 1); }
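Review bot: A failed download becomes permanent here, because each line has the form `[ ! -f FILE ] && curl -s URL > FILE` and the shell creates FILE before curl runs. A network failure or HTTP error therefore leaves an empty or error-page file, and the `-f` guard skips it on every later run. That file is then packaged as a GPG key. I would test for a non-empty file and only move a completed download into place, e.g. `[ -s "$dest" ] || { curl -fsS "$url" -o "$dest.tmp" && mv "$dest.tmp" "$dest"; }`, with `dest` and `url` set per repo by a small helper. The script also uses paths relative to the repository root without changing directory, so a comment stating that it must be run from the root would help.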
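Review bot: `releasever` is declared with `let` inside the `if` and `else if` blocks, so as far as I know Rhai's block scoping puts it out of scope at `rpm.version(releasever);`. There is also no fallback when the bodhi version starts with neither "F" nor "EPEL". I would declare it once before the branch, `let releasever = "";`, assign inside (`releasever = branch;` after the crop), and add an `else` that aborts, so an unexpected label cannot stamp an empty version. Note too that `sh(`anda/terra/gpg-keys/update-gpg-keys.sh`, #{})` makes every automated update run a network fetch of key material, and its exit status is not checked here.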