innernet-debian/.github/workflows/main.yml

name: Update Repository

# Controls when the workflow will run
on:
  #push:
    # If the configuration has changed, this ensures we apply updates.
    #branches: [ main ]

  schedule:
    # Upstream releases around once per month, so twice a week should be fine.
    - cron:  '23 14 * * mon,thu'

  workflow_dispatch:

jobs:
  check-upstream:
    name: Check for a new releases upstream
    runs-on: ubuntu-latest

    outputs:
      innernet_release: ${{ steps.check-latest-release.outputs.innernet_release }}
      innernet_version: ${{ steps.check-latest-release.outputs.innernet_version }}
      tarball_url: ${{ steps.check-latest-release.outputs.tarball_url }}
      new_release_exists: ${{ steps.check-repo-release.outputs.new_release_exists }}

    steps:
      - name: Install Distro Dependencies
        run: sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes jq liblzma-dev reprepro

      - name: Set Ubuntu Release Name
        id: set-ubuntu-release-name
        run: |
          echo "ubuntu_release=$(lsb_release --short --codename)" >>"$GITHUB_OUTPUT"

      - name: Check Latest Release
        id: check-latest-release
        run: |
          wget -O- \
               -H'Accept: application/json' \
               "https://api.github.com/repos/tonarino/innernet/releases/latest" \
              | jq -r '(.name + " " + .tarball_url)' \
              | (
                read release tarball_url
                echo "innernet_release=$release" >>"$GITHUB_OUTPUT"
                echo "innernet_version=${release#v}" >>"$GITHUB_OUTPUT"
                echo "tarball_url=$tarball_url" >>"$GITHUB_OUTPUT"
                echo "Latest release: $release"
              )

      - name: Checkout
        uses: actions/checkout@v3
        with:
          # See https://github.com/marketplace/actions/github-push
          persist-credentials: false
          fetch-depth: 0

      - name: Check Repo Release
        id: check-repo-release
        run: |
          new_release_exists=
          for ver_codename in ubuntu-22.04/jammy ubuntu-20.04/focal; do
            ver=${ver_codename%/*}
            codename=${ver_codename##*/}
            # Note the leading v to match the Git tag.
            indexed=v$(reprepro -b debian --list-format '${version}\n' listmatched "$codename" innernet)
            upstream="${{ steps.check-latest-release.outputs.innernet_release }}-0ubuntu0~$codename"
            echo "Repo release in $codename: $indexed"
            if [ "x$indexed" != "x$upstream" ]; then
              new_release_exists="${new_release_exists:+$new_release_exists,}\"$ver\""
            fi
          done
          echo "new_release_exists=[$new_release_exists]" >>"$GITHUB_OUTPUT"

      - name: Show Output
        id: show-output
        run: |
          echo "## Job Outputs" >>"$GITHUB_STEP_SUMMARY"
          echo "* \`innernet_release=${{ steps.check-latest-release.outputs.innernet_release }}\`" >>"$GITHUB_STEP_SUMMARY"
          echo "* \`innernet_version=${{ steps.check-latest-release.outputs.innernet_version }}\`" >>"$GITHUB_STEP_SUMMARY"
          echo "* \`new_release_exists=${{ steps.check-repo-release.outputs.new_release_exists }}\`" >>"$GITHUB_STEP_SUMMARY"

  build-deb:
    name: Build DEB Packages
    needs: [check-upstream]
    if: "fromJson(needs.check-upstream.outputs.new_release_exists)[0] != null"
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        os: ${{ fromJson(needs.check-upstream.outputs.new_release_exists) }}

    steps:
      - name: Install Distro Dependencies
        run: sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes dpkg-dev liblzma-dev

      - name: Translate Codename
        id: translate-codename
        run: |
          case "${{ matrix.os }}" in
          ubuntu-22.04) codename=jammy ;;
          ubuntu-20.04) codename=focal ;;
          *)
            echo "Unknown OS: ${{ matrix.os }}" >&2
            exit 1
            ;;
          esac
          echo "codename=$codename" >>"$GITHUB_OUTPUT"

      - name: Download Latest Release
        id: download-release
        run: |
          wget -O- "${{ needs.check-upstream.outputs.tarball_url }}" | tar xz
          mv tonarino-innernet-*/* .
          rm -fr tonarino-innernet-*

      - name: Install Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          profile: minimal
          override: true

      - name: Install cargo-deb
        run: |
          type -p cargo-deb || cargo install cargo-deb

      - name: Set Up Rust Cache
        uses: Swatinem/rust-cache@v1
        with:
          key: ${{ matrix.os }}

      - name: Build Client DEB
        uses: actions-rs/cargo@v1
        with:
          command: deb
          args: -p client --deb-version=${{ needs.check-upstream.outputs.innernet_version }}-0ubuntu0~${{ steps.translate-codename.outputs.codename }}

      - name: Build Server DEB
        uses: actions-rs/cargo@v1
        with:
          command: deb
          args: -p server --deb-version=${{ needs.check-upstream.outputs.innernet_version }}-0ubuntu0~${{ steps.translate-codename.outputs.codename }}

      - name: Upload DEBs
        uses: actions/upload-artifact@v3
        with:
          name: deb-${{ matrix.os }}
          path: target/debian/*.deb

      - name: Show Output
        id: show-output
        run: |
          echo "## Job Outputs" >>"$GITHUB_STEP_SUMMARY"
          echo "* \`codename=${{ steps.translate-codename.outputs.codename }}\`" >>"$GITHUB_STEP_SUMMARY"

  release:
    needs: [check-upstream, build-deb]
    # Avoid push conflicts.
    concurrency: update_repository
    if: "matrix.os[0] != null"
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        os: ${{ fromJson(needs.check-upstream.outputs.new_release_exists) }}

    steps:
      - name: Install Distro Dependencies
        run: sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes git gpg reprepro

      - name: Set Up GPG Keys
        run: |
          mkdir -p -m 0700 "$HOME/.gnupg"
          echo 'pinentry-mode loopback' >>"$HOME/.gnupg/gpg.conf"
          echo 'allow-loopback-pinentry' >>"$HOME/.gnupg/gpg-agent.conf"
          echo 'allow-preset-passphrase' >>"$HOME/.gnupg/gpg-agent.conf"
          gpgconf --reload gpg-agent
          echo "${{ secrets.GPG_SIGNING_KEY }}" | gpg --quiet --batch --yes --import
          echo '${{ secrets.GPG_SIGNING_PASSPHRASE }}' | /usr/lib/gnupg/gpg-preset-passphrase --preset 57F0E65446A301CC19914FD61167922350A2D8B2

      - name: Translate Codename
        id: translate-codename
        run: |
          case "${{ matrix.os }}" in
          ubuntu-22.04) codename=jammy ;;
          ubuntu-20.04) codename=focal ;;
          *)
            echo "Unknown OS: ${{ matrix.os }}" >&2
            exit 1
            ;;
          esac
          echo "codename=$codename" >>"$GITHUB_OUTPUT"

      - name: Checkout
        uses: actions/checkout@v3
        with:
          # See https://github.com/marketplace/actions/github-push
          persist-credentials: false
          fetch-depth: 0

      - name: Download DEBs
        uses: actions/download-artifact@v3
        with:
          name: deb-${{ matrix.os }}
          path: ./artifacts

      - name: Import DEBs
        run: |
          cd artifacts
          for name in *.deb; do
            reprepro --export=silent-never -b ../debian includedeb "${{ steps.translate-codename.outputs.codename }}" "$name"
          done

      - name: Update Repository
        run: |
          has_changes() {
            git status --porcelain "$@" | grep -q .
          }

          if has_changes debian/pool; then
              reprepro -b debian export "${{ steps.translate-codename.outputs.codename }}"
          fi

          if has_changes debian/{db,dists,pool}; then
              git add debian/{db,dists,pool}
              git \
                  -c 'user.email=41898282+github-actions[bot]@users.noreply.github.com' \
                  -c 'user.name=github-actions[bot]' \
                  commit -m "Included release tonarino/innernet@${{ needs.check-upstream.outputs.innernet_release }} in ${{ steps.translate-codename.outputs.codename }}."
          else
              echo 'No updates to commit.'
          fi

      - name: Push changes
        uses: ad-m/github-push-action@master
        if: github.ref_name == 'main'
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ github.ref }}

      # GitHub shows an inconsistent delay with pulling right after pushing. Since we push
      # for multiple distributions, we have to make sure the next checkout doesn't conflict
      # with the current.
      - name: Delay 30 seconds for pushed changes to be visible
        run: sleep 30s
        shell: bash