mirror of
https://github.com/novatiq/packages.git
synced 2026-06-22 21:30:27 +01:00
Jeffery To
acd48ceeb7
It appears snapshot target builds have switched from GPG signatures (sha256sums.asc) to usign signatures (sha256sums.sig). This adds support for verifying these usign signatures. (GPG signatures will also be verified if found.) This also restores the alphabetical ordering of packages to be installed by apt-get. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
165 lines
6.0 KiB
YAML
165 lines
6.0 KiB
YAML
version: 2.0
|
|
jobs:
|
|
build:
|
|
docker:
|
|
- image: docker.io/openwrtorg/packages-cci:v1.0.3
|
|
environment:
|
|
- SDK_HOST: "downloads.openwrt.org"
|
|
- SDK_PATH: "snapshots/targets/ath79/generic"
|
|
- SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
|
|
- BRANCH: "master"
|
|
steps:
|
|
- checkout:
|
|
path: ~/openwrt_packages
|
|
|
|
- run:
|
|
name: Check changes / verify commits
|
|
working_directory: ~/openwrt_packages
|
|
command: |
|
|
cat >> $BASH_ENV <<EOF
|
|
echo_red() { printf "\033[1;31m\$*\033[m\n"; }
|
|
echo_green() { printf "\033[1;32m\$*\033[m\n"; }
|
|
echo_blue() { printf "\033[1;34m\$*\033[m\n"; }
|
|
EOF
|
|
source $BASH_ENV
|
|
|
|
RET=0
|
|
for commit in $(git rev-list HEAD ^origin/$BRANCH); do
|
|
echo_blue "=== Checking commit '$commit'"
|
|
if git show --format='%P' -s $commit | grep -qF ' '; then
|
|
echo_red "Pull request should not include merge commits"
|
|
RET=1
|
|
fi
|
|
|
|
author="$(git show -s --format=%aN $commit)"
|
|
if echo $author | grep -q '\S\+\s\+\S\+'; then
|
|
echo_green "Author name ($author) seems ok"
|
|
else
|
|
echo_red "Author name ($author) need to be your real name 'firstname lastname'"
|
|
RET=1
|
|
fi
|
|
|
|
subject="$(git show -s --format=%s $commit)"
|
|
if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
|
|
echo_green "Commit subject line seems ok ($subject)"
|
|
else
|
|
echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
|
|
RET=1
|
|
fi
|
|
|
|
body="$(git show -s --format=%b $commit)"
|
|
sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
|
|
if echo "$body" | grep -qF "$sob"; then
|
|
echo_green "Signed-off-by match author"
|
|
else
|
|
echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
|
|
RET=1
|
|
fi
|
|
done
|
|
|
|
exit $RET
|
|
|
|
- run:
|
|
name: Download the SDK
|
|
working_directory: ~/sdk
|
|
command: |
|
|
curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
|
|
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
|
|
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
|
|
if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
|
|
echo_red "Missing sha256sums signature files"
|
|
exit 1
|
|
fi
|
|
[ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
|
|
if [ -f sha256sums.sig ]; then
|
|
VERIFIED=
|
|
for KEY in ~/usign/*; do
|
|
echo "Trying $KEY..."
|
|
if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
|
|
echo "...verified"
|
|
VERIFIED=1
|
|
break
|
|
fi
|
|
done
|
|
if [ -z "$VERIFIED" ]; then
|
|
echo_red "Could not verify usign signature"
|
|
exit 1
|
|
fi
|
|
fi
|
|
rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
|
|
sha256sum -c --ignore-missing sha256sums
|
|
|
|
- run:
|
|
name: Prepare build_dir
|
|
working_directory: ~/build_dir
|
|
command: |
|
|
tar Jxf ~/sdk/$SDK_FILE --strip=1
|
|
cat > feeds.conf <<EOF
|
|
src-git base https://github.com/openwrt/openwrt.git;$BRANCH
|
|
src-link packages $HOME/openwrt_packages
|
|
src-git luci https://github.com/openwrt/luci.git;$BRANCH
|
|
EOF
|
|
cat feeds.conf
|
|
./scripts/feeds update -a > /dev/null
|
|
make defconfig > /dev/null
|
|
# enable BUILD_LOG
|
|
sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
|
|
|
|
- run:
|
|
name: Install & download source, check package, compile
|
|
working_directory: ~/build_dir
|
|
command: |
|
|
set +o pipefail
|
|
PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
|
|
if [ -z "$PKGS" ] ; then
|
|
echo_blue "WARNING: No new or modified packages found!"
|
|
exit 0
|
|
fi
|
|
|
|
echo_blue "=== Found new/modified packages: $PKGS"
|
|
for PKG in $PKGS ; do
|
|
echo_blue "===+ Install: $PKG"
|
|
./scripts/feeds install "$PKG"
|
|
|
|
echo_blue "===+ Download: $PKG"
|
|
make "package/$PKG/download" V=s
|
|
|
|
echo_blue "===+ Check package: $PKG"
|
|
make "package/$PKG/check" V=s 2>&1 | tee logtmp
|
|
RET=${PIPESTATUS[0]}
|
|
|
|
if [ $RET -ne 0 ]; then
|
|
echo_red "=> Package check failed: $RET)"
|
|
exit $RET
|
|
fi
|
|
|
|
badhash_msg="HASH does not match "
|
|
badhash_msg+="|HASH uses deprecated hash,"
|
|
badhash_msg+="|HASH is missing,"
|
|
if grep -qE "$badhash_msg" logtmp; then
|
|
echo_red "=> Package HASH check failed"
|
|
exit 1
|
|
fi
|
|
echo_green "=> Package check OK"
|
|
done
|
|
|
|
for PKG in $PKGS ; do
|
|
echo_blue "===+ Building: $PKG"
|
|
make "package/$PKG/compile" -j3 V=s
|
|
done
|
|
|
|
- store_artifacts:
|
|
path: ~/build_dir/logs
|
|
|
|
- store_artifacts:
|
|
path: ~/build_dir/bin
|
|
|
|
workflows:
|
|
version: 2
|
|
buildpr:
|
|
jobs:
|
|
- build:
|
|
filters:
|
|
branches:
|
|
ignore: master
|