feat: Add terra-gpg-keys to bootstrap

2026-05-31 09:01:55 +00:00 · 2026-03-01 12:59:01 -06:00
1 changed files with 51 additions and 7 deletions
@@ -1,6 +1,6 @@
 name: Bootstrap Andaman and Subatomic
 permissions:
-  contents: read
+  contents: write
 on:
  workflow_dispatch:

@@ -19,22 +19,46 @@ jobs:
      - name: Install repositories
        run: |
          dnf5 swap -y --setopt=install_weak_deps=False systemd-standalone-sysusers systemd
-          dnf5 install -y --setopt=install_weak_deps=False curl wget git-core openssl-devel cargo podman fuse-overlayfs dnf5-plugins rpmbuild script
+          dnf5 install -y --repo=rawhide --setopt=install_weak_deps=False curl wget git-core openssl-devel cargo podman fuse-overlayfs dnf5-plugins rpmbuild script

      - uses: actions/checkout@v6
        with:
          ref: f${{ matrix.version }}
          fetch-depth: 1
+          ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
+
+      - name: Fetch new keys
+        run: |
+          export releasever="${{ matrix.version }}"
+
+          [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever ] && curl -s https://repos.fyralabs.com/terra$releasever/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever
+          [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source ] && curl -s https://repos.fyralabs.com/terra$releasever-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source
+          if [[ $releasever != el* ]]; then
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras ] && curl -s https://repos.fyralabs.com/terra$releasever-extras/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source ] && curl -s https://repos.fyralabs.com/terra$releasever-extras-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia
+            [ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source
+          fi
+     - name: Build terra-gpg-keys
+        run: |
+          mkdir -p anda-build/rpm/rpms
+          rpmbuild -bb anda/terra/gpg-keys/pkg/*.spec --undefine=_disable_source_fetch -D "vendor Terra" -D "_sourcedir $(pwd)/anda/terra/gpg-keys/" -D "_rpmdir $(pwd)/anda-build/rpm/rpms/"
+          mv ./anda-build/rpm/rpms/*/anda-*.rpm ./anda-build/rpm/rpms/
+      - name: Install terra-gpg-keys
+        run: dnf5 install -y anda-build/rpm/rpms/terra-gpg-keys*.rpm

      - name: Build anda-srpm-macros
        run: |
-          mkdir -p anda-build/rpm/rpms
-          rpmbuild -bb anda/terra/srpm-macros/*.spec --undefine=_disable_source_fetch -D "_sourcedir $(pwd)/anda/terra/srpm-macros/" -D "_rpmdir $(pwd)/anda-build/rpm/rpms/"
+          rpmbuild -bb anda/terra/srpm-macros/*.spec --undefine=_disable_source_fetch -D "vendor Terra" -D "_sourcedir $(pwd)/anda/terra/srpm-macros/" -D "_rpmdir $(pwd)/anda-build/rpm/rpms/"
          mv ./anda-build/rpm/rpms/*/anda-*.rpm ./anda-build/rpm/rpms/
          dnf5 install -y ./anda-build/rpm/rpms/anda-*.rpm

      - name: Install build dependencies
-        run: dnf5 builddep -y anda/terra/{mock-configs,srpm-macros}/*.spec anda/tools/buildsys/{anda,subatomic}/*.spec
+        run: dnf5 builddep -y anda/terra/{mock-configs,srpm-macros}/*.spec anda/tools/buildsys/{anda,subatomic}/*.spec anda/terra/appstream-helper/*.spec

      - name: Install Anda
        run: |
@@ -55,7 +79,7 @@ jobs:
        run: anda build -D "vendor Terra" -rrpmbuild anda/terra/release/pkg

      - name: Build terra-appstream-helper
-        run: anda build -D "vendor Terra" -D "__python %{__python3}" -rrpmbuild anda/terra/appstream-helper/pkg
+        run: anda build -D "vendor Terra" -rrpmbuild anda/terra/appstream-helper/pkg

      - name: Build Subatomic
        run: anda build -D "vendor Terra" -rrpmbuild anda/tools/buildsys/subatomic/pkg
@@ -63,7 +87,27 @@ jobs:
        run: dnf5 install -y ./anda-build/rpm/rpms/subatomic-*.rpm

      - name: Tidy up output directory
-        run: rmdir anda-build/rpm/rpms/{noarch,aarch64,x86_64} | true
+        run: |
+          rmdir anda-build/rpm/rpms/{noarch,aarch64,x86_64} | true
+          rm anda-build/rpm/rpms/terra-gpg-keys* | true
+
+      - name: Update terra-gpg-keys
+        run: anda update --filters keys=1 --labels branch=${{ matrix.version }}
+
+      - name: Commit terra-gpg-keys update
+        run: |
+          mkdir -p ${{ runner.temp }}
+          echo "${{ secrets.SSH_SIGNING_KEY }}" > ${{ runner.temp }}/signing_key
+          chmod 0700 ${{ runner.temp }}/signing_key
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git config user.name "Raboneko"
+          git config user.email "raboneko@fyralabs.com"
+          git config gpg.format "ssh"
+          git config user.signingkey "${{ runner.temp }}/signing_key"
+          msg="bump(bootstrap): terra-gpg-keys"
+          git commit -S -a -m "$msg"
+          git add anda/terra/gpg-keys
+          git push -u origin

      - name: Upload packages to subatomic
        run: |