Scheduled Batch Updates #2066
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scheduled Batch Updates | |
| on: | |
| schedule: | |
| - cron: "0 */12 * * *" # Runs every 12 hours | |
| workflow_dispatch: # Allows manual triggering | |
| jobs: | |
| arch-task: | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: checkupdates | |
| cancel-in-progress: true | |
| container: | |
| image: archlinux:latest | |
| options: --privileged # Required for system-level changes like useradd, pacman | |
| env: | |
| AUR_MAINTAINER_NAME: envolution | |
| GIT_USERNAME: envolution | |
| GIT_EMAIL: involution@gmail.com | |
| ACTIONS_STEP_SUMMARY: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#step:${{ github.job }}:markdown-summary | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize pacman, Update System, and Configure Makepkg | |
| run: | | |
| set -e | |
| echo "::group::Initialize pacman, Update System, and Configure Makepkg" | |
| echo "Initializing pacman keyring..." | |
| mkdir -p /etc/pacman.d/gnupg | |
| pacman-key --init | |
| pacman-key --populate archlinux | |
| echo "Enabling multilib repository..." | |
| echo -e "\n[multilib]\nInclude = /etc/pacman.d/mirrorlist" >> /etc/pacman.conf | |
| echo "Updating system and installing core dependencies..." | |
| pacman -Sy --noconfirm --needed archlinux-keyring | |
| pacman -Syu --noconfirm | |
| echo "Installing necessary packages..." | |
| pacman -S --noconfirm --needed \ | |
| git base-devel pacman-contrib openssh github-cli jq expac \ | |
| ruby-rdoc ruby-pkg-config gnupg \ | |
| python python-pip \ | |
| pyalpm python-awesomeversion python-packaging python-lxml \ | |
| python-gobject python-requests libnotify nvchecker \ | |
| binutils multilib-devel python-aiohttp clang python-jq \ | |
| sudo | |
| echo "Configuring makepkg for parallel compilation..." | |
| # Check if MAKEFLAGS is already set and uncommented | |
| if grep -q -E '^#?\s*MAKEFLAGS=' /etc/makepkg.conf; then | |
| # If found (commented or uncommented), replace the line | |
| sed -i "s|^#*\s*MAKEFLAGS=.*|MAKEFLAGS=\"-j$(nproc)\"|g" /etc/makepkg.conf | |
| echo "Updated existing MAKEFLAGS in /etc/makepkg.conf." | |
| else | |
| # If not found, append it | |
| echo "MAKEFLAGS=\"-j$(nproc)\"" >> /etc/makepkg.conf | |
| echo "Appended MAKEFLAGS to /etc/makepkg.conf." | |
| fi | |
| echo "Current MAKEFLAGS setting in /etc/makepkg.conf:" | |
| grep --color=auto MAKEFLAGS /etc/makepkg.conf || echo "MAKEFLAGS not found after attempting to set." | |
| sed -i '/^BUILDENV=/ s/\bcheck\b/!check/' /etc/makepkg.conf | |
| grep --color=auto BUILDENV /etc/makepkg.conf || echo "BUILDENV not found after attempting to set." | |
| echo "::endgroup::" | |
| - name: Setup non-root user for AUR operations | |
| shell: bash | |
| run: | | |
| set -e | |
| echo "::group::Setup non-root user 'builder'" | |
| echo "Creating build user 'builder'..." | |
| useradd -m -s /bin/bash builder | |
| echo "builder ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/builder | |
| chmod 0440 /etc/sudoers.d/builder | |
| echo "Setting up directories for builder..." | |
| install -d -o builder -g builder -m 700 /home/builder/.gnupg | |
| install -d -o builder -g builder -m 755 /home/builder/.cache | |
| install -d -o builder -g builder -m 755 /home/builder/.local | |
| install -d -o builder -g builder -m 755 /home/builder/.local/share | |
| install -d -o builder -g builder -m 755 /home/builder/.cache/paru | |
| install -d -o builder -g builder -m 755 /home/builder/.local/share/paru | |
| echo "$GPG_PRIVATE_KEY" > private.key.asc | |
| sudo mv private.key.asc /home/builder/private.key.asc | |
| sudo chown builder:builder /home/builder/private.key.asc | |
| sudo -u builder env HOME=/home/builder gpg --batch --yes --import /home/builder/private.key.asc | |
| rm /home/builder/private.key.asc | |
| echo "Builder user setup complete." | |
| echo "::endgroup::" | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY}} | |
| - name: Export GPG signature if key is present | |
| if: env.GPG_PRIVATE_KEY != '' | |
| run: | | |
| echo "::group::Exporting GPG_SIGNATURE short key" | |
| SHORT_KEY=$(sudo -u builder env HOME=/home/builder \ | |
| gpg --with-colons --import-options show-only --import <<< "$GPG_PRIVATE_KEY" \ | |
| | awk -F: '/^fpr:/ { print $10; exit }') | |
| echo "GPG_SIGNATURE = $SHORT_KEY" | |
| echo "GPG_SIGNATURE=${SHORT_KEY}" >> "$GITHUB_ENV" | |
| echo "::endgroup::" | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| - name: Install paru (AUR helper) | |
| run: | | |
| set -e | |
| echo "::group::Install paru (AUR helper)" | |
| echo "Installing paru for 'builder' user..." | |
| cd /tmp | |
| sudo -u builder mkdir -p paru-bin && cd paru-bin | |
| sudo -u builder git clone --depth 1 --filter=blob:none --sparse --branch paru-bin https://github.com/archlinux/aur.git | |
| cd aur && sudo -u builder makepkg -si --noconfirm | |
| cd ../.. && rm -rf paru-bin | |
| echo "::endgroup::" | |
| - name: Setup SSH key for AUR | |
| run: | | |
| set -e | |
| echo "::group::Setup SSH key for AUR" | |
| echo "Setting up SSH key for AUR access..." | |
| SSH_DIR="/home/builder/.ssh" | |
| mkdir -p "${SSH_DIR}" | |
| echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > "${SSH_DIR}/aur" | |
| #ssh-keyscan aur.archlinux.org >> "${SSH_DIR}/known_hosts" | |
| echo 'aur.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKF9vAFWdgm9Bi8uc+tYRBmXASBb5cB5iZsB7LOWWFeBrLp3r14w0/9S2vozjgqY5sJLDPONWoTTaVTbhe3vwO8CBKZTEt1AcWxuXNlRnk9FliR1/eNB9uz/7y1R0+c1Md+P98AJJSJWKN12nqIDIhjl2S1vOUvm7FNY43fU2knIhEbHybhwWeg+0wxpKwcAd/JeL5i92Uv03MYftOToUijd1pqyVFdJvQFhqD4v3M157jxS5FTOBrccAEjT+zYmFyD8WvKUa9vUclRddNllmBJdy4NyLB8SvVZULUPrP3QOlmzemeKracTlVOUG1wsDbxknF1BwSCU7CmU6UFP90kpWIyz66bP0bl67QAvlIc52Yix7pKJPbw85+zykvnfl2mdROsaT8p8R9nwCdFsBc9IiD0NhPEHcyHRwB8fokXTajk2QnGhL+zP5KnkmXnyQYOCUYo3EKMXIlVOVbPDgRYYT/XqvBuzq5S9rrU70KoI/S5lDnFfx/+lPLdtcnnEPk=' \ | |
| >> "${SSH_DIR}/known_hosts" | |
| echo "Host aur.archlinux.org" >> "${SSH_DIR}/config" | |
| echo " IdentityFile ${SSH_DIR}/aur" >> "${SSH_DIR}/config" | |
| echo " User aur" >> "${SSH_DIR}/config" | |
| echo " StrictHostKeyChecking yes" >> "${SSH_DIR}/config" | |
| chown -R builder:builder "${SSH_DIR}" | |
| chmod 700 "${SSH_DIR}" | |
| chmod 600 "${SSH_DIR}/aur" | |
| chmod 600 "${SSH_DIR}/config" | |
| chmod 644 "${SSH_DIR}/known_hosts" | |
| echo "SSH key setup complete. Permissions:" | |
| ls -ldn "${SSH_DIR}" "${SSH_DIR}/aur" "${SSH_DIR}/config" "${SSH_DIR}/known_hosts" # Use -n to show numeric UID/GID | |
| echo "::endgroup::" | |
| - name: Configure Git for builder user | |
| run: | | |
| set -e | |
| echo "::group::Configure Git for builder user" | |
| echo "Configuring Git for 'builder' user..." | |
| sudo -u builder git config --global user.name "${{ env.GIT_USERNAME }}" | |
| sudo -u builder git config --global user.email "${{ env.GIT_EMAIL }}" | |
| sudo -u builder git config --global init.defaultBranch 'master' | |
| echo "Git configuration complete." | |
| echo "::endgroup::" | |
| - name: Run AUR Package Build and Update Task | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GIT_COMMIT_USER_NAME: envolution | |
| GIT_COMMIT_USER_EMAIL: involution@gmail.com | |
| PKGBUILD_ROOT: ${{ github.workspace }}/maintain | |
| SECRET_GHUK_VALUE: ${{ secrets.GHuK }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| GITHUB_RUNID: ${{ github.run_id }} | |
| ACTIONS_STEP_DEBUG: true | |
| run: | | |
| echo "::notice::Attempting to execute external script main_task_script.py" | |
| # Ensure the script is executable inside the container if permissions were lost | |
| mkdir -p task | |
| cp ${GITHUB_WORKSPACE}/scripts/main_task_script.py task/ | |
| chmod +x task/main_task_script.py | |
| python3 ./task/main_task_script.py | |
| - name: Upload build logs and artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts-${{ github.run_id }} | |
| path: ${{ github.workspace }}/artifacts/ | |
| retention-days: 7 |