From 5b75dc53a1eecfdd429c0769daa9aaaa634d0f1e Mon Sep 17 00:00:00 2001 From: "Victor M. Varela" Date: Sat, 14 Mar 2026 20:55:07 +0100 Subject: [PATCH 1/3] feat(packaging): add .deb package generation via nfpm (#38) Add Debian/Ubuntu package support using nfpm: - packaging/nfpm.yaml: declarative nfpm config (binary, man page, license) - release.yml: new package-deb job with matrix for amd64/arm64/armhf/386 - README.md: add .deb installation instructions, remove duplicate section --- .github/workflows/release.yml | 66 +++++++++++++++++++++++++++++++++++ README.md | 11 +++--- packaging/nfpm.yaml | 38 ++++++++++++++++++++ 3 files changed, 108 insertions(+), 7 deletions(-) create mode 100644 packaging/nfpm.yaml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fc792e8..dcb3051 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -313,3 +313,69 @@ jobs: commit_email: vmvarela@gmail.com ssh_private_key: ${{ secrets.AUR_SSH_KEY }} commit_message: "Update to ${{ github.ref_name }}" + + # ── Build and upload .deb packages ───────────────────────────────── + # Generates Debian packages for amd64, arm64, armhf and 386 using nfpm. + # Each arch is independent — one failing arch does not block the others. + package-deb: + name: Package DEB (${{ matrix.goarch }}) + needs: release + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - goarch: amd64 + asset: sql-pipe-x86_64-linux + - goarch: arm64 + asset: sql-pipe-aarch64-linux + - goarch: armhf + asset: sql-pipe-armv7-linux + - goarch: "386" + asset: sql-pipe-x86-linux + + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + + - name: Download all artifacts + uses: actions/download-artifact@v8 + with: + path: artifacts/ + merge-multiple: true + + - name: Install nfpm + run: | + curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh \ + | sh -s -- -b /usr/local/bin + + - name: Stage files for packaging + run: | + mkdir -p pkg-work + cp artifacts/${{ matrix.asset }} pkg-work/sql-pipe + cp artifacts/sql-pipe.1.gz pkg-work/sql-pipe.1.gz + cp LICENSE pkg-work/LICENSE + + - name: Build .deb + working-directory: pkg-work + env: + VERSION: ${{ github.ref_name }} + GOARCH: ${{ matrix.goarch }} + run: | + VERSION="${VERSION#v}" + mkdir -p dist + VERSION="$VERSION" GOARCH="$GOARCH" \ + nfpm package -p deb \ + -f "$GITHUB_WORKSPACE/packaging/nfpm.yaml" \ + -t dist/ + + - name: Upload .deb to GitHub Release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + working-directory: pkg-work + run: | + gh release upload "${{ github.ref_name }}" dist/*.deb \ + --repo "${{ github.repository }}" \ + --clobber diff --git a/README.md b/README.md index b1e623a..164693a 100644 --- a/README.md +++ b/README.md @@ -35,17 +35,14 @@ By default it installs to `/usr/local/bin`. Override with `INSTALL_DIR`: curl -sSL https://raw.githubusercontent.com/vmvarela/sql-pipe/master/install.sh | INSTALL_DIR="$HOME/.local/bin" sh ``` -**Shell installer (Linux/macOS):** +**Debian / Ubuntu (.deb package):** ```sh -curl -sSL https://raw.githubusercontent.com/vmvarela/sql-pipe/master/install.sh | sh +wget https://github.com/vmvarela/sql-pipe/releases/latest/download/sql-pipe_VERSION_amd64.deb +sudo dpkg -i sql-pipe_VERSION_amd64.deb ``` -By default it installs to `/usr/local/bin`. Override with `INSTALL_DIR`: - -```sh -curl -sSL https://raw.githubusercontent.com/vmvarela/sql-pipe/master/install.sh | INSTALL_DIR="$HOME/.local/bin" sh -``` +Replace `VERSION` with the release version (e.g. `0.2.0`) and `amd64` with your architecture (`arm64`, `armhf`, or `386`). **Arch Linux (AUR):** install with your preferred AUR helper: diff --git a/packaging/nfpm.yaml b/packaging/nfpm.yaml new file mode 100644 index 0000000..58207fd --- /dev/null +++ b/packaging/nfpm.yaml @@ -0,0 +1,38 @@ +# nfpm package configuration for sql-pipe +# Used by the CI release workflow to generate .deb (and .rpm) packages. +# +# Variables injected by the CI environment before invoking nfpm: +# VERSION — semver without leading "v" (e.g. "0.2.0") +# GOARCH — nfpm architecture token: +# amd64 → x86_64 binaries +# arm64 → aarch64 binaries +# armhf → armv7 binaries +# 386 → x86 binaries +# +# Invocation (from the CI working directory that contains the staged files): +# VERSION=0.2.0 GOARCH=amd64 nfpm package -p deb -f packaging/nfpm.yaml -t dist/ + +name: sql-pipe +arch: "${GOARCH}" +version: "${VERSION}" +maintainer: vmvarela +description: Read CSV from stdin, query with SQL, write CSV to stdout +homepage: https://github.com/vmvarela/sql-pipe +license: MIT + +contents: + # Binary — installed into /usr/bin and made executable + - src: ./sql-pipe + dst: /usr/bin/sql-pipe + file_info: + mode: 0755 + + # Man page — Debian convention: gzipped under /usr/share/man/man1/ + - src: ./sql-pipe.1.gz + dst: /usr/share/man/man1/sql-pipe.1.gz + packager: deb + + # License — Debian policy requires the copyright file under /usr/share/doc// + - src: ./LICENSE + dst: /usr/share/doc/sql-pipe/copyright + packager: deb From e2db5621874da1432421d15684f57cd104354f43 Mon Sep 17 00:00:00 2001 From: "Victor M. Varela" Date: Sat, 14 Mar 2026 21:27:35 +0100 Subject: [PATCH 2/3] fix(packaging): fix nfpm install, chmod and armhf arch token - Replace deprecated install.goreleaser.com URL with direct binary download from GitHub Releases (nfpm v2.45.1, pinned version) - Add chmod +x on staged binary to ensure execute bit is set - Fix armhf -> arm7 arch token (nfpm input, maps to armhf output for deb) --- .github/workflows/release.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dcb3051..fae3715 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -315,7 +315,7 @@ jobs: commit_message: "Update to ${{ github.ref_name }}" # ── Build and upload .deb packages ───────────────────────────────── - # Generates Debian packages for amd64, arm64, armhf and 386 using nfpm. + # Generates Debian packages for amd64, arm64, arm7 and 386 using nfpm. # Each arch is independent — one failing arch does not block the others. package-deb: name: Package DEB (${{ matrix.goarch }}) @@ -329,7 +329,7 @@ jobs: asset: sql-pipe-x86_64-linux - goarch: arm64 asset: sql-pipe-aarch64-linux - - goarch: armhf + - goarch: arm7 asset: sql-pipe-armv7-linux - goarch: "386" asset: sql-pipe-x86-linux @@ -348,13 +348,16 @@ jobs: - name: Install nfpm run: | - curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh \ - | sh -s -- -b /usr/local/bin + NFPM_VERSION=2.45.1 + curl -sfL -o /tmp/nfpm.tar.gz \ + "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_linux_amd64.tar.gz" + tar -xzf /tmp/nfpm.tar.gz -C /usr/local/bin nfpm - name: Stage files for packaging run: | mkdir -p pkg-work cp artifacts/${{ matrix.asset }} pkg-work/sql-pipe + chmod +x pkg-work/sql-pipe cp artifacts/sql-pipe.1.gz pkg-work/sql-pipe.1.gz cp LICENSE pkg-work/LICENSE From 85f8e627239ab37b5fca0669a9824a8734b3f810 Mon Sep 17 00:00:00 2001 From: "Victor M. Varela" Date: Sat, 14 Mar 2026 21:33:40 +0100 Subject: [PATCH 3/3] fix(release): generate sha256sums.txt after all assets are uploaded Move SHA256 checksum generation to a dedicated 'checksums' job that runs after both 'release' and 'package-deb', so sha256sums.txt covers binaries, man page and .deb packages consistently. --- .github/workflows/release.yml | 39 +++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fae3715..fc1e68a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -129,10 +129,6 @@ jobs: path: artifacts/ merge-multiple: true - - name: Generate SHA256 checksums - working-directory: artifacts - run: sha256sum * | tee sha256sums.txt - - name: Create or update GitHub Release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -382,3 +378,38 @@ jobs: gh release upload "${{ github.ref_name }}" dist/*.deb \ --repo "${{ github.repository }}" \ --clobber + + # ── Generate final SHA256 checksums ──────────────────────────────── + # Runs after both release and package-deb so sha256sums.txt covers + # all assets: binaries, man page AND .deb packages. + checksums: + name: Generate SHA256 checksums + needs: [release, package-deb] + if: ${{ always() && needs.release.result == 'success' }} + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - name: Download all release assets + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + mkdir -p assets + gh release download "${{ github.ref_name }}" \ + --repo "${{ github.repository }}" \ + --dir assets + + - name: Generate SHA256 checksums + working-directory: assets + run: | + # Exclude any pre-existing sha256sums.txt to avoid self-referencing + sha256sum $(ls | grep -v sha256sums.txt) | tee sha256sums.txt + + - name: Upload sha256sums.txt to GitHub Release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release upload "${{ github.ref_name }}" assets/sha256sums.txt \ + --repo "${{ github.repository }}" \ + --clobber