Skip to content

GH org rename

GH org rename #222

name: Build Anon Packages
on:
push:
tags:
- 'v*'
- '*beta*'
branches:
- main
- development
pull_request:
branches:
- main
- development
env:
DEBIAN_FRONTEND: noninteractive
# tags (v*): live
# tags (*beta*): beta
# main: stage
# development: dev
# everything else (pull request, etc.): unstable-dev
PKG_ENV: ${{ github.ref_type == 'tag' && (contains(github.ref, 'beta') && 'beta' || 'live') || github.ref == 'refs/heads/main' && 'stage' || github.ref == 'refs/heads/development' && 'dev' || 'unstable-dev' }}
jobs:
#
# Debian Packages
#
build-deb-source:
runs-on: ubuntu-latest
container:
image: debian:bookworm
steps:
- name: Install Dependencies
run: |
apt-get -y update
apt-get -y dist-upgrade
apt-get -y install sudo git build-essential devscripts gpg
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Setup
run: |
apt-get -y install $(cat debian/.debian-ci/build_source/build-depends)
git config --global --add safe.directory $(realpath .)
- name: Build Source
run: |
$(pwd)/debian/.debian-ci/build_source/build-script
- name: Sign Source Package
run: |
echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg
gpg --allow-secret-key-import --import debian-private.gpg
debsign -k ${{ secrets.DEBIAN_FINGERPRINT }} source-packages/anon_*.changes
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-source-packages
path: source-packages/
build-deb-package:
runs-on: ${{ matrix.build.runner }}
needs: build-deb-source
container:
image: ${{ matrix.build.os }}:${{ matrix.build.suite }}
strategy:
fail-fast: false
matrix:
build:
# Debian Bookworm
- os: debian
suite: bookworm
arch: amd64
runner: ubuntu-latest
- os: debian
suite: bookworm
arch: arm64
runner: arm64
# Debian Bullseye
- os: debian
suite: bullseye
arch: amd64
runner: ubuntu-latest
- os: debian
suite: bullseye
arch: arm64
runner: arm64
# Ubuntu Noble
- os: ubuntu
suite: noble
arch: amd64
runner: ubuntu-latest
- os: ubuntu
suite: noble
arch: arm64
runner: arm64
# Ubuntu Lunar
- os: ubuntu
suite: lunar
arch: amd64
runner: ubuntu-latest
- os: ubuntu
suite: lunar
arch: arm64
runner: arm64
# Ubuntu Jammy
- os: ubuntu
suite: jammy
arch: amd64
runner: ubuntu-latest
- os: ubuntu
suite: jammy
arch: arm64
runner: arm64
# Ubuntu Focal
- os: ubuntu
suite: focal
arch: amd64
runner: ubuntu-latest
- os: ubuntu
suite: focal
arch: arm64
runner: arm64
steps:
- name: Install Dependencies
run: |
apt-get -y update
apt-get -y dist-upgrade
apt-get -y install build-essential devscripts gpg reprepro fakeroot
- name: Download Artifact
uses: actions/download-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-source-packages
path: source-packages/
- name: Build Package
run: |
set -x
find source-packages
upstream_version="$(head -n1 source-packages/version.txt)"
if [ -z "$upstream_version" ]; then echo >&2 "Did not get package version from artifact."; exit 1; fi
echo $upstream_version
srcchanges="$(ls -1 source-packages/anon_"$upstream_version"*${{ matrix.build.suite }}+*_src.changes)"
echo "srcchanges: $srcchanges"
if [ "$(echo "$srcchanges" | wc -l)" != 1 ] || [ -z "$srcchanges" ] ; then echo >&2 "Weird number of changes files found."; exit 1; fi
case "${{ matrix.build.arch }}" in
amd64) build_selector="-b";;
*) build_selector="-B";;
esac
echo "source changes file:"
cat "$srcchanges"
dsc="$(dcmd --dsc "$srcchanges")"
echo "dsc file is ${dsc}"
cat "$dsc"
mkdir build-tree
cd build-tree
dpkg-source -x ../${dsc}
cd anon-${upstream_version}
apt-get -y build-dep .
debuild -rfakeroot -uc -us -j4 "$build_selector"
cd ..
binchanges="$(ls -1 *.changes)"
if [ "$(echo "$binchanges" | wc -l)" != 1 ] || [ -z "$binchanges" ] ; then echo >&2 "Weird number of changes files produced."; exit 1; fi
cd ..
mkdir RESULT
dcmd ln -v "build-tree/${binchanges}" RESULT
mv -v --no-target-directory RESULT binary-packages/
- name: Sign Binary Package
run: |
echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg
gpg --allow-secret-key-import --import debian-private.gpg
debsign -k ${{ secrets.DEBIAN_FINGERPRINT }} binary-packages/anon_*.changes
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-${{ matrix.build.os }}-${{ matrix.build.suite }}-${{ matrix.build.arch }}
path: binary-packages/
#
# Linux Build
#
build-linux-binary:
runs-on: ${{ matrix.build.runner }}
container:
image: debian:bookworm
env:
OPENSSL_VERSION: "1.1.1w"
strategy:
fail-fast: false
matrix:
build:
# Linux amd64
- runner: ubuntu-latest
arch: amd64
libarch: x86_64
# Linux arm64
- runner: arm64
arch: arm64
libarch: aarch64
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
path: ator-protocol
fetch-depth: 1
- name: Install dependencies
run: |
apt-get update && \
apt_build_deps="libssl-dev zlib1g-dev libevent-dev ca-certificates dh-apparmor libseccomp-dev debhelper" && \
apt_runtime_deps="iputils-ping curl pwgen" && \
apt_temps="build-essential automake git wget" && \
apt-get -y --no-install-recommends install $apt_build_deps $apt_runtime_deps $apt_temps
- name: Build anon
run: |
cd ator-protocol
./scripts/ci/update-env.sh ${{ env.PKG_ENV }}
./autogen.sh
./configure \
--disable-asciidoc \
--disable-zstd \
--disable-lzma \
--enable-static-zlib \
--enable-static-libevent \
--enable-static-openssl \
--enable-static-tor \
--with-libevent-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \
--with-openssl-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \
--with-zlib-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \
--disable-tool-name-check \
--disable-gcc-hardening
make
- name: Copy executables to artifact directory
run: |
mkdir -p package
cp ator-protocol/src/app/anon package
cp ator-protocol/src/tools/anon-gencert package
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-linux-${{ matrix.build.arch }}
path: package/
#
# MacOS Build
#
build-macos-binary:
runs-on: ${{ matrix.build.runner }}
strategy:
fail-fast: false
matrix:
build:
# MacOS Intel
- runner: macos-13
arch: amd64
# MacOS Apple Silicon
- runner: macos-14
arch: arm64
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
path: ator-protocol
fetch-depth: 1
- name: Set variables
run: |
echo "ANON_BREW_PREFIX=$(brew --prefix)" >> $GITHUB_ENV
- name: Install dependencies
run: |
brew install gsed automake docbook docbook-xsl zlib libevent openssl@3
- name: Build anon
run: |
cd ator-protocol
./scripts/ci/update-env.sh ${{ env.PKG_ENV }}
./autogen.sh
./configure --prefix=/usr/local \
--disable-asciidoc \
--disable-zstd \
--disable-lzma \
--with-zlib-dir=${{ env.ANON_BREW_PREFIX }}/opt/zlib \
--with-libevent-dir=${{ env.ANON_BREW_PREFIX }}/opt/libevent \
--with-openssl-dir=${{ env.ANON_BREW_PREFIX }}/opt/openssl@3 \
--enable-static-zlib \
--enable-static-libevent \
--enable-static-openssl \
--disable-tool-name-check \
--disable-gcc-hardening
make
- name: Copy executables to artifact directory
run: |
mkdir -p package
cp ator-protocol/src/app/anon package
cp ator-protocol/src/tools/anon-gencert package
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-macos-${{ matrix.build.arch }}
path: package/
#
# Windows Build
#
build-windows-64-binary:
runs-on: ubuntu-latest
container:
image: ubuntu:latest
env:
OPENSSL_VERSION: "1.1.1w"
LIBEVENT_VERSION: "2.1.12-stable"
ZLIB_VERSION: "1.3.1"
BUILD_TYPE: "64"
CROSS_HOST: "x86_64-w64-mingw32"
MINGW: "mingw64"
MINGW_DEB: "gcc-mingw-w64-x86-64"
steps:
- name: Set variables
run: |
echo "ANON_JOBS=$((`nproc`+1))"
- name: Checkout Repository
uses: actions/checkout@v4
with:
path: ator-protocol
fetch-depth: 1
- name: Install dependencies
run: |
apt-get update -qq
apt-get upgrade -qy
apt-get install -qy autoconf automake libtool make wget git
apt-get install -qy ${MINGW_DEB}
- name: Build openssl
run: |
wget --quiet https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
tar zxf openssl-${OPENSSL_VERSION}.tar.gz
rm openssl-${OPENSSL_VERSION}.tar.gz
cd openssl-${OPENSSL_VERSION}
./Configure ${MINGW} shared --cross-compile-prefix=${CROSS_HOST}- --prefix="/build/openssl-${BUILD_TYPE}-prefix/"
make -j${{ env.ANON_JOBS }}
make install
cd ..
rm -rf openssl-${OPENSSL_VERSION}
- name: Build libevent
run: |
wget --quiet https://github.com/libevent/libevent/releases/download/release-${LIBEVENT_VERSION}/libevent-${LIBEVENT_VERSION}.tar.gz
tar zxf libevent-${LIBEVENT_VERSION}.tar.gz
rm libevent-${LIBEVENT_VERSION}.tar.gz
cd libevent-${LIBEVENT_VERSION}
./configure --host=${CROSS_HOST} --disable-openssl --disable-shared --disable-samples --disable-libevent-regress --enable-static --prefix="/build/libevent-${BUILD_TYPE}-prefix/"
make -j${{ env.ANON_JOBS }}
make install
cd ..
rm -rf libevent-${LIBEVENT_VERSION}
- name: Build zlib
run: |
wget --quiet https://www.zlib.net/fossils/zlib-${ZLIB_VERSION}.tar.gz
tar zxf zlib-${ZLIB_VERSION}.tar.gz
rm zlib-${ZLIB_VERSION}.tar.gz
cd zlib-${ZLIB_VERSION}
CHOST=${CROSS_HOST} ./configure --static --prefix="/build/zlib-${BUILD_TYPE}-prefix/"
make -j${{ env.ANON_JOBS }}
make install
cd ..
rm -rf zlib-${ZLIB_VERSION}
- name: Build anon
run: |
cd ator-protocol
./scripts/ci/update-env.sh ${{ env.PKG_ENV }}
./autogen.sh
./configure --host=${CROSS_HOST} \
--disable-asciidoc \
--disable-zstd \
--disable-lzma \
--enable-static-libevent --with-libevent-dir="/build/libevent-${BUILD_TYPE}-prefix/" \
--enable-static-openssl --with-openssl-dir="/build/openssl-${BUILD_TYPE}-prefix/" \
--enable-static-zlib --with-zlib-dir="/build/zlib-${BUILD_TYPE}-prefix/" \
--disable-tool-name-check \
--disable-gcc-hardening \
--enable-static-tor \
--prefix="/build/anon-prefix"
make -j${{ env.ANON_JOBS }}
make install
- name: Copy executables to artifact directory
run: |
mkdir -p package
cp ator-protocol/src/app/anon.exe package
cp ator-protocol/src/tools/anon-gencert.exe package
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-windows-amd64
path: package/
sign-windows-64-binary:
runs-on: windows-latest
needs: build-windows-64-binary
steps:
- name: Download raw artifacts
uses: actions/download-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-windows-amd64
path: build/
- name: Sign
run: |
dotnet tool install --global AzureSignTool
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon.exe"
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon-gencert.exe"
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: anon-${{ env.PKG_ENV }}-windows-signed-amd64
path: build/
#
# Release
#
release-deb:
runs-on: ubuntu-latest
needs: build-deb-package
container:
image: debian:bookworm
steps:
- name: Install Dependencies
run: |
apt-get -y update
apt-get -y dist-upgrade
apt-get -y install devscripts zip gpg dput openssh-client
- name: Download raw artifacts
uses: actions/download-artifact@v4
with:
path: raw-artifacts/
- name: Distribute signed .deb packages
run: |
mkdir -p /root/.ssh
ssh-keyscan ${{ secrets.DEBIAN_HOST }} > /root/.ssh/known_hosts
echo "${{ secrets.DEBIAN_ID_RSA }}" | base64 -d > /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa
echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg
gpg --allow-secret-key-import --import debian-private.gpg
cat << EOF > ~/.dput.cf
[anon]
fqdn = ${{ secrets.DEBIAN_HOST }}
incoming = /data/debian/incoming
method = scp
login = reprepro
allow_unsigned_uploads = 0
post_upload_command = ssh %(login)s@%(fqdn)s reprepro processincoming incoming
EOF
echo "Uploading packages"
dput anon raw-artifacts/anon-*/anon_*.changes
echo "Processing incoming packages"
ssh reprepro@${{ secrets.DEBIAN_HOST }} "reprepro processincoming incoming || exit 1"
release-github:
runs-on: ubuntu-latest
needs: [build-deb-package, build-macos-binary, sign-windows-64-binary]
if: ${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'beta') }}
steps:
- name: Download raw artifacts
uses: actions/download-artifact@v4
with:
path: raw-artifacts/
- name: Copy release artifacts
run: |
mkdir -p release-artifacts/
cp raw-artifacts/anon-*/anon_*.deb release-artifacts/
chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/*
chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/*
chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/*
chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/*
zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/*
zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/*
zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/*
zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/*
zip -j release-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64/*
ls -la -R release-artifacts/
- name: Checkout Repository
uses: actions/checkout@v4
with:
path: ator-protocol
fetch-depth: 1
- name: Publish release artifacts
uses: ncipollo/release-action@v1
with:
artifacts: "release-artifacts/anon*"
bodyFile: "ator-protocol/doc/RELEASE.md"