Build Vaultwarden .deb packages #504
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Vaultwarden .deb packages | |
concurrency: ci-build | |
on: | |
- push | |
- workflow_dispatch | |
- workflow_call | |
jobs: | |
check-version: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.12 | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r requirements.txt | |
- name: Get latest versions | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
run: | | |
python generate-files.py | |
if grep -q VW_HAS_UPDATE=true ${GITHUB_ENV} ; then | |
echo "Upstream changes detected." | |
exit 1 | |
fi | |
build-debs: | |
runs-on: ubuntu-latest | |
needs: check-version | |
strategy: | |
matrix: | |
debian: ["buster", "bullseye", "bookworm"] | |
debian-arch: ["amd64"] | |
steps: | |
- name: Install dependencies | |
run: | | |
sudo apt-get -q update | |
sudo apt-get -qy install debhelper dpkg-sig | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.12 | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r requirements.txt | |
- name: Import GPG key | |
id: import_gpg | |
uses: gvtulder/ghaction-import-gpg@master | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: Get latest versions | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
run: | | |
python generate-files.py | |
- name: Download previous deb files | |
env: | |
AWS_S3_ENDPOINT: ${{ secrets.AWS_S3_ENDPOINT }} | |
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: auto | |
run: | | |
mkdir -p repo/dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }} | |
./sync-s3.sh s3://${{ secrets.AWS_S3_BUCKET }}/dists/${{ matrix.debian }} repo/dists/${{ matrix.debian }} | |
- name: Build vaultwarden .deb | |
env: | |
DEBIAN_TARGET_VERSION: ${{ matrix.debian }} | |
VW_SERVER_VERSION: ${{ env.VW_SERVER_VERSION }} | |
VW_WEB_VERSION: ${{ env.VW_WEB_VERSION }} | |
VW_SERVER_VERSION_DEB: ${{ env.VW_SERVER_VERSION_DEB }} | |
VW_WEB_VERSION_DEB: ${{ env.VW_WEB_VERSION_DEB }} | |
run: | | |
if [[ ! -f repo/dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }}/vaultwarden_${{ env.VW_SERVER_VERSION_DEB }}_${{ matrix.debian-arch }}.deb ]] ; then | |
cd vaultwarden/ | |
./build-in-docker.sh | |
dpkg-sig -k ${{ steps.import_gpg.outputs.keyid }} --sign builder vaultwarden_*.deb | |
mv vaultwarden_*.deb ../repo/dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }}/ | |
cd .. | |
fi | |
- name: Build vaultwarden-web-vault .deb | |
run: | | |
if [[ ! -f repo/dists/${{ matrix.DEBIAN }}/main/binary-${{ matrix.debian-arch }}/vaultwarden-web-vault_${{ env.VW_WEB_VERSION_DEB }}_all.deb ]] ; then | |
cd vaultwarden-web-vault/ | |
make deb | |
dpkg-sig -k ${{ steps.import_gpg.outputs.keyid }} --sign builder ../vaultwarden-web-vault_*.deb | |
mv ../vaultwarden-web-vault_*.deb ../repo/dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }}/ | |
cd .. | |
fi | |
- name: Export public key | |
run: | | |
gpg --export ${{ steps.import_gpg.outputs.keyid }} > repo/vaultwarden-deb-repo-keyring.gpg | |
gpg --armor --export ${{ steps.import_gpg.outputs.keyid }} > repo/vaultwarden-deb-repo-keyring.asc | |
- name: Create APT repository | |
run: | | |
cd repo/ | |
apt-ftparchive packages dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }} > dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }}/Packages | |
bzip2 -kf dists/${{ matrix.debian }}/main/binary-${{ matrix.debian-arch }}/Packages | |
apt-ftparchive -o APT::FTPArchive::AlwaysStat="true" \ | |
-o APT::FTPArchive::Release::Codename=${{ matrix.debian }} \ | |
-o APT::FTPArchive::Release::Architectures="${{ matrix.debian-arch }}" \ | |
-o APT::FTPArchive::Release::Components="main" \ | |
-o APT::FTPArchive::DoByHash=true \ | |
release dists/${{ matrix.debian }} > dists/${{ matrix.debian }}/Release | |
gpg --yes -abs -u ${{ steps.import_gpg.outputs.keyid }} \ | |
-o dists/${{ matrix.debian }}/Release.gpg \ | |
--digest-algo sha256 dists/${{ matrix.debian }}/Release | |
gpg --yes -abs -u ${{ steps.import_gpg.outputs.keyid }} \ | |
--clearsign -o dists/${{ matrix.debian }}/InRelease \ | |
--digest-algo sha256 dists/${{ matrix.debian }}/Release | |
cd .. | |
- name: Upload updated repo | |
env: | |
AWS_S3_ENDPOINT: ${{ secrets.AWS_S3_ENDPOINT }} | |
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: auto | |
run: | | |
./sync-s3.sh repo/ s3://${{ secrets.AWS_S3_BUCKET }}/ | |
- name: Archive .deb files, public keys, APT files | |
uses: actions/upload-artifact@v4 | |
with: | |
name: output-${{ matrix.debian }} | |
path: repo/ | |
build-repo: | |
runs-on: ubuntu-latest | |
needs: build-debs | |
steps: | |
- name: Install dependencies | |
run: | | |
sudo apt-get -q update | |
sudo apt-get -qy install debhelper dpkg-sig | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.9 | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r requirements.txt | |
- name: Import GPG key | |
id: import_gpg | |
uses: gvtulder/ghaction-import-gpg@master | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: Download all workflow run artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: repo-src/ | |
- name: Show all files | |
run: | | |
find | |
- name: Create combined repository | |
run: | | |
mkdir -p repo/dists | |
for release_dir in repo-src/output-*/dists ; do | |
cp -r $release_dir/* repo/dists | |
done | |
- name: Export public key | |
run: | | |
gpg --export ${{ steps.import_gpg.outputs.keyid }} > repo/vaultwarden-deb-repo-keyring.gpg | |
gpg --armor --export ${{ steps.import_gpg.outputs.keyid }} > repo/vaultwarden-deb-repo-keyring.asc | |
- name: Upload updated repo | |
env: | |
AWS_S3_ENDPOINT: ${{ secrets.AWS_S3_ENDPOINT }} | |
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: auto | |
run: | | |
./sync-s3.sh repo/dists/${{ matrix.debian }} s3://${{ secrets.AWS_S3_BUCKET }}/dists/${{ matrix.debian }} | |
- name: Archive repository files | |
uses: actions/upload-artifact@v4 | |
with: | |
name: combined-repository | |
path: repo/ | |
deploy: | |
runs-on: ubuntu-latest | |
needs: build-repo | |
steps: | |
- name: Deploy to Cloudflare | |
env: | |
CLOUDFLARE_DEPLOY_HOOK: ${{ secrets.CLOUDFLARE_DEPLOY_HOOK }} | |
run: | | |
curl -X POST "${CLOUDFLARE_DEPLOY_HOOK}" |