feat: add GPG-signed Arch Linux package repository CI/CD pipeline#145
Open
lenucksi wants to merge 4 commits into
Open
feat: add GPG-signed Arch Linux package repository CI/CD pipeline#145lenucksi wants to merge 4 commits into
lenucksi wants to merge 4 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
feat: add GPG-signed Arch Linux package repository CI/CD pipeline
This PR adds three GitHub Actions workflows that build, GPG-sign, and deploy
Arch Linux SELinux packages to GitHub Pages as a fully signed pacman repository.
Result can be seen here: https://lenucksi.github.io/selinux/
Workflows
1.
hello-go.yml— PoC signed repository (229 lines)A minimal end-to-end signed repository workflow for a single
hello-gopackage.hello-go+hello-go-debugpackagesnightly-hello-worldprerelease with tarballTrigger:
pushtohello-go/**,workflow_dispatch, orworkflow_call2.
main-signed.yml— Full SELinux signed repository (397 lines)The main production workflow that builds all SELinux packages.
using
build_and_install_all.sh, with SRCDEST/actions/cache for VCS sourcereuse and
--holdverto avoid git refetch on repeated builds.pkg.tar.zstwith GPG on the host runnerrepo-add --include-sigsto create thepacman database, adds
.db/.filessymlinks for compat, uploads to artifact*.db.tar.zstand*.files.tar.zst,creates real copies of
.db.sig/.files.sig(GitHub Pages doesn't followsymlinks), publishes
nightlyprerelease with tarballinstalls the SELinux system, runs
restoreconandsestatusTrigger:
pushtomaster,workflow_dispatch,schedule(weekly),or
workflow_call3.
deploy-pages.yml— GitHub Pages deployment (191 lines)Triggered by
workflow_runonmain-signed.ymlsuccess (orworkflow_dispatch).nightly(main-signed) and optionallynightly-hello-worldreleasesgo-hello-world→hello-worldindex.htmlfor each repo directory with package listing tables.db.sigcopies (real files, not symlinks)upload-pages-artifactRequired Configuration
1. GitHub Pages
Enable GitHub Pages for the repository:
index.htmltemplates referencehttps://<owner>.github.io/<repo>/— update if using a different Pages setup
2. GPG Key
The signing key should be an Ed25519 key (small, fast, modern):
Add to repository secrets:
GPG_PRIVATE_KEY: the full ASCII-armored private keyGPG_PASSPHRASE: the key's passphraseThe public key is exported automatically during the workflow and placed
in each repo's
x86_64/public.ascfor user import viapacman-key --add.3. Workflow Permissions
Settings → Actions → General → Workflow permissions:
GITHUB_TOKENis sufficient — no additional tokens needed.Getting Started
GPG_PRIVATE_KEYandGPG_PASSPHRASEto repository secretsmasteror triggermain-signed.ymlviaworkflow_dispatchmain-signed.ymlcompletes,deploy-pages.ymlwill deploy to PagesThe
hello-go.ymlworkflow can be tested independently (triggers onhello-go/**pushes) — useful for verifying the GPG setup withoutbuilding all 60+ packages.
Key Decisions
gh release create nightlywith--prerelease+--cleanup-tag. Single tarball per release avoids artifactretention limits and makes external consumption possible.
gh releaseCLI: No third-party release actions.--repo ${{ github.repository }}used in jobs without git context(e.g.
workflow_run).SigLevel = Required: DB signing enforced via.db.sigfiles.Users must
pacman-key --lsign-keythe repo key. Stricter than Arch'sown
DatabaseOptionaldefault but viable for a controlled signing setup.content (the target path string), not the target file.
.db.sig/.files.sigare created as real file copies after GPG signing.
archlinux:base-develcontainers.GPG signing runs on the host runner where
gpghas access to$HOME/.gnupg.