Keyrings update #41
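# Fetches the newest Ubuntu and Debian keyring .deb packages and stages them on
# the repository's 'data' branch under data/keyrings/.
name: "Download latest keyrings for Debian & Ubuntu"

on:
  workflow_dispatch:
  repository_dispatch:
    types: ["Keyrings update"]

# A run already in progress in this group is left to finish, not cancelled.
concurrency:
  group: redirector
  cancel-in-progress: false

jobs:
  generate-keyring-data:
    runs-on: ubuntu-24.04
    name: "Download Keyring Data"
    # Least privilege: the job only pushes to this repository and sends a
    # repository_dispatch event with GITHUB_TOKEN, both of which need
    # contents: write. Every other token scope is dropped.
    permissions:
      contents: write
    steps:
      # NOTE(review): the action is referenced by a mutable tag. Pinning it to
      # a full commit SHA (actions/checkout@<full-commit-sha>) stops a moved
      # tag from changing what runs with a write-capable token.
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          path: armbian.github.io

      - name: "Find and download latest keyrings"
        shell: bash
        run: |
          # Abort on command failure, unset variables and failed pipeline stages.
          set -euo pipefail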
#######################################
# Fetch a URL with curl: 60 s time limit, 3 retries on any error, redirects
# followed, HTTP errors treated as failures (-f).
# Usage:     retry_curl <url> [output]
# Arguments: $1 - URL to fetch
#            $2 - optional output path; when empty the body goes to stdout
# Returns:   curl's exit status
#######################################
retry_curl() {
  local url="$1"
  local out="${2:-}"
  local -a opts=(--max-time 60 --retry 3 --retry-all-errors --compressed -fL "$url")
  # Add the output file only when the caller passed one.
  if [[ -n "$out" ]]; then
    opts+=(-o "$out")
  fi
  curl "${opts[@]}"
}
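# Scratch directory for the downloads; mktemp avoids a predictable path.
workdir="$(mktemp -d)"
echo "Workdir: $workdir"

# --- Ubuntu: detect newest suite ---
# The value of the last "Dist:" line in meta-release is taken as the newest
# suite. `|| true` keeps set -e/pipefail from ending the script on a failed
# fetch or a missing "Dist:" line before the explicit error below can run.
NEWEST_SUITE="$(retry_curl "https://changelogs.ubuntu.com/meta-release" \
  | awk '/^Dist:/ { suite = $NF } END { print suite }' || true)"
if [[ -z "${NEWEST_SUITE:-}" ]]; then
  echo "ERROR: Unable to detect Ubuntu newest suite" >&2
  exit 1
fi
# The codename comes from a remote file and is later interpolated into a
# packages.ubuntu.com URL, so accept only a plain lowercase word.
if [[ ! "$NEWEST_SUITE" =~ ^[a-z]+$ ]]; then
  printf 'ERROR: Unexpected Ubuntu suite name: %q\n' "$NEWEST_SUITE" >&2
  exit 1
fi
echo "Newest Ubuntu suite: $NEWEST_SUITE"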
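# --- Ubuntu: collect possible keyring packages (ports is optional) ---
declare -a UB_PKGS=(ubuntu-keyring ubuntu-keyring-ports)
declare -A PKG_URLS=()   # pkg -> url
declare -A PKG_FILES=()  # pkg -> filename we downloaded

# The download links are scraped from HTML, so the pattern pins the host to
# archive.ubuntu.com or one of its subdomains and the path to
# pool/main/u/<dir>/<file>.deb. Quotes, angle brackets, whitespace and extra
# slashes cannot be part of a match, so text elsewhere in the page cannot
# widen the host.
# NOTE(review): plain-http links are still accepted and nothing later checks a
# signature or checksum on the downloaded package.
ub_deb_re='https?://([a-z0-9-]+\.)*archive\.ubuntu\.com/ubuntu/pool/main/u/[^/"<>\s]+/[^/"<>\s]+\.deb'

for p in "${UB_PKGS[@]}"; do
  UB_PAGE_URL="https://packages.ubuntu.com/${NEWEST_SUITE}/all/${p}/download"
  # Test the fetch itself (no `|| true`) so the "page missing" branch is
  # reachable; inside an `if` condition set -e does not abort the script.
  if ! page="$(retry_curl "$UB_PAGE_URL" 2>/dev/null)"; then
    echo "Ubuntu page missing for $p (may not exist), skipping."
    continue
  fi
  # Take the last matching link. The sed drops a leading host label of two
  # letters plus an optional digit (presumably a country-mirror prefix, so the
  # main archive host is used; confirm).
  url="$(printf '%s' "$page" \
    | grep -oP -- "$ub_deb_re" \
    | tail -n 1 \
    | sed -E 's#://[a-z][a-z][0-9]?\.#://#' || true)"
  if [[ -n "${url:-}" ]]; then
    PKG_URLS["$p"]="$url"
    echo "Ubuntu $p URL: ${PKG_URLS[$p]}"
  else
    echo "Ubuntu package not found on page for $p (may not exist in ${NEWEST_SUITE}), skipping."
  fi
done

# Ensure we found at least ubuntu-keyring
if [[ -z "${PKG_URLS[ubuntu-keyring]:-}" ]]; then
  echo "ERROR: ubuntu-keyring URL not found" >&2
  exit 1
fi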
# --- Debian keyrings (sid pages list the latest available versions) ---
declare -a DEB_PKGS=(debian-archive-keyring debian-ports-archive-keyring)
for p in "${DEB_PKGS[@]}"; do
  DEB_PAGE_URL="https://packages.debian.org/sid/all/${p}/download"
  # No `|| true` here: a failed page fetch ends the script under set -e.
  page="$(retry_curl "$DEB_PAGE_URL")"
  # First link whose host is exactly deb.debian.org or ftp.debian.org.
  # NOTE(review): the pattern accepts plain-http links as well as https, and
  # the package is not checked against a signature or checksum afterwards.
  url="$(grep -oP 'https?://(deb|ftp)\.debian\.org/debian/pool/main/d/[^/]+/[^"]+\.deb' <<<"$page" \
    | head -n 1 || true)"
  if [[ -z "${url:-}" ]]; then
    echo "ERROR: Unable to find ${p} package URL from $DEB_PAGE_URL" >&2
    exit 1
  fi
  PKG_URLS["$p"]="$url"
  echo "Debian $p URL: ${PKG_URLS[$p]}"
done
# --- Download all files to the temp workdir (track filenames per package) ---
# NOTE(review): the .deb files are kept exactly as fetched. Nothing in this
# script checks a checksum or signature, and the URL patterns used to find
# them accept http. These packages carry APT trust anchors, so consider
# verifying each file against the archive's signed metadata (InRelease ->
# Packages SHA256) before it is staged.
for p in "${!PKG_URLS[@]}"; do
  url="${PKG_URLS[$p]}"
  # Last path component of the URL becomes the local filename.
  f="${url##*/}"
  retry_curl "$url" "$workdir/$f"
  PKG_FILES["$p"]="$f"
  echo "Downloaded $p -> $f"
done
# --- Stage into repo folder armbian.github.io/data/keyrings ---
pushd armbian.github.io >/dev/null

# Ensure we're on the 'data' branch. The fetch runs only when 'data' does not
# resolve locally and is best-effort; `git checkout` is what fails the step.
git rev-parse --verify data >/dev/null 2>&1 || { git fetch origin data || true; }
git checkout data
mkdir -p data/keyrings

# Move files in (overwrite existing versions)
for f in "${PKG_FILES[@]}"; do
  mv -f "$workdir/$f" "data/keyrings/$f"
done
# --- Create/update per-variant symlinks using the just-downloaded filenames ---
#######################################
# Point data/keyrings/<linkname> at the file recorded for a package.
# Globals:   PKG_FILES (read) - pkg -> downloaded filename
# Arguments: $1 - package name (key into PKG_FILES)
#            $2 - symlink name to create under data/keyrings/
# Outputs:   one status line on stdout
#######################################
link_if_present() {
  local pkg="$1"
  local linkname="$2"
  local target="${PKG_FILES[$pkg]:-}"
  # Nothing was downloaded for this package in this run: leave links alone.
  if [[ -z "$target" ]]; then
    echo "No fresh download for ${pkg}; skipping ${linkname}"
    return
  fi
  # The target is a bare filename, so the link is relative to data/keyrings/;
  # -f replaces a link left by an earlier run.
  ln -sfn "$target" "data/keyrings/$linkname"
  echo "Linked ${linkname} -> ${target}"
}
# Ubuntu: main + ports (ports only if fetched), then Debian: archive + ports.
# Each link is named latest-<package>.deb.
for pkg in ubuntu-keyring ubuntu-keyring-ports debian-archive-keyring debian-ports-archive-keyring; do
  link_if_present "$pkg" "latest-${pkg}.deb"
done

popd >/dev/null
- name: Commit changes if any
  shell: bash
  run: |
    set -euo pipefail
    cd armbian.github.io
    git checkout data
    git config --global user.name "github-actions"
    # NOTE(review): the address below looks redacted by the page this listing
    # came from; confirm the real value in the repository.
    git config --global user.email "[email protected]"
    # Only the keyring directory is staged.
    git add data/keyrings/
    # `git diff --cached --quiet` exits 0 when the index matches HEAD.
    if git diff --cached --quiet; then
      echo "No changes to commit."
    else
      git commit -m "Update keyrings: downloaded and linked per-variant under data/keyrings/"
      git push
    fi
# Sends a repository_dispatch event of type "Bigin update" using the job's
# GITHUB_TOKEN.
# NOTE(review): the action is referenced by a mutable tag. Pinning it to a
# full commit SHA (peter-evans/repository-dispatch@<full-commit-sha>) keeps a
# moved tag from running different code with this token.
- name: "Run Bigin update action"
  uses: peter-evans/repository-dispatch@v4
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    event-type: "Bigin update"