
pkg: arch: Move to script based workflow

Dorian Stoll 1 рік тому
батько
коміт
854c619a8f

+ 77 - 0
.github/scripts/package/arch.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [ -z "${1:-}" ]; then
+    $0 setup-builddeps
+    $0 setup-secureboot
+    $0 build-packages
+    $0 sign-packages
+    exit
+fi
+
+pacman()
+{
+    command pacman --noconfirm "$@"
+}
+
+case "${1:-}" in
+setup-builddeps)
+    # Update the container
+    pacman -Syu
+
+    # Install makepkg deps
+    pacman -S sudo binutils fakeroot base-devel git
+
+    # Install tools for singing the kernel for secureboot
+    pacman -S sbsigntools
+    ;;
+setup-secureboot)
+    if [ -z "${SB_KEY:-}" ]; then
+        echo "WARNING: No secureboot key configured, skipping signing."
+        exit
+    fi
+
+    # Install the surface secureboot certificate
+    echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
+    cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
+    ;;
+build-packages)
+    pushd pkg/arch/kernel || exit 1
+
+    # Fix permissions (can't makepkg as root)
+    echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+    chown -R nobody .
+
+    # Package compression settings (Matches latest Arch)
+    export PKGEXT='.pkg.tar.zst'
+    export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+    export MAKEFLAGS="-j2"
+
+    # Build
+    su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
+
+    # Prepare release
+    mkdir release
+    find . -name '*.pkg.tar.zst' -type f -exec mv {} release \;
+
+    popd || exit 1
+    ;;
+sign-packages)
+    if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
+        echo "WARNING: No GPG key configured, skipping signing."
+        exit
+    fi
+
+    pushd pkg/arch/kernel/release || exit 1
+
+    # import GPG key
+    echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
+
+    # sign packages
+    find . -name '*.pkg.tar.zst' -type f -exec \
+        gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {} \;
+
+    popd || exit 1
+    ;;
+esac
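Review bot: With `set -euxo pipefail` at the top, xtrace writes every expansion of `SB_KEY` and `GPG_KEY` to the job log, in the `[ -z "${SB_KEY:-}" ]` style guards as well as the `echo … | base64 -d` lines of `setup-secureboot` and `sign-packages`. Confidentiality of both private keys then rests solely on the runner's log masking. I would drop `-x` from the global `set`, or open each of those two arms with `{ set +x; } 2>/dev/null` before the first reference to the secret. The key file is also created with the default umask; `( umask 077; base64 -d <<< "${SB_KEY}" > pkg/arch/kernel/MOK.key )` keeps it owner-only until the later `chown`. The same tracing problem applies to `SURFACEBOT_TOKEN` in `.github/scripts/repository/arch.sh`, in its emptiness check, the `REPO=` assignment and `git clone`.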

+ 66 - 0
.github/scripts/repository/arch.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+pacman()
+{
+    command pacman --noconfirm "$@"
+}
+
+if [ -z "${GIT_REF:-}" ]; then
+	echo "GIT_REF is unset!"
+	exit 1
+fi
+
+if [ -z "${GITHUB_REPOSITORY:-}" ]; then
+	echo "GITHUB_REPOSITORY is unset!"
+	exit 1
+fi
+
+if [ -z "${SURFACEBOT_TOKEN:-}" ]; then
+	echo "SURFACEBOT_TOKEN is unset!"
+	exit 1
+fi
+
+if [ -z "${BRANCH_STAGING:-}" ]; then
+	echo "BRANCH_STAGING is unset!"
+	exit 1
+fi
+
+REPONAME="$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)"
+REPO="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
+
+# parse git tag from ref
+GIT_TAG="${GIT_REF#refs/tags/}"
+
+# Install dependencies
+pacman -Syu
+pacman -S base-devel git
+
+# clone package repository
+git clone -b "${BRANCH_STAGING}" "${REPO}" repo
+
+# copy packages
+find arch-latest -type f -exec cp {} repo/arch \;
+pushd repo/arch || exit 1
+
+# convert packages into references
+while read -rd $'\n' FILE; do
+    echo "${REPONAME}:${GIT_TAG}/$(basename "${FILE}")" > "${FILE}.blob"
+    rm "${FILE}"
+done <<< "$(find . -name '*.pkg.tar.zst')"
+
+RAND="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)"
+BRANCH="${BRANCH_STAGING}-${RAND}"
+
+# set git identity
+git config --global user.name "surfacebot"
+git config --global user.email "surfacebot@users.noreply.github.com"
+
+# commit and push
+git checkout -b "${BRANCH}"
+git add .
+git commit -m "Update Arch Linux ${REPONAME} package"
+git push --set-upstream origin "${BRANCH}"
+
+popd || exit 1
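Review bot: `REPO` embeds `SURFACEBOT_TOKEN` in the clone URL, so the token is stored in `repo/.git/config` as the `origin` URL and is passed on git's command line, where it is visible in process listings and may surface in diagnostic output. Keeping the URL clean and supplying the credential through a helper avoids both: `REPO="https://github.com/linux-surface/repo.git"` plus `git config --global credential.helper '!f() { echo username=surfacebot; echo "password=${SURFACEBOT_TOKEN}"; }; f'` before the clone. The single quotes matter: the token is expanded only by the helper's shell from the environment, so it never appears in this script's own command lines. The later `git push` picks up the same helper.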

+ 98 - 124
.github/workflows/arch.yml

@@ -1,146 +1,120 @@
-on:
-  push:
-    tags:
-      - 'arch-*'
-
 name: Arch
 
 env:
   GPG_KEY_ID: 56C464BAAC421453
 
+on:
+  push:
+    tags:
+      - 'arch-*'
+  
 jobs:
   build:
     name: Build Kernel
     runs-on: ubuntu-latest
-    container: archlinux
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install build dependencies
-      run: |
-        # Install makepkg deps
-        pacman -Syu --noconfirm
-        pacman -S --noconfirm sudo binutils fakeroot grep base-devel git sbsigntools libffi python
-
-    - name: Setup secureboot certificate
-      env:
-        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
-      run: |
-        cd pkg
-
-        # Install the surface secureboot certificate
-        echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key
-        cp keys/surface.crt arch/kernel/MOK.crt
-
-    - name: Build
-      run: |
-        cd pkg/arch/kernel
-
-        # Fix permissions (can't makepkg as root)
-        echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
-        chown -R nobody .
-
-        # Package compression settings (Matches latest Arch)
-        export PKGEXT='.pkg.tar.zst'
-        export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
-        export MAKEFLAGS="-j2"
-
-        # Build
-        su nobody --pty -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
-
-    - name: Prepare release
-      run: |
-        mkdir release
-        mv pkg/arch/kernel/*.pkg.tar.zst release
-
-    - name: Sign packages
-      env:
-        GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
-      run: |
-        cd release
-
-        # import GPG key
-        echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-        export GPG_TTY=$(tty)
-
-        # sign packages
-        ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: arch-latest
-        path: release
+      - name: Maximize disk space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 5120
+          remove-dotnet: true
+          remove-android: true
+          remove-docker-images: true
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            archlinux
+
+      - name: Install build dependencies
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/arch.sh setup-builddeps
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SB_KEY \
+            -- \
+            bash ./.github/scripts/package/arch.sh setup-secureboot
+
+      - name: Build packages
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -- \
+            bash ./.github/scripts/package/arch.sh build-packages
+
+      - name: Sign packages
+        env:
+          GPG_KEY: ${{ secrets.LINUX_SURFACE_GPG_KEY }}
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e GPG_KEY \
+            -e GPG_KEY_ID \
+            -- \
+            bash ./.github/scripts/package/arch.sh sign-packages
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: arch-latest
+          path: pkg/arch/kernel/release
 
   release:
     name: Publish release
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: arch-latest
-        path: arch-latest
-
-    - name: Upload assets
-      uses: svenstaro/upload-release-action@v2
-      with:
-        repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        file: ./*-latest/*
-        tag: ${{ github.ref }}
-        overwrite: true
-        file_glob: true
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: arch-latest
+          path: arch-latest
+
+      - name: Upload assets
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          file: ./*-latest/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
 
   repo:
     name: Update package repository
     needs: [release]
     runs-on: ubuntu-latest
-    container: archlinux
     steps:
-    - name: Install dependencies
-      run: |
-        pacman -Syu --noconfirm
-        pacman -S --noconfirm base-devel git
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v3
-      with:
-        name: arch-latest
-        path: arch-latest
-
-    - name: Update repository
-      env:
-        SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
-        BRANCH_STAGING: u/staging
-        GIT_REF: ${{ github.ref }}
-      run: |
-        repo="https://surfacebot:${SURFACEBOT_TOKEN}@github.com/linux-surface/repo.git"
-
-        # clone package repository
-        git clone -b "${BRANCH_STAGING}" "${repo}" repo
-
-        # copy packages
-        cp arch-latest/* repo/arch/
-        cd repo/arch
-
-        # parse git tag from ref
-        GIT_TAG=$(echo $GIT_REF | sed 's|^refs/tags/||g')
-
-        # convert packages into references
-        for pkg in $(find . -name '*.pkg.tar.zst'); do
-          echo "linux-surface:$GIT_TAG/$(basename $pkg)" > $pkg.blob
-          rm $pkg
-        done
-
-        # set git identity
-        git config --global user.email "surfacebot@users.noreply.github.com"
-        git config --global user.name "surfacebot"
-
-        # commit and push
-        update_branch="${BRANCH_STAGING}-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
-        git switch -c "${update_branch}"
-        git add .
-        git commit -m "Update Arch Linux kernel"
-        git push --set-upstream origin "${update_branch}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: arch-latest
+          path: arch-latest
+
+      - name: Initialize containers
+        run: |
+          bash ./.github/scripts/container/create.sh \
+            archlinux
+
+      - name: Update repository
+        env:
+          SURFACEBOT_TOKEN: ${{ secrets.LINUX_SURFACE_BOT_TOKEN }}
+          GIT_REF: ${{ github.ref }}
+          BRANCH_STAGING: u/staging
+        run: |
+          bash ./.github/scripts/container/exec.sh \
+            -e SURFACEBOT_TOKEN \
+            -e GIT_REF \
+            -e BRANCH_STAGING \
+            -e GITHUB_REPOSITORY \
+            -- \
+            bash ./.github/scripts/repository/arch.sh
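Review bot: `uses: easimon/maximize-build-space@master` runs whatever the third-party repository's `master` branch holds when the job starts, and it does so in the same `build` job that later receives `SURFACE_SB_KEY` and `LINUX_SURFACE_GPG_KEY`. Pin it to a reviewed full commit SHA, e.g. `uses: easimon/maximize-build-space@<full-commit-sha>  # <reviewed tag>`, so an upstream change cannot alter what executes on the runner that signs releases. The other actions in this file use major-version tags (`@v3`, `@v2`), which are also movable; SHA pinning would be the consistent choice for the jobs that handle secrets.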