feat: refactor overall pipeline, add pkg signing and repo database

BREAKING CHANGE: the build script and its options were heavily changed

.github/workflows/build-publish.yml

@@ -26,49 +26,40 @@ jobs:
         run: |
           pacman -Syu --noconfirm
 
-      - name: Build greetd
+      - name: Import builder private key for package signing
         run: |
-          source ./packages
-          sudo -u builder ./build.sh $GREETD_URL $GREETD_VER
+          echo -e "${{ secrets.GPG_PRIVATE_KEY }}" | sudo -u builder gpg --import --batch --no-tty
 
-      - name: Build greetd-gtkgreet
+      - name: Initialize pacman secret key, import and trust builder public key
         run: |
-          source ./packages
-          sudo -u builder ./build.sh $GREETD_GTKGREET_URL $GREETD_GTKGREET_VER
+          pacman-key --init
+          pacman-key --add builder_public_key.asc
+          pacman-key --lsign-key 25267573FD638312C5EBE4C40C758F9503EDE7AF
 
-      - name: Build wf-config
+      - name: Build packages
         run: |
-          source ./packages
-          sudo -u builder ./build.sh $WF_CONFIG_URL $WF_CONFIG_VER
-
-      - name: Build wayfire
-        run: |
-          pacman -U /tmp/*pkgbuild/wf-config*.zst --noconfirm
-          source ./packages
-          sudo -u builder ./build.sh $WAYFIRE_URL $WAYFIRE_VER
-
-      - name: Prepare artifacts
-        run: |
-          mkdir ~/build
-          mv /tmp/*pkgbuild/*.zst ~/build/
+          sudo -u builder \
+            PACKAGE_AUTHOR="Builder <[email protected]>" \
+            PACKAGE_GPG_ID=25267573FD638312C5EBE4C40C758F9503EDE7AF \
+            ./build.sh
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v2
         with:
           name: packages
-          path: ~/build/*.zst
+          path: /home/builder/build/*
 
       - name: Add packages to new release
         if: github.event_name == 'release' && github.event.action == 'created'
         run: |
           pacman -S curl jq --noconfirm
           RELEASE=$(jq --raw-output '.release.id' "$GITHUB_EVENT_PATH")
 
-          for PACKAGE in ~/build/*.zst; do
+          for FILE in /home/builder/build/*; do
             curl -sSL \
                  -X POST \
                  -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-                 -T ${PACKAGE} \
+                 -T ${FILE} \
                  --header "Content-Type: application/octet-stream" \
-                 https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${RELEASE}/assets?name=${PACKAGE##*/}
+                 https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${RELEASE}/assets?name=${FILE##*/}
           done

README.md

@@ -2,21 +2,46 @@
 
 Arch Linux AUR package builds, published via GitHub Releases.
 
-![GitHub](https://github.com/karras/aur-package-builds/workflows/Build%20&%20Publish/badge.svg?branch=main)
+[![Build & Publish](https://github.com/karras/aur-package-builds/actions/workflows/build-publish.yml/badge.svg)](https://github.com/karras/aur-package-builds/actions/workflows/build-publish.yml)
 
 ## Packages
 
-The following packages are covered:
+The following packages are covered (see [package.lst](./package.lst)):
 
 * [greetd](https://aur.archlinux.org/packages/greetd/)
 * [greetd-gtkgreet](https://aur.archlinux.org/packages/greetd-gtkgreet/)
 * [wayfire](https://aur.archlinux.org/packages/wayfire/)
 * [wf-config](https://aur.archlinux.org/packages/wf-config/)
 
-## Builds
+## Usage
 
 The actual package builds can be found in the latest
-[Releases](https://github.com/karras/aur-package-builds/releases).
+[Releases](https://github.com/karras/aur-package-builds/releases). All releases
+also include the required repository database in order to install them directly
+via pacman:
+
+* Import and trust the [package signing key](./builder_public_key.asc):
+  ```sh
+  pacman-key --add builder_public_key.asc
+  pacman-key --lsign-key 25267573FD638312C5EBE4C40C758F9503EDE7AF
+  ```
+
+* Add the repository to `/etc/pacman.conf` (replace `$RELEASE` in the URL with
+  the desired version):
+  ```ini
+  [karras]
+  Server = https://github.com/karras/aur-package-builds/releases/download/$RELEASE
+  ```
+
+* Refresh the local repository databases:
+  ```sh
+  pacman -Sy
+  ```
+
+* Install the required packages (e.g. `wayfire`):
+  ```sh
+  pacman -S wayfire
+  ```
 
 ## License
 

build.sh

@@ -1,42 +1,105 @@
-#!/bin/sh
+#!/bin/sh -
 #
-# Creates a directory in /tmp, clones the AUR repository into it and finally
-# builds the package. Definitely not gold, lots of room for improvement.
+# Creates a temporary build directory in /tmp and builds all packages in there
+# based on the provided package list file. Also supports signing the packages
+# and creates an appropriate repository database. The articats are finally
+# stored in one build directory.
 #
-# ./build.sh GIT_URL [COMMIT_HASH]
+# Supported environment variables:
+#
+#   PACKAGE_AUTHOR:      Defines who is the packager, set to 'John Doe
+#                        <[email protected]>' if not defined
+#
+#   PACKAGE_BASE_URL:    Base URL where the source repositories are located,
+#                        set to 'https://aur.archlinux.org' if not defined
+#
+#   PACKAGE_CONFIG:      File containing the package list to build, set to
+#                        'packages.lst' if not defined
+#
+#   PACKAGE_DESTINATION: Defines where to store the built packages, set to
+#                        '$HOME/build' if not defined
+#
+#   PACKAGE_GPG_ID:      GPG ID of the private key to use for signing the
+#                        packages, if not set the packages will not be signed
+#
+# USAGE: ./build.sh
 
 set -eo pipefail
 
-# Required tools
-DEPENDENCIES="mktemp git"
+readonly DEPENDENCIES="id git makepkg pacman-key repo-add"
+
+readonly PKG_BASE_URL="${PACKAGE_BASE_URL:-https://aur.archlinux.org}"
+readonly PKG_CFG="${PACKAGE_CONFIG:-packages.lst}"
+
+# Specific options for makepkg and repo-add, see their respective man pages
+export GPGKEY="${PACKAGE_GPG_ID:-}"
+export PKGDEST="${PACKAGE_DESTINATION:-${HOME}/build}"
+export PACKAGER="${PACKAGE_AUTHOR:-John Doe <john@example.com>}"
 
-# Test if dependencies are available
+# Required by makepkg to ensure signature files are stored along the packages
+export SRCPKGDEST="${PKGDEST}"
+
+# Check if all dependencies are available
 for DEPENDENCY in ${DEPENDENCIES}; do
   if [[ ! $(type "${DEPENDENCY}" 2> /dev/null) ]]; then
     echo "Dependency '${DEPENDENCY}' not found in PATH, exiting..."
     exit 1
   fi
 done
 
-if [[ -z "${1}" ]]; then
-  echo "No AUR git URL provided as the first parameter, exiting..."
+# Check if we are executed as root which does not work with makepkg
+if [[ "$(id -u)" -eq 0 ]]; then
+  echo "Script must not be executed as root, exiting..."
+  exit 1
+fi
+
+echo $HOME
+# Check if package config file exists
+if [[ ! -f "${PKG_CFG}" ]]; then
+  echo "No file named '${PKG_CFG}' found at script location, exiting..."
   exit 1
 fi
 
 # Create temporary build directory
-BUILD_DIR=$(mktemp --directory --suffix=pkgbuild)
+readonly TMP_BUILD_DIR=$(mktemp --directory --suffix=pkgbuild)
+
+# Create package destination directory if required
+echo "All packages will be placed in '${PKGDEST}'"
+if [[ ! -d "${PKGDEST}" ]]; then
+  mkdir "${PKGDEST}"
+fi
+
+# Build all packages
+while read -r PACKAGE; do
+  # Skip all lines starting with a hashtag
+  [[ "${PACKAGE}" =~ ^#.*$ ]] && continue
+
+  echo "Starting build process for package '${PACKAGE}'"
+
+  # Clone source repository
+  git clone "${PKG_BASE_URL}/${PACKAGE}" "${TMP_BUILD_DIR}/${PACKAGE}"
+
+  # Build package
+  cd "${TMP_BUILD_DIR}/${PACKAGE}"
+  if [[ ! -z "${GPGKEY}" ]]; then
+    echo "Package will be built and signed with the GPG key '${GPGKEY}'"
+    makepkg --noconfirm --syncdeps --install --sign
+  else
+    echo "Package will be built without signing it"
+    makepkg --noconfirm --syncdeps --install
+  fi
+done < "${PKG_CFG}"
 
-# Clone (AUR) repository
-git clone "${1}" "${BUILD_DIR}"
+echo "Finished building all packages, check the '${PKGDEST}' directory"
 
-# Switch to build directory
-cd "${BUILD_DIR}"
+ls -al "${PKGDEST}"
 
-# Optionally checkout specific commit (i.e. AUR version pinning)
-if [[ ! -z "${2}" ]]; then
-  echo "Checking out commit '${2}'"
-  git checkout --quiet "${2}"
+if [[ ! -z "${GPGKEY}" ]]; then
+  echo "Creating package repository database and sign it with the GPG key '${GPGKEY}'"
+  repo-add --sign "${PKGDEST}/karras.db.tar.xz" ${PKGDEST}/*.zst
+else
+  echo "Creating package repository database without signing it"
+  repo-add "${PKGDEST}/karras.db.tar.xz" ${PKGDEST}/*.zst
 fi
 
-# Build package
-makepkg --noconfirm --syncdeps
+echo "Finished generating repository database, check the '${PKGDEST}' directory"

builder_public_key.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGHcgawBEADeSzF9MuJ4K92RX6Es/fMd9bNS+4LTettXxkZXu1hI6u0Zy1Tw
+x8j+kVI6HOEC3FCxQF5d6gyaqiMfxXtobTcVIbMVqoCsHplSuV6MunBYbdc8ETm6
+VkLoslJOdgOYsH2DoKkJsGoG2r195yuVyF/yH8Si2tHW1qAIv/YrWxlpmjITqMIF
+xPQrruwXLNCu/LTsQ7xqXgAvqL++2LGyIlmtWMTQzcrcUCkMbo7jFDLcj3tjhDDP
+Z0iwvLtnwG70xtssSH5zvEga6IAeC8cR1daTT2XEwrALiu2MpaWFfWfF2LoJMTSn
+dyPyBlQEsHW/2lyo9NIJogGtlY+5qHnPD88Dol5Aawb0F+ti82ByDa9FpiF5ZQyr
+8UOEY8XBeu7A/CfG6ubbLjZXMo6jOYNxfk3lJDpkXULQKHKRocIYuyPa/D6t2ugA
+UpPSeA7jjxpyAQAVASXxmwA6dDcow7z6rADqxMMaQh6oB2GssYO8AXG8IFtunl+A
+pZFWDtalW8jSlQ+DjCR5AiVU0wtOsshiMCr0mqHgVO5Von/GKWWAGzJ7Imnx9djF
+3hWcKySg9XfuHqYOmOo2yZ+6kqRu5nVGNyQzctFpRyu7LVr0bH4p/UbaaOmvnGH0
+Ak2VetI590T9avG2GHEFyhyHjCyLMZbYtEcB7g8imudO6xKy3z/KXhHgpQARAQAB
+tBpCdWlsZGVyIDxidWlsZGVyQDB4NTM5LmNoPokCTgQTAQgAOBYhBCUmdXP9Y4MS
+xevkxAx1j5UD7eevBQJh3IGsAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EAx1j5UD7eevElYQAICpQ0I9xuiFPNhIfSU7XEqwUyVS+ynqqdqyzsDHC0Dyhu8O
+3qztwOm4hBQEs0Bad46b1PK9nMiLruY6PATHoIO1SyM4KNTd5Lp0J0mQ9aalxwwB
+gXsxKvJPyx0MhEVGNKzTgWw5r9vqg4vH2dscFjV8FhaaE7f145KgmgR1RlniNb/I
+l+RbnBWTMYMu4z+Ur+iZrrW9/58yRY9LU5ncqqdqsYAQEVRIUkKLDR0tpfA2ncNk
+9K5hXCEdNlTP+Brc/zovfGS5HAFYWS7BB9X6q0dVpCxmiSw5rtIMd7DpO0jaU25U
+2FCDHQsLMj2DCkL0s4wrt0+eKocFrYmMCLFeeOXDIBRY09UigtNNCefkAVq0l2//
+zwci7T8ql+K6YLVE/b779/2qwmDPsNIldumjwfM/hA7Y7xG9l6hYiDenvThze3Us
+4hzFu5HrbDwXH8PF7ycdFImrfkFcCk7p4QWUd1xBxS4U4+geK3UL/Ur6g+9Fg980
+na5Zo2S2D7x0DwIr2iLjTv+M/HKZj1aE5Tk5j342jjFVCmXDagqehHOp0CqtUkcy
+07UyElyQk74AZTzVrBm+fOi4tlm6IjUxn16CT91fq2yzUACRcOxFf9prQEIQEPcw
+dfAWHBe3Jskda690Gd+atk2woAsJZ8T+lx/uG2kp9Z7VoOAo8rPP6FO2a+dW
+=7ndg
+-----END PGP PUBLIC KEY BLOCK-----

packages.lst

@@ -0,0 +1,6 @@
+# List of packages to build, each line contains a new package name. Order is
+# relevant if there are dependencies between the to be built packages.
+greetd
+greetd-gtkgreet
+wf-config
+wayfire