Enable Debian Build,Sign,Publish via GH Actions

.github/workflows/debian.yml

@@ -0,0 +1,205 @@
+name: Debian Packages
+on: [push]
+
+jobs:
+  debian-build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            arch: amd64
+            packages_allarch: "cartesi-machine-linux-image cartesi-machine-rootfs-image"
+          - runner: ubuntu-24.04-arm
+            arch: arm64
+            packages_allarch: ""
+          - runner: ubuntu-24.04-riscv
+            arch: riscv64
+            packages_allarch: ""
+
+    runs-on: ${{ matrix.runner }}
+    name: Debian Build
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Setup up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+
+      - name: Make builder container image
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: debian
+          file: debian/Dockerfile
+          platforms: linux/${{ matrix.arch }}
+          tags: cartesi/deb-builder-${{ matrix.arch }}
+          load: true
+          push: false
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,scope=${{ matrix.arch }},mode=max
+
+      - name: Restore cached packages
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: cdn/apt
+          key: apt-packages-${{ matrix.arch }}-${{ github.sha }}
+          restore-keys: apt-packages-${{ matrix.arch }}-
+
+      - name: Build packages
+        working-directory: debian
+        run: |
+            make packages \
+              TARGET_ARCH=${{ matrix.arch }} \
+              PACKAGES_ALLARCH="${{ matrix.packages_allarch }}"
+
+      - name: Export builder container image
+        run: docker save cartesi/deb-builder-${{ matrix.arch }} | gzip > /tmp/deb-builder-${{ matrix.arch }}.tar.gz
+
+      - name: Upload builder container image
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: image-deb-builder-${{ matrix.arch }}
+          path: /tmp/deb-builder-${{ matrix.arch }}.tar.gz
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: artifacts-apt-${{ matrix.arch }}
+          path: cdn/apt
+
+  debian-test:
+    name: Debian Test
+    runs-on: ubuntu-24.04
+    needs: debian-build
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Download apt artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: artifacts-apt-*
+          path: cdn/apt/
+          merge-multiple: true
+
+      - name: Download builder images
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: image-deb-builder-*
+          path: /tmp/images
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Import builder images
+        run: find /tmp/images -name '*.tar.gz' | xargs -I {} docker image load --input {}
+
+      - name: Make index
+        working-directory: debian
+        run: make index
+
+      - name: Test
+        working-directory: debian
+        run: |
+          make test-packages TARGET_ARCH=amd64
+          make test-packages TARGET_ARCH=arm64
+          make test-packages TARGET_ARCH=riscv64
+
+  debian-sign:
+    runs-on: ubuntu-24.04
+    name: Debian Signing
+    needs: [ debian-build, debian-test ]
+    #FIXME: uncoment when have final signing key
+    #if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
+    environment: signing
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Download apt artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: artifacts-apt-*
+          path: cdn/apt/
+          merge-multiple: true
+
+      - name: Download builder images
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: image-deb-builder-amd64
+          path: /tmp/images
+
+      - name: Import builder images
+        run: find /tmp/images -name '*.tar.gz' | xargs -I {} docker image load --input {}
+
+      - name: Import GPG signing key
+        working-directory: debian
+        env:
+          DEB_KEY: ${{ secrets.DEB_KEY }}
+        run: |
+          mkdir -p key
+          chmod 700 key
+          echo "$DEB_KEY" | gpg --homedir "$(pwd)/key" --import
+
+      - name: Make index
+        working-directory: debian
+        run: make index
+
+      - name: Sign repository
+        working-directory: debian
+        run: make sign
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: signed-artifacts-apt
+          path: cdn
+
+  publish:
+    name: Debian Publish
+    needs: debian-sign
+    #FIXME: uncoment when process is validated
+    #if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-24.04
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      pages: write
+      id-token: write
+    steps:
+      - name: Download signed archives
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: signed-artifacts-apt
+          path: _site/
+
+      - name: Create GPG Public Key from variable
+        env:
+          DEB_PUB_KEY: ${{ vars.DEB_PUB_KEY }}
+        run: |
+          mkdir -p _site/apt/keys
+          echo "$DEB_PUB_KEY" > _site/apt/keys/cartesi-deb-key.gpg
+
+      - name: Setup Pages
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v5.0.0
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.gitignore

@@ -0,0 +1,2 @@
+cdn
+key

README.md

@@ -1,2 +1,12 @@
-# linux-packages
-Cartesi Linux Packages Repository
+# Cartesi Linux Packages
+
+Cartesi Linux packages repository, containing packaging for:
+
+- Debian 12 (Bookworm) - Host
+- Ubuntu 24.04 LTS (Noble) - Guest
+- Alpine Linux 3.23 - Host and Guest
+
+Debian/Ubuntu packages are available in [debian](debian) subdirectory.
+Alpine packages are available in [alpine](alpine) subdirectory.
+
+You can find instructions on the sub directories.

alpine/Dockerfile

@@ -0,0 +1,13 @@
+ARG BASE_IMAGE=alpine
+FROM ${BASE_IMAGE}
+
+# Install build essential
+RUN apk update && \
+    apk upgrade && \
+    apk add alpine-sdk
+
+# List local apk repository
+RUN echo /root/packages/work >> /etc/apk/repositories && \
+    adduser -D builder
+
+WORKDIR /work

alpine/Makefile

@@ -0,0 +1,125 @@
+# List of packages to compile for any architecture
+PACKAGES_ANYARCH=\
+cartesi-machine-linux-image \
+cartesi-machine-rootfs-image \
+cartesi-machine-emulator \
+xgenext2fs
+
+# List of packages to compile for riscv64
+PACKAGES_RISCV64=\
+cartesi-machine-guest-linux-headers \
+cartesi-machine-guest-tools
+
+# Target architecture to compile packages
+TARGET_ARCH?=$(shell uname -m)
+
+# Docker platform architecture (maps uname -m names to Docker platform names)
+DOCKER_ARCH_x86_64=amd64
+DOCKER_ARCH_aarch64=arm64
+DOCKER_ARCH_riscv64=riscv64
+DOCKER_ARCH=$(DOCKER_ARCH_$(TARGET_ARCH))
+
+# Docker base image used for building packages
+BASE_IMAGE=alpine:3.23
+IMAGE=cartesi/apk-builder-$(DOCKER_ARCH)
+
+# Repository path to save built packages
+REPO_PATH=$(abspath ../cdn)/apk
+REPO_NAME=stable
+KEY_NAME=cartesi-apk-key
+
+# Package list to build
+PACKAGES=$(PACKAGES_ANYARCH)
+ifeq ($(TARGET_ARCH),riscv64)
+PACKAGES+=$(PACKAGES_RISCV64)
+endif
+
+all: ## Generate a key (if needed) and build all packages
+	@$(MAKE) --no-print-directory image
+	@$(MAKE) --no-print-directory key
+	@$(MAKE) --no-print-directory packages-all
+
+packages-all: ## Build packages for all architectures (x86_64/aarch64/riscv64)
+	@$(MAKE) --no-print-directory image TARGET_ARCH=x86_64
+	@$(MAKE) --no-print-directory packages TARGET_ARCH=x86_64
+	@$(MAKE) --no-print-directory image TARGET_ARCH=aarch64
+	@$(MAKE) --no-print-directory packages TARGET_ARCH=aarch64
+	@$(MAKE) --no-print-directory image TARGET_ARCH=riscv64
+	@$(MAKE) --no-print-directory packages TARGET_ARCH=riscv64
+
+packages: $(patsubst %,%.apk,$(PACKAGES)) ## Build packages for given TARGET_ARCH
+
+%.apk: ## Build a package for given TARGET_ARCH
+	@$(MAKE) --no-print-directory exec COMMAND="\
+	cd $* && \
+	export SOURCE_DATE_EPOCH=\\\`stat -c %Y APKBUILD\\\` && \
+    abuild -rF && \
+    chown -R $(shell id -u):$(shell id -g) /root/packages/work"
+
+key: ## Generate package signature key
+	echo "NOTICE: Generating new key!"
+	@mkdir -p $(REPO_PATH)/keys key
+	docker run --platform=linux/$(DOCKER_ARCH) \
+		--volume ./key:/root/.abuild \
+		--volume $(REPO_PATH):/apk \
+		--rm $(IMAGE) \
+		ash -c "\
+	abuild-keygen -n && \
+	mv /root/.abuild/*.rsa.pub /root/.abuild/$(KEY_NAME).rsa.pub && \
+	mv /root/.abuild/*.rsa /root/.abuild/$(KEY_NAME).rsa && \
+	echo 'PACKAGER_PRIVKEY=/root/.abuild/$(KEY_NAME).rsa' > /root/.abuild/abuild.conf && \
+	cp /root/.abuild/$(KEY_NAME).rsa.pub /apk/keys/$(KEY_NAME).rsa.pub && \
+	chown -R $(shell id -u):$(shell id -g) /root/.abuild /apk/keys"
+
+shell: ## Spawn an image shell for given TARGET_ARCH
+	@$(MAKE) --no-print-directory exec  DOCKER_FLAGS="-it" COMMAND="ash"
+
+exec: ## Execute a COMMAND inside an image for given TARGET_ARCH
+	docker run --platform=linux/$(DOCKER_ARCH) \
+		--volume ./key:/key \
+		--volume $(REPO_PATH)/$(REPO_NAME):/root/packages/work \
+		--volume .:/work \
+		--workdir /work \
+		$(DOCKER_FLAGS) --rm $(IMAGE) \
+		ash -c "\
+	cp /key/*.rsa.pub /etc/apk/keys/ && \
+	cp -a /key /root/.abuild && \
+	chown -R root:root /root/.abuild && \
+	$(COMMAND)"
+
+image: ## Build Docker image for building packages for given TARGET_ARCH
+	docker build --platform=linux/$(DOCKER_ARCH) \
+		--build-arg=BASE_IMAGE=$(BASE_IMAGE) \
+		--tag=$(IMAGE) \
+		--progress=plain \
+		--file Dockerfile .
+
+test: ## Test built packages for all architectures (x86_64/aarch64/riscv64)
+	@$(MAKE) --no-print-directory test-packages TARGET_ARCH=x86_64
+	@$(MAKE) --no-print-directory test-packages TARGET_ARCH=aarch64
+	@$(MAKE) --no-print-directory test-packages TARGET_ARCH=riscv64
+
+ifeq ($(TARGET_ARCH),riscv64)
+test-packages:
+	@$(MAKE) --no-print-directory exec COMMAND="\
+	apk add $(PACKAGES) && \
+	rollup --help && \
+	cartesi-machine --final-hash"
+else
+test-packages: ## Test built packages for given TARGET_ARCH
+	@$(MAKE) --no-print-directory exec COMMAND="\
+	apk add $(PACKAGES) && \
+	cartesi-machine --final-hash"
+endif
+
+distclean: ## Remove everything from APK repository directory
+	rm -rf $(REPO_PATH)/$(REPO_NAME)
+
+help: ## Show this help
+	@sed \
+		-e '/^[a-zA-Z0-9_\-]*:.*##/!d' \
+		-e 's/:.*##\s*/:/' \
+		-e 's/^\(.\+\):\(.*\)/$(shell tput setaf 6)\1$(shell tput sgr0):\2/' \
+		$(MAKEFILE_LIST) | column -c2 -t -s :
+
+.PHONY: all packages-all packages shell exec image test test-packages distclean help