
ci: validate package signatures #40

Workflow file for this run

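name: Build package
# Runs on every push and on pull requests. For pull_request events the
# checked-out tree, including the contrib/ scripts the jobs execute, is the
# pull request's code, so values those scripts emit are untrusted input.
on: [push, pull_request]
# Default GITHUB_TOKEN to read-only for every job. A job that needs more
# (create-release) asks for it in its own permissions block.
permissions:
  contents: read
jobs: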
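build-meta:
  # Computes the build metadata (firmware version, release flag, SDK and
  # ImageBuilder names/URLs) and the cache key that the later jobs read via
  # needs.build-meta.outputs.*.
  #
  # All outputs of the build-metadata step are written by
  # contrib/get-version.sh from the checked-out tree. On pull_request runs
  # that script is the PR's version, so consumers must treat these values as
  # untrusted: pass them through env and quote them, never splice them into
  # a run script with ${{ }}.
  name: build-meta
  runs-on: ubuntu-24.04
  outputs:
    build-meta-output: >-
      ${{ steps.build-metadata.outputs.build-meta-output }}
    firmware-version: >-
      ${{ steps.build-metadata.outputs.firmware-version }}
    create-release: >-
      ${{ steps.build-metadata.outputs.create-release }}
    sdk-name: >-
      ${{ steps.build-metadata.outputs.sdk-name }}
    sdk-url: >-
      ${{ steps.build-metadata.outputs.sdk-url }}
    imagebuilder-name: >-
      ${{ steps.build-metadata.outputs.imagebuilder-name }}
    imagebuilder-url: >-
      ${{ steps.build-metadata.outputs.imagebuilder-url }}
    cache-key: >-
      ${{ steps.cache-key.outputs.cache-key }}
  steps:
    # NOTE(review): actions here are referenced by mutable tag (@v4). Pinning
    # to a full commit SHA, e.g. actions/checkout@<full-commit-sha>  # v4,
    # prevents a moved tag from changing what runs.
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        # Full history and tags are fetched before the version script runs.
        fetch-tags: true
        fetch-depth: 0
        submodules: true
    - name: Determine Version
      id: build-metadata
      run: bash "$GITHUB_WORKSPACE/contrib/get-version.sh"
    - name: Determine Cache-Key
      id: cache-key
      env:
        # Handed over as an environment variable so the URL is data to the
        # shell rather than part of the script text.
        SDK_URL: ${{ steps.build-metadata.outputs.sdk-url }}
      run: |
        cache_key="$(bash "$GITHUB_WORKSPACE/contrib/cache-key.sh" "$GITHUB_WORKSPACE" "$SDK_URL")"
        echo "cache-key=${cache_key}" >> "$GITHUB_OUTPUT"
    - name: Create Artifact of build-meta
      uses: actions/upload-artifact@v4
      with:
        name: build-meta
        path: ${{ steps.build-metadata.outputs.build-meta-output }}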
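build-packages:
  # Builds the ffda-oob-firmware packages with the OpenWrt SDK, places the
  # usign build key in the SDK directory before the build, and uploads the
  # resulting package feeds (oobfw, oobpkgs) as artifacts.
  name: build-packages
  runs-on: ubuntu-24.04
  needs: build-meta
  outputs:
    # Only public key material leaves this job. The private signing key is
    # deliberately NOT exported as a job output: no other job in this
    # workflow reads it, and job outputs are handed to every dependent job.
    usign-public-key: >-
      ${{ steps.build-keypair.outputs.usign-public-key }}
    # NOTE(review): "usign-singerprint" looks like a typo for
    # "usign-fingerprint". Confirm against the output name that
    # contrib/build-key.sh writes; if they differ this output is empty and
    # build-firmware cannot name the key file.
    usign-fingerprint: >-
      ${{ steps.build-keypair.outputs.usign-singerprint }}
  steps:
    # NOTE(review): actions are referenced by mutable tag (@v4); consider
    # pinning each to a full commit SHA (<full-commit-sha>  # v4).
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-tags: true
        fetch-depth: 0
        submodules: true
    - name: Install dependencies
      run: |
        "$GITHUB_WORKSPACE/contrib/install-deps.sh"
    - name: Determine Cache-Key
      id: cache-key-sdk
      env:
        BASE_CACHE_KEY: ${{ needs.build-meta.outputs.cache-key }}
      run: |
        echo "cache-key=sdk-${BASE_CACHE_KEY}" >> "$GITHUB_OUTPUT"
    - name: Restore Cache
      id: restore-cache-sdk
      uses: actions/cache/restore@v4
      with:
        path: /tmp/openwrt-sdk
        key: ${{ steps.cache-key-sdk.outputs.cache-key }}
    - name: Download SDK
      if: steps.restore-cache-sdk.outputs.cache-hit != 'true'
      env:
        # The URL comes from build-meta's script output; keep it out of the
        # script text and quote it.
        SDK_URL: ${{ needs.build-meta.outputs.sdk-url }}
      run: |
        # --fail: stop on an HTTP error instead of saving the error page as
        # the archive.
        # NOTE(review): the archive is unpacked and its tools are executed
        # without an integrity check. If upstream publishes a checksum or
        # signature for it, verify that before extracting.
        curl --fail -o /tmp/openwrt-sdk.tar.xz "$SDK_URL"
    - name: Extract SDK
      if: steps.restore-cache-sdk.outputs.cache-hit != 'true'
      env:
        SDK_NAME: ${{ needs.build-meta.outputs.sdk-name }}
      run: |
        tar -xf /tmp/openwrt-sdk.tar.xz -C /tmp
        ls /tmp
        mv "/tmp/${SDK_NAME}" /tmp/openwrt-sdk
    - name: Create feeds.conf
      if: steps.restore-cache-sdk.outputs.cache-hit != 'true'
      run: |
        cp /tmp/openwrt-sdk/feeds.conf.default /tmp/openwrt-sdk/feeds.conf
        echo "src-link oobfw $GITHUB_WORKSPACE/openwrt" >> /tmp/openwrt-sdk/feeds.conf
        echo "src-link oobpkgs $GITHUB_WORKSPACE/packages" >> /tmp/openwrt-sdk/feeds.conf
    - name: Install SDK feeds
      if: steps.restore-cache-sdk.outputs.cache-hit != 'true'
      run: |
        cd /tmp/openwrt-sdk
        ./scripts/feeds update -a
        ./scripts/feeds install -a
    # The cache is saved here, before any key material is written into
    # /tmp/openwrt-sdk, so the private key never ends up in the cache.
    # Keep this step ahead of "Save secret build-key".
    - name: Save cache
      id: save-cache-sdk
      if: steps.restore-cache-sdk.outputs.cache-hit != 'true'
      uses: actions/cache/save@v4
      with:
        path: /tmp/openwrt-sdk
        key: ${{ steps.cache-key-sdk.outputs.cache-key }}
    - name: Get build keypair
      id: build-keypair
      env:
        # Secrets are not provided to pull_request runs from forks, so
        # GHA_PRIVATE_KEY is empty there. Presumably build-key.sh then
        # generates a throwaway key with the usign binary it is given;
        # confirm in contrib/build-key.sh.
        GHA_PRIVATE_KEY: ${{ secrets.USIGN_PRIVATE_KEY }}
        GHA_PUBLIC_KEY: ${{ vars.USIGN_PUBLIC_KEY }}
      run: |
        bash "$GITHUB_WORKSPACE/contrib/build-key.sh" /tmp/openwrt-sdk/staging_dir/host/bin/usign
    - name: Save secret build-key
      env:
        # Passed through env so the key is never part of the shell script
        # text. NOTE(review): a step output is only masked in logs if it
        # equals a registered secret; if build-key.sh re-encodes or
        # generates the key, it should register it with ::add-mask::, or
        # write /tmp/openwrt-sdk/build-key itself so the key never becomes
        # a step output at all.
        USIGN_PRIVATE_KEY: ${{ steps.build-keypair.outputs.usign-private-key }}
      run: |
        # Create the key file readable by the build user only.
        umask 077
        printf '%s\n' "$USIGN_PRIVATE_KEY" > /tmp/openwrt-sdk/build-key
    - name: Create SDK configuration
      env:
        FIRMWARE_VERSION: ${{ needs.build-meta.outputs.firmware-version }}
      run: |
        cd /tmp/openwrt-sdk
        printf 'CONFIG_FFDA_OOB_FIRMWARE_VERSION="%s"\n' "$FIRMWARE_VERSION" >> /tmp/openwrt-sdk/.config
        make defconfig
    - name: Build packages
      run: |
        cd /tmp/openwrt-sdk
        make package/ffda-oob-firmware/compile V=s -j4
        make package/index
    - name: Show binary output directory structure
      run: |
        tree /tmp/openwrt-sdk/bin
    # Only the package feed directories are uploaded; build-key lives in the
    # SDK root and is not part of either artifact path.
    - name: Upload oobfw packages
      uses: actions/upload-artifact@v4
      with:
        name: packages-oobfw
        path: /tmp/openwrt-sdk/bin/packages/mips_24kc/oobfw
    - name: Upload oobpkgs packages
      uses: actions/upload-artifact@v4
      with:
        name: packages-oobpkgs
        path: /tmp/openwrt-sdk/bin/packages/mips_24kc/oobpkgs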
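build-firmware:
  # Assembles firmware images with the OpenWrt ImageBuilder from the package
  # artifacts of build-packages. The usign public key is installed under
  # keys/<fingerprint> before the local feeds are added to repositories.conf.
  name: build-firmware
  runs-on: ubuntu-24.04
  needs: [build-packages, build-meta]
  steps:
    # NOTE(review): actions are referenced by mutable tag (@v4); consider
    # pinning each to a full commit SHA (<full-commit-sha>  # v4).
    - name: Checkout repository
      uses: actions/checkout@v4
    # No artifact name is given, so every artifact of the run is downloaded
    # into its own sub-directory of /tmp/packages (packages-oobfw,
    # packages-oobpkgs, ...), which "Link repositories" relies on.
    - name: Download artifacts
      uses: actions/download-artifact@v4
      with:
        path: /tmp/packages
    - name: Show binary output directory structure
      run: |
        tree /tmp/packages
    - name: Determine Cache-Key
      id: cache-key-ib
      env:
        BASE_CACHE_KEY: ${{ needs.build-meta.outputs.cache-key }}
      run: |
        echo "cache-key=ib-${BASE_CACHE_KEY}" >> "$GITHUB_OUTPUT"
    - name: Install dependencies
      run: |
        "$GITHUB_WORKSPACE/contrib/install-deps.sh"
    - name: Restore Cache
      id: restore-cache-ib
      uses: actions/cache/restore@v4
      with:
        path: /tmp/openwrt-imagebuilder
        key: ${{ steps.cache-key-ib.outputs.cache-key }}
    - name: Download Imagebuilder
      if: steps.restore-cache-ib.outputs.cache-hit != 'true'
      env:
        # Script-derived value: pass as data and quote it.
        IMAGEBUILDER_URL: ${{ needs.build-meta.outputs.imagebuilder-url }}
      run: |
        # --fail: stop on an HTTP error instead of saving the error page as
        # the archive.
        # NOTE(review): the archive is unpacked and run without an integrity
        # check. If upstream publishes a checksum or signature for it,
        # verify that before extracting.
        curl --fail -o /tmp/openwrt-imagebuilder.tar.xz "$IMAGEBUILDER_URL"
    - name: Extract Imagebuilder
      if: steps.restore-cache-ib.outputs.cache-hit != 'true'
      env:
        IMAGEBUILDER_NAME: ${{ needs.build-meta.outputs.imagebuilder-name }}
      run: |
        tar -xf /tmp/openwrt-imagebuilder.tar.xz -C /tmp
        mv "/tmp/${IMAGEBUILDER_NAME}" /tmp/openwrt-imagebuilder
    # Saved before the key and repository changes below, so the cached
    # ImageBuilder stays pristine.
    - name: Save cache
      if: steps.restore-cache-ib.outputs.cache-hit != 'true'
      id: save-cache-ib
      uses: actions/cache/save@v4
      with:
        path: /tmp/openwrt-imagebuilder
        key: ${{ steps.cache-key-ib.outputs.cache-key }}
    - name: Save public build-key
      env:
        USIGN_PUBLIC_KEY: ${{ needs.build-packages.outputs.usign-public-key }}
        USIGN_FINGERPRINT: ${{ needs.build-packages.outputs.usign-fingerprint }}
      run: |
        # The fingerprint becomes a file name below keys/. Refuse an empty
        # or non-hex value so the write cannot land outside that directory
        # and a missing fingerprint fails here with a clear message.
        case "$USIGN_FINGERPRINT" in
          ''|*[!0-9A-Fa-f]*)
            echo "unexpected usign fingerprint: '$USIGN_FINGERPRINT'" >&2
            exit 1
            ;;
        esac
        printf '%s\n' "$USIGN_PUBLIC_KEY" > "/tmp/openwrt-imagebuilder/keys/${USIGN_FINGERPRINT}"
    - name: Link repositories
      run: |
        echo "src oobfw file:///tmp/packages/packages-oobfw" >> /tmp/openwrt-imagebuilder/repositories.conf
        echo "src oobpkgs file:///tmp/packages/packages-oobpkgs" >> /tmp/openwrt-imagebuilder/repositories.conf
    - name: Set Version information
      env:
        # Still substituted into a sed replacement, so "/" or "&" in the
        # version would alter the expression; the value is expected to be a
        # plain version string.
        FIRMWARE_VERSION: ${{ needs.build-meta.outputs.firmware-version }}
      run: |
        sed -i "s/^CONFIG_VERSION_NUMBER.*/CONFIG_VERSION_NUMBER=\"${FIRMWARE_VERSION}\"/g" /tmp/openwrt-imagebuilder/.config
        sed -i "s/^CONFIG_VERSION_DIST.*/CONFIG_VERSION_DIST=\"ffda-oob\"/g" /tmp/openwrt-imagebuilder/.config
    - name: Build images
      run: |
        cd /tmp/openwrt-imagebuilder
        "$GITHUB_WORKSPACE/contrib/build-image.sh"
    - name: Upload firmware images
      uses: actions/upload-artifact@v4
      with:
        name: firmware-images
        path: /tmp/openwrt-imagebuilder/bin/targets/ath79/nand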
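create-release:
  # Publishes the firmware images and packages as a GitHub release.
  name: create-release
  runs-on: ubuntu-24.04
  # This job requests a writable token because it creates a release.
  permissions:
    contents: write
  needs: [build-packages, build-firmware, build-meta]
  # The create-release flag is produced by a script run from the checked-out
  # tree, which on pull_request is the PR's code. Requiring a push event
  # keeps a pull request from steering this write-privileged job.
  if: ${{ github.event_name == 'push' && needs.build-meta.outputs.create-release == '1' }}
  steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    # Downloads every artifact of the run into its own sub-directory of
    # /tmp/artifacts.
    - name: Download artifacts
      uses: actions/download-artifact@v4
      with:
        path: /tmp/artifacts
    - name: Show binary output directory structure
      run: |
        tree /tmp/artifacts
    - name: Collect release files
      run: |
        mkdir -p /tmp/artifacts-upload
        cp /tmp/artifacts/firmware-images/*.bin /tmp/artifacts-upload
        cp /tmp/artifacts/firmware-images/*.img /tmp/artifacts-upload
        cp /tmp/artifacts/packages-oobfw/*.ipk /tmp/artifacts-upload
        cp /tmp/artifacts/packages-oobpkgs/*.ipk /tmp/artifacts-upload
    # NOTE(review): third-party action running with contents: write and
    # referenced by mutable tag. Pin it to a full commit SHA
    # (softprops/action-gh-release@<full-commit-sha>  # v1) so a moved tag
    # cannot change what runs with the write token.
    - name: Create GitHub Release
      uses: softprops/action-gh-release@v1
      with:
        body: ${{ github.ref_name }}
        files: |
          /tmp/artifacts-upload/*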