path: root/.github/workflows/publish-aur.yml
blob: 7b777c69d8ebf4aff2c315846dee005147b48d57 (plain) (blame)
   # Workflow that updates the package's AUR repository for a release tag.
   name: Publish to AUR

   # Runs on any pushed tag matching v*, or on a manual dispatch that may
   # supply the tag explicitly.
   on:
     push:
       tags:
         - 'v*'
     workflow_dispatch:
       inputs:
         tag:
           # Free-form text typed by whoever starts the run; treat it as
           # untrusted wherever it reaches a shell. The description below
           # reads "Tag (starts with v)".
           description: 'Tag (v开头)'
           required: false
           type: string

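   jobs:
     aur:
       runs-on: ubuntu-latest
       # Least privilege: none of the visible steps uses GITHUB_TOKEN (the only
       # credential in play is the AUR SSH key), so grant the token no scopes.
       permissions: {}
       container:
         # NOTE(review): `latest` is a mutable tag, so the code that handles the
         # AUR key can change between runs. Consider pinning by digest
         # (archlinux@sha256:<digest>) and updating it deliberately.
         image: archlinux:latest
       steps: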
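         - name: Install dependencies
           run: |
             # Sync and upgrade in one transaction. Refreshing the database and
             # installing without upgrading (-Sy alone) is a partial upgrade,
             # which Arch does not support.
             pacman -Syu --noconfirm git openssh base-devel aurpublish sudo
             # Create the unprivileged builder user that the later steps run as.
             useradd -m builder
             # Allow builder to use sudo without a password.
             # NOTE(review): this makes builder root-equivalent, so anything run
             # as builder (including a sourced PKGBUILD) can become root. The
             # visible steps only call sudo from root to drop to builder; confirm
             # whether builder needs this rule at all.
             echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers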

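         - name: Set up SSH for AUR
           env:
             # Hand the key to the script as data. Expanding the secret inside the
             # script text lets the shell reinterpret characters in it and puts
             # the key into the generated script file.
             AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
           run: |
             # Restrictive umask so the key file is never readable by others,
             # not even between its creation and the chmod below.
             umask 077

             # The SSH key must belong to the builder user.
             mkdir -p /home/builder/.ssh
             printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > /home/builder/.ssh/id_ed25519
             chmod 600 /home/builder/.ssh/id_ed25519
             chmod 700 /home/builder/.ssh

             # Record the AUR host key. A failed or empty scan aborts the job
             # instead of continuing without a host key.
             # NOTE(review): the scan learns the key over the same network it is
             # meant to protect, so it is trust-on-first-use on every run. For
             # real server authentication, store a host key verified out of band
             # and write that into known_hosts instead.
             ssh-keyscan -t ed25519 aur.archlinux.org >> /home/builder/.ssh/known_hosts
             test -s /home/builder/.ssh/known_hosts
             chmod 644 /home/builder/.ssh/known_hosts

             # Fix ownership so builder can use the files.
             chown -R builder:builder /home/builder/.ssh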

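         - name: Clone AUR repo
           run: |
             # Run git clone as the builder user.
             # Host key checking stays on: the server must match the entry in
             # known_hosts written by the SSH set-up step. With checking disabled,
             # a spoofed server could serve a PKGBUILD that a later step sources
             # as builder, next to the private key.
             # NOTE(review): the publish step builds the same GIT_SSH_COMMAND and
             # should use the same setting.
             sudo -u builder bash -c 'GIT_SSH_COMMAND="ssh -i /home/builder/.ssh/id_ed25519 -o UserKnownHostsFile=/home/builder/.ssh/known_hosts -o StrictHostKeyChecking=yes" git clone ssh://aur@aur.archlinux.org/soon.git /home/builder/aur-push'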

         - name: Set git user
           run: |
             # Write the commit identity and the safe.directory entry into the
             # builder user's global git configuration.
             builder_git_config() {
               sudo -u builder git config --global "$@"
             }
             builder_git_config user.name "github-actions[bot]"
             builder_git_config user.email "github-actions[bot]@users.noreply.github.com"
             builder_git_config --add safe.directory /home/builder/aur-push

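         - name: Update PKGBUILD and .SRCINFO
           env:
             # The dispatch input goes through the environment so the shell sees
             # it as data; expanding it inside the script text would let a crafted
             # value run as commands.
             DISPATCH_TAG: ${{ github.event.inputs.tag }}
           run: |
             # Choose the tag: the manual input when one was given, otherwise the
             # last path component of the pushed ref.
             if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && [ -n "$DISPATCH_TAG" ]; then
               TAG="$DISPATCH_TAG"
             else
               TAG="${GITHUB_REF##*/}"
             fi
             VERSION="${TAG#v}"

             # Allow-list the version before it reaches sed and the commit
             # message. The set is deliberately conservative; widen it only if a
             # real release needs another character. The rejected value is not
             # echoed, so it cannot inject workflow commands into the log.
             case "$VERSION" in
               ''|*[!A-Za-z0-9._+]*)
                 echo "Refusing tag: version is empty or has characters outside [A-Za-z0-9._+]" >&2
                 exit 1
                 ;;
             esac
             echo "Updating to version: $VERSION"

             # Build and commit as the builder user. The version is passed as a
             # positional argument, never spliced into the script text.
             sudo -u builder bash -c '
               # Stop at the first failure so a failed makepkg cannot leave a
               # truncated .SRCINFO that then gets committed.
               set -euo pipefail
               version="$1"
               cd /home/builder/aur-push

               # Set the new package version.
               sed -i "s/^pkgver=.*/pkgver=${version}/" PKGBUILD

               # Regenerate .SRCINFO from the updated PKGBUILD.
               makepkg --printsrcinfo > .SRCINFO

               git add PKGBUILD .SRCINFO

               if ! git diff --cached --quiet; then
                 git commit -m "release: $version"
               else
                 echo "No changes to commit"
               fi
             ' _ "$VERSION"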

         - name: Publish to AUR with aurpublish
           run: |
             # 切换到 builder 用户发布
             sudo -u builder bash -c '
               cd /home/builder/aur-push
               GIT_SSH_COMMAND="ssh -i /home/builder/.ssh/id_ed25519 -o UserKnownHostsFile=/home/builder/.ssh/known_hosts -o StrictHostKeyChecking=no" aurpublish soon