Fix to drop "setuid" bit from "jk_chrootsh" #2
| name: "virtualmin.dev: virtualmin/jailkit" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| release: | |
| types: | |
| - prereleased | |
| - released | |
| env: | |
| TZ: Europe/Nicosia | |
| JK_SHA256: "aa27dc1b2dbbbfcec2b970731f44ced7079afc973dc066757cea1beb4e8ce59c" | |
| IS_RELEASE: ${{ github.event_name == 'release' }} | |
| IS_PRERELEASE: ${{ github.event.release.prerelease || false }} | |
| BUILD_BOOTSTRAP: "https://raw.githubusercontent.com/webmin/webmin-ci-cd/main/build/bootstrap.bash" | |
| BUILD_DEPS: "git tar curl gzip coreutils openssh-client gnupg" | |
| jobs: | |
| build-x86_64: | |
| name: Build RPM (x86_64) | |
| runs-on: ubuntu-latest | |
| container: | |
| image: rockylinux:8 | |
| if: ${{ !contains(github.event.head_commit.message, '[no-build]') }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install build deps | |
| run: | | |
| dnf -y install rpm-build make gcc autoconf automake \ | |
| glibc-devel libcap-devel python3 \ | |
| curl tar bzip2 patch findutils | |
| ln -sf /usr/bin/python3 /usr/bin/python || true | |
| ln -snf /usr/share/zoneinfo/$TZ /etc/localtime || true | |
| - name: Read version from spec | |
| run: | | |
| JK_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)" | |
| echo "JK_VER=$JK_VER" >> "$GITHUB_ENV" | |
| echo "Building JK_VER=$JK_VER" | |
| - name: Prepare rpmbuild tree | |
| run: | | |
| mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} | |
| cp -v SPECS/jailkit.spec rpmbuild/SPECS/ | |
| cp -v SOURCES/* rpmbuild/SOURCES/ 2>/dev/null || true | |
| - name: Fetch upstream tarball + verify sha256 | |
| run: | | |
| curl -fsSL -o rpmbuild/SOURCES/jailkit-${JK_VER}.tar.bz2 \ | |
| "https://olivier.sessink.nl/jailkit/jailkit-${JK_VER}.tar.bz2" | |
| echo "${JK_SHA256} rpmbuild/SOURCES/jailkit-${JK_VER}.tar.bz2" | sha256sum -c - | |
| - name: Build RPM | |
| run: | | |
| rpmbuild --define "_topdir $PWD/rpmbuild" --define "dist %{nil}" \ | |
| -ba rpmbuild/SPECS/jailkit.spec | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: jailkit-rpm-x86_64 | |
| path: | | |
| rpmbuild/RPMS/**/*.rpm | |
| rpmbuild/SRPMS/*.src.rpm | |
| build-aarch64: | |
| name: Build RPM (aarch64) | |
| runs-on: ubuntu-24.04-arm | |
| container: | |
| image: rockylinux:8 | |
| if: ${{ !contains(github.event.head_commit.message, '[no-build]') }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install build deps | |
| run: | | |
| dnf -y install rpm-build make gcc autoconf automake \ | |
| glibc-devel libcap-devel python3 \ | |
| curl tar bzip2 patch findutils | |
| ln -sf /usr/bin/python3 /usr/bin/python || true | |
| ln -snf /usr/share/zoneinfo/$TZ /etc/localtime || true | |
| - name: Read version from spec | |
| run: | | |
| JK_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)" | |
| echo "JK_VER=$JK_VER" >> "$GITHUB_ENV" | |
| echo "Building JK_VER=$JK_VER" | |
| - name: Prepare rpmbuild tree | |
| run: | | |
| mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS} | |
| cp -v SPECS/jailkit.spec rpmbuild/SPECS/ | |
| cp -v SOURCES/* rpmbuild/SOURCES/ 2>/dev/null || true | |
| - name: Fetch upstream tarball + verify sha256 | |
| run: | | |
| curl -fsSL -o rpmbuild/SOURCES/jailkit-${JK_VER}.tar.bz2 \ | |
| "https://olivier.sessink.nl/jailkit/jailkit-${JK_VER}.tar.bz2" | |
| echo "${JK_SHA256} rpmbuild/SOURCES/jailkit-${JK_VER}.tar.bz2" | sha256sum -c - | |
| - name: Build RPM | |
| run: | | |
| rpmbuild --define "_topdir $PWD/rpmbuild" --define "dist %{nil}" \ | |
| -ba rpmbuild/SPECS/jailkit.spec | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: jailkit-rpm-aarch64 | |
| path: rpmbuild/RPMS/**/*.rpm | |
| collect: | |
| name: Collect (single artifact) | |
| needs: [build-x86_64, build-aarch64] | |
| runs-on: ubuntu-latest | |
| if: ${{ !contains(github.event.head_commit.message, '[no-build]') }} | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: packages | |
| merge-multiple: true | |
| - run: find packages -type f -name "jailkit-*.rpm" | sort | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: jailkit-rpms | |
| path: packages | |
| retention-days: 30 | |
| publish: | |
| name: Publish to cloud + rebuild repos | |
| needs: [collect] | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name != 'pull_request' && !contains(github.event.head_commit.message, '[no-build]') }} | |
| steps: | |
| - name: Install deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y ${{ env.BUILD_DEPS }} | |
| sudo timedatectl set-timezone ${{ env.TZ }} | |
| - name: Download packages artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: jailkit-rpms | |
| path: packages | |
| - name: Fetch bootstrap | |
| run: curl -fsSLO ${{ env.BUILD_BOOTSTRAP }} | |
| - name: Upload only main RPMs + sign + build repos | |
| env: | |
| CLOUD__IP_ADDR: ${{ secrets.DEV_IP_ADDR }} | |
| CLOUD__IP_KNOWN_HOSTS: ${{ secrets.DEV_IP_KNOWN_HOSTS }} | |
| CLOUD__UPLOAD_SSH_USER: ${{ secrets.DEV_UPLOAD_SSH_USER }} | |
| CLOUD__UPLOAD_SSH_DIR: ${{ env.IS_RELEASE == 'true' && secrets.PRERELEASE_UPLOAD_SSH_DIR || secrets.DEV_UPLOAD_SSH_DIR }} | |
| CLOUD__SSH_PRV_KEY: ${{ secrets.DEV_SSH_PRV_KEY }} | |
| CLOUD__GPG_PH2: ${{ secrets.ALL_GPG_PH2 }} | |
| CLOUD__GH_TOKEN: ${{ github.token }} | |
| run: |- | |
| source bootstrap.bash \ | |
| $([[ "${{ env.IS_RELEASE }}" == "true" ]] && echo "--release" || echo "--testing") \ | |
| $([[ "${{ env.IS_PRERELEASE }}" == "true" ]] && echo "--prerelease") | |
| mkdir -p "$ROOT_REPOS" | |
| find packages -type f -name 'jailkit-[0-9]*.[0-9]*-[0-9]*.x86_64.rpm' -exec cp -v {} "$ROOT_REPOS/" \; | |
| find packages -type f -name 'jailkit-[0-9]*.[0-9]*-[0-9]*.aarch64.rpm' -exec cp -v {} "$ROOT_REPOS/" \; | |
| upload_list=("$ROOT_REPOS/"*) | |
| cloud_upload upload_list | |
| cloud_sign_and_build_repos_auto virtualmin.dev |
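Review bot: The bootstrap script downloaded in the `Fetch bootstrap` step from the mutable `main` branch of another repository is `source`d in the `Upload only main RPMs + sign + build repos` step with the upload SSH private key, GPG passphrase and GitHub token in its environment, and unlike the jailkit tarball (pinned by `JK_SHA256` and checked with `sha256sum -c` in both build jobs) nothing verifies what was fetched. Pinning `BUILD_BOOTSTRAP` to an immutable ref and checking it before sourcing keeps the publish job's trust rooted in this repository: `BUILD_BOOTSTRAP: "https://raw.githubusercontent.com/webmin/webmin-ci-cd/<commit-sha>/build/bootstrap.bash"` (placeholder ref) and, after the download, `echo "<expected-sha256>  bootstrap.bash" | sha256sum -c -` (placeholder digest). Separately, `CLOUD__UPLOAD_SSH_DIR` selects `PRERELEASE_UPLOAD_SSH_DIR` whenever `IS_RELEASE` is true, so a full (non-pre) release appears to be uploaded to the prerelease directory; if that is unintended the condition should also consult `IS_PRERELEASE`. The `build-x86_64` and `build-aarch64` jobs are otherwise line-for-line duplicates and could be a single job with a `strategy.matrix` over `runs-on` and the artifact name, so future fixes to the fetch/verify steps land in both.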