fix(ci): inline APK repo generation to avoid glibc binary on Alpine

The mage-static binary is compiled with glibc which can't run on
Alpine's musl. Instead of fighting compatibility, inline the APK
repo generation as shell commands since the logic is simple.
kolaente 2026-04-13 15:03:52 +02:00
parent 1eafd31a2a
commit a110642093
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
2 changed files with 26 additions and 71 deletions


@ -318,23 +318,38 @@ jobs:
echo "${{ secrets.APK_SIGNING_KEY }}" > ~/.abuild/vikunja-apk.rsa
echo "PACKAGER_PRIVKEY=$HOME/.abuild/vikunja-apk.rsa" > ~/.abuild/abuild.conf
- name: Debug mage-static binary
if: matrix.format == 'apk'
run: |
ls -la ./mage-static || true
file ./mage-static || true
readelf -l ./mage-static 2>/dev/null | grep -i interpreter || echo "no interpreter"
ldd ./mage-static 2>&1 || true
- name: Generate repo metadata
if: matrix.format != 'apk'
env:
RELEASE_GPG_KEY: ${{ matrix.format != 'apk' && '7D061A4AA61436B40713D42EFF054DACD908493A' || '' }}
RELEASE_GPG_PASSPHRASE: ${{ matrix.format != 'apk' && secrets.RELEASE_GPG_PASSPHRASE || '' }}
APK_SIGNING_KEY_PATH: ${{ matrix.format == 'apk' && '~/.abuild/vikunja-apk.rsa' || '' }}
RELEASE_GPG_KEY: 7D061A4AA61436B40713D42EFF054DACD908493A
RELEASE_GPG_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
run: |
chmod +x ./mage-static
./mage-static ${{ matrix.mage_target }}
- name: Generate APK repo metadata
if: matrix.format == 'apk'
run: |
incoming=dist/repo-work/incoming
output_base=dist/repo-output/apk/$REPO_SUITE/main
signing_key=~/.abuild/vikunja-apk.rsa
for arch in x86_64 aarch64 armv7; do
repo_dir="$output_base/$arch"
mkdir -p "$repo_dir"
# Symlink matching packages
found=false
for pkg in "$incoming"/*-"$arch".apk; do
[ -f "$pkg" ] || continue
found=true
ln -sf "$(realpath "$pkg")" "$repo_dir/$(basename "$pkg")"
done
$found || continue
# Create index and sign
apk index --allow-untrusted -o "$repo_dir/APKINDEX.tar.gz" "$repo_dir"/*.apk
abuild-sign -k "$signing_key" "$repo_dir/APKINDEX.tar.gz"
done
echo "APK repo metadata generated in $output_base"
- name: Debug - repo output structure
run: find dist/repo-output -type f 2>/dev/null || ls -laR dist/repo-output/ || true
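Review bot: The new `Generate APK repo metadata` step reads `$REPO_SUITE` with no fallback, whereas the removed `RepoApk` doc comment promised a default of "stable". If the job does not export the variable (its `env:` is not visible in this hunk), the signed index lands in `dist/repo-output/apk//main`, so I would write `output_base=dist/repo-output/apk/${REPO_SUITE:-stable}/main`. Separately, `apk index --allow-untrusted` followed by `abuild-sign` puts the release signature on an index of whatever `*-$arch.apk` files sit in `incoming`, apparently without checking them first. A comment such as `# packages in incoming/ are built and signed earlier in this workflow; --allow-untrusted only skips the local keyring check` would record that assumption, or the step could verify each package before indexing. The step also succeeds silently when no architecture has any package, so a final check that at least one `APKINDEX.tar.gz` was produced would catch an empty release.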


@ -67,7 +67,6 @@ var (
"release:os-package": Release.OsPackage,
"release:prepare-nfpm-config": Release.PrepareNFPMConfig,
"release:repo-apt": Release.RepoApt,
"release:repo-apk": Release.RepoApk,
"release:repo-rpm": Release.RepoRpm,
"release:repo-pacman": Release.RepoPacman,
"dev:make-migration": Dev.MakeMigration,
@ -1364,65 +1363,6 @@ func (Release) RepoRpm(ctx context.Context) error {
return nil
}
// RepoApk generates Alpine APK repository index for all .apk files in the work directory.
// Expects .apk files in <DIST>/repo-work/incoming/ and outputs to <DIST>/repo-output/apk/<suite>/main/.
// Environment: APK_SIGNING_KEY_PATH must point to an RSA private key for abuild-sign.
// Environment: REPO_SUITE controls the target suite (default: "stable").
func (Release) RepoApk(ctx context.Context) error {
mg.Deps(initVars)
suite := repoSuite()
incomingDir := filepath.Join(DIST, "repo-work", "incoming")
outputBase := filepath.Join(DIST, "repo-output", "apk", suite, "main")
signingKey := os.Getenv("APK_SIGNING_KEY_PATH")
archMap := map[string]string{
"x86_64": "x86_64",
"aarch64": "aarch64",
"armv7": "armv7",
}
for pkgArch, repoArch := range archMap {
repoDir := filepath.Join(outputBase, repoArch)
if err := os.MkdirAll(repoDir, 0o755); err != nil {
return err
}
pattern := filepath.Join(incomingDir, "*-"+pkgArch+".apk")
apks, _ := filepath.Glob(pattern)
if len(apks) == 0 {
continue
}
for _, apk := range apks {
abs, _ := filepath.Abs(apk)
dst := filepath.Join(repoDir, filepath.Base(apk))
os.Remove(dst)
if err := os.Symlink(abs, dst); err != nil {
return err
}
}
// Collect all .apk paths in repo dir for apk index
repoApks, _ := filepath.Glob(filepath.Join(repoDir, "*.apk"))
indexArgs := append([]string{"index", "--allow-untrusted", "-o", filepath.Join(repoDir, "APKINDEX.tar.gz")}, repoApks...)
if err := runAndStreamOutput(ctx, "apk", indexArgs...); err != nil {
return fmt.Errorf("apk index for %s: %w", repoArch, err)
}
// Sign with abuild-sign
if err := runAndStreamOutput(ctx, "abuild-sign",
"-k", signingKey,
filepath.Join(repoDir, "APKINDEX.tar.gz"),
); err != nil {
return fmt.Errorf("abuild-sign for %s: %w", repoArch, err)
}
}
fmt.Println("APK repo metadata generated in", outputBase)
return nil
}
// RepoPacman generates Pacman repository database for all .archlinux files in the work directory.
// Expects .archlinux files in <DIST>/repo-work/incoming/ and outputs to <DIST>/repo-output/pacman/<suite>/.
// Environment: RELEASE_GPG_KEY, RELEASE_GPG_PASSPHRASE must be set for signing.