release: fix AUR host keys and harden tap auth

This commit is contained in:
2026-03-02 18:14:44 -05:00
parent 076aa10c2b
commit af9dcc8d15
2 changed files with 27 additions and 7 deletions


@@ -90,14 +90,15 @@ jobs:
echo "missing required secret: AUR_SSH_PRIVATE_KEY" >&2 echo "missing required secret: AUR_SSH_PRIVATE_KEY" >&2
exit 1 exit 1
fi fi
mkdir -p ~/.ssh mkdir -p "$HOME/.ssh"
echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > ~/.ssh/aur printf '%s\n' "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > "$HOME/.ssh/aur"
chmod 600 ~/.ssh/aur chmod 600 "$HOME/.ssh/aur"
ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts ssh-keyscan -H aur.archlinux.org >> "$HOME/.ssh/known_hosts"
chmod 644 "$HOME/.ssh/known_hosts"
- name: Publish openbitdo and openbitdo-bin - name: Publish openbitdo and openbitdo-bin
env: env:
GIT_SSH_COMMAND: ssh -i ~/.ssh/aur -o IdentitiesOnly=yes GIT_SSH_COMMAND: ssh -i $HOME/.ssh/aur -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=accept-new
run: | run: |
set -euo pipefail set -euo pipefail
publish_pkg() { publish_pkg() {
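Review bot: The private key on the new line 16 is still spliced into the script text by `${{ }}` expression expansion before bash parses it, so a quote or `$` in the secret becomes shell syntax rather than data; map it through the step's `env:` instead, `AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}`, and write it with `printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > "$HOME/.ssh/aur"` (the step's `name:` and any existing `env:` for it are outside the hunk). The host key is still trust-on-first-use: `ssh-keyscan -H aur.archlinux.org` records whatever key answers at run time, so a misdirected or intercepted lookup is simply written to known_hosts as trusted. Arch publishes the AUR host key fingerprints; pin them by committing the known_hosts entry to the repo, or by checking `ssh-keygen -lf` output against the published fingerprint before appending, and use `-o StrictHostKeyChecking=yes` in GIT_SSH_COMMAND so that an empty keyscan result fails the push instead of being accepted by `accept-new`. Writing the key with `>` and only then `chmod 600` leaves it at the default umask for a moment; `(umask 077; printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > "$HOME/.ssh/aur")` closes that window.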


@@ -16,7 +16,8 @@ HOMEBREW_TAP_TOKEN="$(printf '%s' "${HOMEBREW_TAP_TOKEN}" | tr -d '\r\n')"
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
TAP_REPO="${HOMEBREW_TAP_REPO:-bybrooklyn/homebrew-openbitdo}" TAP_REPO="${HOMEBREW_TAP_REPO:-bybrooklyn/homebrew-openbitdo}"
TAP_USER="${HOMEBREW_TAP_USERNAME:-${GITHUB_ACTOR:-x-access-token}}" TAP_OWNER="${TAP_REPO%%/*}"
TAP_USER="${HOMEBREW_TAP_USERNAME:-$TAP_OWNER}"
FORMULA_SOURCE="${FORMULA_SOURCE:-$ROOT/packaging/homebrew/Formula/openbitdo.rb}" FORMULA_SOURCE="${FORMULA_SOURCE:-$ROOT/packaging/homebrew/Formula/openbitdo.rb}"
TMP="$(mktemp -d)" TMP="$(mktemp -d)"
@@ -25,7 +26,24 @@ if [[ ! -f "$FORMULA_SOURCE" ]]; then
exit 1 exit 1
fi fi
git clone "https://${TAP_USER}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git" "$TMP/tap" clone_url() {
local user="$1"
echo "attempting tap clone using token auth as '${user}'"
git clone "https://${user}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git" "$TMP/tap"
}
if ! clone_url "$TAP_USER"; then
# Some token types (for example GitHub App tokens) require x-access-token.
if [[ "$TAP_USER" != "x-access-token" ]]; then
rm -rf "$TMP/tap"
clone_url "x-access-token"
TAP_USER="x-access-token"
else
echo "failed to clone tap repo with HOMEBREW_TAP_TOKEN" >&2
exit 1
fi
fi
mkdir -p "$TMP/tap/Formula" mkdir -p "$TMP/tap/Formula"
cp "$FORMULA_SOURCE" "$TMP/tap/Formula/openbitdo.rb" cp "$FORMULA_SOURCE" "$TMP/tap/Formula/openbitdo.rb"
@@ -37,4 +55,5 @@ git commit -m "Update openbitdo formula" || {
echo "no formula changes to push" echo "no formula changes to push"
exit 0 exit 0
} }
git remote set-url origin "https://${TAP_USER}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git"
git push git push
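Review bot: The token is still embedded in the clone URL on the new line 42, and again by the `git remote set-url` line in the third hunk, so it is stored verbatim in `$TMP/tap/.git/config` and appears in the `git clone` argv, where other processes on the host can read it for the duration of the clone; git redacts URL passwords in some of its own messages, but not in the remote config it writes. Supply the credential out of band through a helper that reads it from the environment at use time, as sketched below, and pass the same `-c` options on the final `git push` (with `TAP_USER` exported) so the set-url line can be dropped; this assumes `HOMEBREW_TAP_TOKEN` is exported, which the script header outside the hunk would show. The fallback path also loses its diagnostic: if the script runs under `set -e`, a failing `clone_url "x-access-token"` exits before the line-51 message is reached, so `clone_url "x-access-token" || { echo "failed to clone tap repo with HOMEBREW_TAP_TOKEN" >&2; exit 1; }` keeps the error visible. Whether `$TMP` is removed by a trap is not visible in these hunks; if it is not, the on-disk copy of the remote URL outlives the run.
```shell
# Credential helper reads the token from the environment when git asks for it,
# so the secret is in neither the clone argv nor the persisted remote URL.
git_auth=(-c credential.helper= -c 'credential.helper=!f() { printf "username=%s\npassword=%s\n" "$TAP_USER" "$HOMEBREW_TAP_TOKEN"; }; f')
clone_url() {
  local user="$1"
  echo "attempting tap clone using token auth as '${user}'"
  TAP_USER="$user" git "${git_auth[@]}" clone "https://github.com/${TAP_REPO}.git" "$TMP/tap"
}
# … unchanged: fallback to x-access-token, formula copy and commit …
```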