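# Publishes the openbitdo-bin package metadata (PKGBUILD + .SRCINFO) to the AUR
# for a tag that has already been released on GitHub.
#
# Flow: wait for the GitHub release -> download its assets -> render AUR
# metadata from them -> upload the rendered files as an audit artifact ->
# configure the AUR SSH identity -> commit and push to the AUR git remote.
name: AUR Publish

on:
  workflow_call:
    inputs:
      tag:
        description: "Release tag to publish (for example: v0.0.1-rc.2)"
        required: true
        type: string
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to publish (for example: v0.0.1-rc.2)"
        required: true
        type: string

# The GitHub token only needs to read the release; the AUR push uses SSH.
permissions:
  contents: read

jobs:
  publish-aur:
    # Opt-in switch: the job runs only when the repository variable is '1'.
    if: vars.AUR_PUBLISH_ENABLED == '1'
    runs-on: ubuntu-latest
    # NOTE(review): `archlinux:base` is a mutable tag. Pinning by digest
    # (archlinux:base@sha256:<IMAGE_DIGEST>) makes the build environment of a
    # job that holds a publishing key reproducible and tamper-evident.
    container: archlinux:base
    env:
      # The tag reaches the scripts as an environment variable, never as
      # text expanded into the script body. GH_TOKEN is set only on the
      # steps that call `gh`, so the SSH and publish steps never see it.
      TAG: ${{ inputs.tag }}
    steps:
      # NOTE(review): pin actions to a full commit SHA
      # (actions/checkout@<FULL_COMMIT_SHA>  # v4) so a moved tag cannot
      # change what runs in this job.
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials for this repository (`gh`
          # uses GH_TOKEN, the AUR push uses SSH), so do not leave the token
          # in .git/config for the rest of the job.
          persist-credentials: false

      - name: Install AUR packaging dependencies
        run: |
          # -Syu rather than -Sy: Arch does not support partial upgrades, and
          # syncing the database without upgrading can install packages
          # linked against newer libraries than the base image ships.
          pacman -Syu --noconfirm --needed base-devel git openssh curl github-cli

      - name: Wait for release assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # Poll for up to 30 x 10 s until the release for $TAG is visible.
          for attempt in $(seq 1 30); do
            if gh release view "$TAG" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
              echo "release ${TAG} is available"
              exit 0
            fi
            sleep 10
          done
          echo "release ${TAG} was not found after waiting" >&2
          exit 1

      - name: Render AUR metadata from released assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          mkdir -p /tmp/release-input /tmp/release-metadata
          gh release download "$TAG" --repo "$GITHUB_REPOSITORY" \
            --pattern "openbitdo-${TAG}-linux-x86_64.tar.gz" \
            --pattern "openbitdo-${TAG}-linux-aarch64.tar.gz" \
            --pattern "openbitdo-${TAG}-macos-arm64.tar.gz" \
            --dir /tmp/release-input
          bash packaging/scripts/render_release_metadata.sh \
            "$TAG" \
            "$GITHUB_REPOSITORY" \
            /tmp/release-input \
            /tmp/release-metadata
          # makepkg refuses to run as root, so .SRCINFO is generated by an
          # unprivileged user that owns the rendered metadata directory.
          useradd -m builder
          chown -R builder:builder /tmp/release-metadata
          su builder -s /bin/bash -c "set -euo pipefail; \
            cd /tmp/release-metadata/aur/openbitdo-bin; \
            makepkg --printsrcinfo > .SRCINFO"

      # Keeps a copy of exactly what is about to be pushed, so a published
      # PKGBUILD can later be compared against what this run rendered.
      # NOTE(review): pin to a commit SHA, as for actions/checkout above.
      - name: Upload rendered metadata (audit)
        uses: actions/upload-artifact@v4
        with:
          name: aur-rendered-metadata-${{ inputs.tag }}
          path: |
            /tmp/release-metadata/aur/openbitdo-bin/PKGBUILD
            /tmp/release-metadata/aur/openbitdo-bin/.SRCINFO
            /tmp/release-metadata/checksums.env

      - name: Configure SSH for AUR
        env:
          # Secrets are handed over as environment variables instead of being
          # expanded into the script text with ${{ }}: expansion happens
          # before the shell parses the script, so a quote or `$` inside a
          # secret would alter the script, and the secret would be written
          # into the generated script file.
          AUR_USERNAME: ${{ secrets.AUR_USERNAME }}
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          # AUR_USERNAME is only checked for presence here; the push below
          # uses the fixed `aur@` SSH user.
          if [[ -z "${AUR_USERNAME:-}" ]]; then
            echo "missing required secret: AUR_USERNAME" >&2
            exit 1
          fi
          if [[ -z "${AUR_SSH_PRIVATE_KEY:-}" ]]; then
            echo "missing required secret: AUR_SSH_PRIVATE_KEY" >&2
            exit 1
          fi
          # Restrictive umask so the key file is never group/world readable,
          # not even between creation and the chmod below.
          umask 077
          mkdir -p "$HOME/.ssh"
          printf '%s\n' "$AUR_SSH_PRIVATE_KEY" > "$HOME/.ssh/aur"
          chmod 600 "$HOME/.ssh/aur"
          # NOTE(review): ssh-keyscan trusts whatever host key the network
          # returns at scan time. Prefer writing a known_hosts entry pinned
          # from the host key fingerprints the AUR publishes, and keep
          # ssh-keyscan only as a fallback.
          ssh-keyscan -H aur.archlinux.org >> "$HOME/.ssh/known_hosts"
          # Fail here rather than let the publish step run with no host key
          # on record.
          if [[ ! -s "$HOME/.ssh/known_hosts" ]]; then
            echo "no host key recorded for aur.archlinux.org" >&2
            exit 1
          fi
          chmod 644 "$HOME/.ssh/known_hosts"

      - name: Publish openbitdo-bin
        env:
          # $HOME is left literal here; git runs GIT_SSH_COMMAND through the
          # shell, which expands it. StrictHostKeyChecking=yes (instead of
          # accept-new) makes ssh refuse any host whose key is not already in
          # the known_hosts file written by the previous step.
          GIT_SSH_COMMAND: >-
            ssh -i $HOME/.ssh/aur
            -o IdentitiesOnly=yes
            -o UserKnownHostsFile=$HOME/.ssh/known_hosts
            -o StrictHostKeyChecking=yes
        run: |
          set -euo pipefail

          # Clone (or bootstrap) the AUR repository for one package, copy in
          # the rendered PKGBUILD and .SRCINFO, and push if they changed.
          publish_pkg() {
            local pkg="$1"
            local remote="aur@aur.archlinux.org:${pkg}.git"
            local tmp_root
            local workdir
            tmp_root="$(mktemp -d)"
            workdir="${tmp_root}/${pkg}"

            # NOTE(review): any clone failure (including an authentication
            # or host key failure) takes the bootstrap branch, so the
            # "bootstrap-created" log line does not by itself prove the
            # package was new.
            if git clone "$remote" "$workdir"; then
              echo "${pkg}: updated-existing"
            else
              echo "${pkg}: bootstrap-created"
              mkdir -p "$workdir"
              cd "$workdir"
              git init
              git remote add origin "$remote"
            fi

            cp "/tmp/release-metadata/aur/${pkg}/PKGBUILD" "${workdir}/PKGBUILD"
            cp "/tmp/release-metadata/aur/${pkg}/.SRCINFO" "${workdir}/.SRCINFO"

            cd "$workdir"
            git config user.name "openbitdo-ci"
            git config user.email "actions@users.noreply.github.com"
            git add PKGBUILD .SRCINFO
            # Nothing staged means the AUR already has this metadata.
            if git diff --cached --quiet; then
              echo "${pkg}: no metadata changes"
              return 0
            fi
            git commit -m "Update ${pkg} package for ${TAG}"

            # If the remote has no branch yet, create master explicitly.
            if git ls-remote --exit-code --heads origin >/dev/null 2>&1; then
              git push
            else
              git push -u origin HEAD:master
            fi
          }

          publish_pkg openbitdo-bin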