Update repositories on full release/pre-release

.github/workflows/update-repositories.yml

@@ -0,0 +1,156 @@
+name: Update repositories with packages
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  update-apt:
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    outputs:
+      amd64_sha: ${{ steps.get_sha.outputs.AMD64_SHA }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download .deb assets from release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir debs
+          gh release download "${{ github.event.release.tag_name }}" \
+            --pattern "*.deb" \
+            --dir debs
+
+      - name: Get AMD64 DEB SHA256 # Obtain SHA for AUR
+        run: |
+          sha=$(sha256sum debs/defguard-client_*_amd64.deb | grep -v ubuntu | awk '{print $1}')
+          echo "AMD64_SHA=$sha" >> $GITHUB_OUTPUT
+        id: get_sha
+
+      - name: Install ruby with deb-s3
+        run: |
+          sudo apt-get install -y ruby
+          gem install deb-s3
+          echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
+
+      - name: Upload DEB to APT repository
+        run: |
+          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
+            component="pre-release"
+          else
+            component="release"
+          fi
+
+          for deb_file in debs/*.deb; do
+            if [[ "$deb_file" == *"ubuntu-22-04-lts"* ]]; then
+              codename="bookworm"
+            else
+              codename="trixie"
+            fi
+
+            echo "Uploading $deb_file to $codename"
+            deb-s3 upload -l \
+              --bucket=apt.defguard.net \
+              --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} \
+              --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} \
+              --s3-region=eu-north-1 \
+              --no-fail-if-exists \
+              --codename="$codename" \
+              --component="$component"
+              "$deb_file"
+          done
+
+  apt-sign:
+    needs:
+      - update-apt
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    steps:
+      - name: Sign APT repository
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+          export AWS_REGION=eu-north-1
+          sudo apt update -y
+          sudo apt install -y awscli curl jq
+
+          for DIST in trixie bookworm; do
+            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
+
+            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+              -F "file=@Release" \
+              -o response.json
+
+            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+
+            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+          done
+          (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
+          aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
+  update-aur:
+    if: github.event.release.prerelease == false
+    needs:
+      - update-apt
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    container: archlinux:latest
+    steps:
+      - name: Install dependencies
+        run: |
+          pacman -Syu --noconfirm
+          pacman -S --noconfirm git openssh base-devel
+      - name: Setup SSH for AUR
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan aur.archlinux.org >> ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+          # Create SSH config file
+          cat > ~/.ssh/config << EOF
+          Host aur.archlinux.org
+            IdentityFile ~/.ssh/id_rsa
+            User aur
+            StrictHostKeyChecking accept-new
+          EOF
+          chmod 600 ~/.ssh/config
+      - name: Update AUR Package
+        run: |
+
+          git config --global user.name "Defguard Build System"
+          git config --global user.email "[email protected]"
+          git config --global --add safe.directory '*'
+
+          rm -rf aur-repo || true
+          GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new" \
+            git clone "ssh://[email protected]/defguard-client.git" aur-repo
+          cd aur-repo
+          git config --global --add safe.directory "$(pwd)"
+          VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+          echo "Updating to version: $VERSION"
+          sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD
+
+          AMD64_SHA="${{ needs.update-apt.outputs.amd64_sha }}"
+          echo "AMD64 DEB SHA256: $AMD64_SHA"
+          sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD
+
+          useradd -m builduser
+          chown -R builduser:builduser .
+
+          su builduser -c "makepkg --printsrcinfo" > .SRCINFO
+          git add PKGBUILD .SRCINFO
+          git commit -m "Updated to $VERSION"
+          GIT_SSH_COMMAND="ssh -v -i ~/.ssh/id_rsa -o StrictHostKeyChecking=accept-new" git push
+          cat PKGBUILD
+          cat .SRCINFO