Brodino/webkit2gtk-automator
1
0
Fork 0
mirror of https://github.com/Brodino96/webkit2gtk-automator.git synced 2026-05-06 06:31:13 +02:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: Brodino/webkit2gtk-automator:v2.50.6-5
Branches Tags
Brodino/webkit2gtk-automator:main Brodino/webkit2gtk-automator:workflow
Brodino/webkit2gtk-automator:v2.50.6-7 Brodino/webkit2gtk-automator:v2.50.6-5
...
compare: Brodino/webkit2gtk-automator:workflow
Branches Tags
Brodino/webkit2gtk-automator:main Brodino/webkit2gtk-automator:workflow
Brodino/webkit2gtk-automator:v2.50.6-7 Brodino/webkit2gtk-automator:v2.50.6-5

7 Commits
v2.50.6-5 ... workflow

Author SHA1 Message Date
Brodino 0a04b994ae feat: asked claude sonnet 4.6 to rework as github workflow instead of on my machine 2026-04-30 09:59:35 +02:00
Brodino 475ffc8445 feat(build): now limits hardware usage also on docker 2026-04-27 21:50:20 +02:00
Brodino 18e834b08c fix(build): now respects core limitations 2026-04-27 21:49:46 +02:00
Brodino 761b48f535 feat(readme): created readme file 2026-04-27 14:32:44 +02:00
Brodino 47e8d717a6 feat: add artifact caching to build process and improve error logging 2026-04-27 14:21:15 +02:00
Brodino f29ef992a9 feat(git): updated gitignore 2026-04-27 14:21:10 +02:00
Brodino 726d9cebb0 feat: removed file 2026-04-27 14:21:01 +02:00
12 changed files with 742 additions and 101 deletions
Expand all files Collapse all files
.env.example
+4 -3
View File
@@ -19,6 +19,7 @@ AUR_MAINTAINER_EMAIL=your@email.com
# How often to poll the AUR for updates, in seconds (default: 3600 = 1 hour) # How often to poll the AUR for updates, in seconds (default: 3600 = 1 hour)
POLL_INTERVAL_SECONDS=3600 POLL_INTERVAL_SECONDS=3600
# Number of CPU cores to use for compilation (default: all available cores) # Number of CPU cores to use for compilation (default: 4)
# Reduce this if you want to leave headroom for other processes on the server # This controls both the make -jN parallelism inside the build and the CPU
# NPROC=4 # cap enforced by Docker on the container. Set it once, it applies everywhere
NPROC=4
.github/workflows/build.yml
+176
View File
@@ -0,0 +1,176 @@
name: Build and publish webkit2gtk
on:
workflow_dispatch:
inputs:
aur_version:
description: 'Full AUR version string to build (e.g. 2.46.3-1)'
required: true
type: string
jobs:
build-and-publish:
name: Build webkit2gtk ${{ inputs.aur_version }}
runs-on: ubuntu-latest-96-cores
container:
image: archlinux:latest
# Needed so makepkg can use FUSE/user namespaces inside the container
options: --privileged
permissions:
contents: write # create GitHub Releases and upload assets
env:
GITHUB_REPO: ${{ github.repository }}
AUR_PACKAGE_NAME: webkit2gtk-bin
AUR_MAINTAINER_NAME: ${{ secrets.AUR_MAINTAINER_NAME }}
AUR_MAINTAINER_EMAIL: ${{ secrets.AUR_MAINTAINER_EMAIL }}
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.2
- name: Install build dependencies
run: |
pacman -Syu --noconfirm
pacman -S --noconfirm --needed \
base-devel \
git \
sudo \
curl \
jq \
openssh \
github-cli \
clang \
cmake \
gi-docgen \
glib2-devel \
gobject-introspection \
gperf \
gst-plugins-bad \
lld \
ninja \
python \
ruby \
ruby-stdlib \
systemd \
unifdef \
wayland-protocols \
at-spi2-core \
atk \
bubblewrap \
cairo \
enchant \
expat \
fontconfig \
freetype2 \
gdk-pixbuf2 \
glib2 \
glibc \
gst-plugins-bad-libs \
gst-plugins-base-libs \
gstreamer \
gtk3 \
harfbuzz \
harfbuzz-icu \
hyphen \
icu \
lcms2 \
libatomic \
libavif \
libdrm \
libegl \
libepoxy \
libgcrypt \
libgl \
libjpeg-turbo \
libjxl \
libmanette \
libpng \
libseccomp \
libsecret \
libsoup \
libsystemd \
libtasn1 \
libwebp \
libx11 \
libxml2 \
libxslt \
mesa \
openjpeg2 \
pango \
sqlite \
ttf-dejavu \
wayland \
woff2 \
xdg-dbus-proxy \
zlib
- name: Create builduser (makepkg refuses to run as root)
run: |
useradd -m -G wheel builduser
echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
# Allow builduser to write to the workspace
chown -R builduser:builduser "$GITHUB_WORKSPACE"
git config --system --add safe.directory '*'
- name: Set up AUR SSH key
env:
AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
run: |
SSH_DIR=/home/builduser/.ssh
mkdir -p "${SSH_DIR}"
printf '%s\n' "${AUR_SSH_KEY}" > "${SSH_DIR}/aur_id_rsa"
chown -R builduser:builduser "${SSH_DIR}"
chmod 700 "${SSH_DIR}"
chmod 600 "${SSH_DIR}/aur_id_rsa"
printf 'Host aur.archlinux.org\n User aur\n IdentityFile /home/builduser/.ssh/aur_id_rsa\n StrictHostKeyChecking no\n' \
> "${SSH_DIR}/config"
chmod 600 "${SSH_DIR}/config"
- name: Configure git identity for builduser
run: |
sudo -u builduser HOME=/home/builduser git config --global user.name "${AUR_MAINTAINER_NAME}"
sudo -u builduser HOME=/home/builduser git config --global user.email "${AUR_MAINTAINER_EMAIL}"
- name: Import WebKitGTK PGP signing keys
run: |
sudo -u builduser HOME=/home/builduser gpg \
--keyserver keyserver.ubuntu.com \
--recv-keys \
5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
013A0127AC9C65B34FFA62526C1009B693975393 || \
sudo -u builduser HOME=/home/builduser gpg \
--keyserver hkps://keys.openpgp.org \
--recv-keys \
5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
013A0127AC9C65B34FFA62526C1009B693975393
- name: Clone webkit2gtk from AUR
run: |
sudo -u builduser HOME=/home/builduser \
git clone https://aur.archlinux.org/webkit2gtk.git "${GITHUB_WORKSPACE}/webkit2gtk"
- name: Build webkit2gtk
env:
NPROC: 96
run: |
sudo -u builduser \
HOME=/home/builduser \
GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" \
NPROC="${NPROC}" \
bash "${GITHUB_WORKSPACE}/scripts/build.sh"
- name: Publish to GitHub Releases and AUR
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
sudo -u builduser \
HOME=/home/builduser \
GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" \
GITHUB_TOKEN="${GITHUB_TOKEN}" \
GITHUB_REPO="${GITHUB_REPO}" \
AUR_PACKAGE_NAME="${AUR_PACKAGE_NAME}" \
AUR_MAINTAINER_NAME="${AUR_MAINTAINER_NAME}" \
AUR_MAINTAINER_EMAIL="${AUR_MAINTAINER_EMAIL}" \
bash "${GITHUB_WORKSPACE}/scripts/publish.sh"
.github/workflows/check.yml
+66
View File
@@ -0,0 +1,66 @@
name: Check for webkit2gtk update
on:
# schedule:
# Run every hour
# - cron: '0 * * * *'
workflow_dispatch:
jobs:
check:
name: Poll AUR for new version
runs-on: ubuntu-latest
permissions:
contents: read
actions: write # required to trigger workflow_dispatch on build.yml
steps:
- name: Fetch latest AUR version
id: aur
run: |
response=$(curl -fsSL "https://aur.archlinux.org/rpc/v5/info/webkit2gtk")
aur_version=$(echo "${response}" | jq -r '.results[0].Version')
if [[ -z "${aur_version}" || "${aur_version}" == "null" ]]; then
echo "ERROR: Failed to parse version from AUR response: ${response}" >&2
exit 1
fi
echo "AUR version: ${aur_version}"
echo "version=${aur_version}" >> "$GITHUB_OUTPUT"
- name: Fetch last published version from GitHub Releases
id: last
env:
GH_TOKEN: ${{ github.token }}
run: |
# Get the tag of the latest release; strip the leading 'v'
tag=$(gh release list \
--repo "${{ github.repository }}" \
--limit 1 \
--json tagName \
--jq '.[0].tagName // ""')
last_version="${tag#v}"
echo "Last published version: ${last_version:-<none>}"
echo "version=${last_version}" >> "$GITHUB_OUTPUT"
- name: Decide whether to build
id: decision
run: |
aur="${{ steps.aur.outputs.version }}"
last="${{ steps.last.outputs.version }}"
if [[ "${aur}" == "${last}" ]]; then
echo "Already up to date (${aur}), nothing to do"
echo "should_build=false" >> "$GITHUB_OUTPUT"
else
echo "New version detected: ${aur} (was: ${last:-<none>})"
echo "should_build=true" >> "$GITHUB_OUTPUT"
fi
- name: Trigger build workflow
if: steps.decision.outputs.should_build == 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
gh workflow run build.yml \
--repo "${{ github.repository }}" \
--field aur_version="${{ steps.aur.outputs.version }}"
echo "Dispatched build.yml for version ${{ steps.aur.outputs.version }}"
.gitignore
+16 -10
View File
@@ -1,20 +1,26 @@
# Secrets # Secrets
.env .env
# Build artifacts # Build state — artifacts are large binaries, last_version is runtime state
state/artifacts/ state/
state/build.log
state/cron.log
# AUR SSH key (if stored locally) # AUR clones — managed at runtime by the container, not part of the repo
webkit2gtk/
webkit2gtk-bin/
# makepkg build leftovers (if they end up in the workspace)
*.pkg.tar.zst
*.pkg.tar.zst.sig
src/
pkg/
# AUR SSH keys if stored locally
*.pem *.pem
*.key *.key
id_rsa id_rsa
id_ed25519 id_ed25519
# Docker # Editor
.docker/
# Misc
*.tmp
*.swp *.swp
*.tmp
.DS_Store
AGENTS.md
+284
View File
@@ -0,0 +1,284 @@
# AGENTS.md — webkit2gtk-automator
This file provides guidance for agentic coding agents working in this repository.
---
## Project Overview
This project is a Bash/Docker automation daemon that:
1. Polls the AUR RPC API for new `webkit2gtk` releases
2. Builds the package using `makepkg` inside an Arch Linux container
3. Publishes the resulting `.pkg.tar.zst` artifact to GitHub Releases
4. Generates and pushes an updated `webkit2gtk-bin` PKGBUILD to the AUR
The entire codebase is Bash scripts orchestrated via Docker Compose. There is no application framework, no package manager (npm/pip/cargo), and no test suite.
---
## Repository Structure
```
webkit2gtk-automator/
├── .env.example # Template for required environment variables
├── .gitignore
├── Dockerfile # Arch Linux image with build dependencies
├── docker-compose.yml # Defines the "builder" service
├── README.md
└── scripts/
├── entrypoint.sh # Container entrypoint; polling loop
├── check-update.sh # AUR API poll; triggers build + publish if new version
├── build.sh # Runs makepkg; collects .pkg.tar.zst artifacts
└── publish.sh # Uploads to GitHub Releases; pushes PKGBUILD to AUR
```
Runtime-generated (gitignored):
- `state/last_version` — tracks last published version
- `state/artifacts/` — holds built `.pkg.tar.zst` files
- `webkit2gtk/` — AUR source package clone
- `webkit2gtk-bin/` — AUR binary package clone
---
## Environment Setup
Copy `.env.example` to `.env` and fill in all required values before starting:
```bash
cp .env.example .env
# Edit .env with your GITHUB_TOKEN, AUR SSH key path, GPG key, etc.
```
All scripts validate required variables at startup using the pattern:
```bash
: "${GITHUB_TOKEN:?GITHUB_TOKEN is not set}"
```
Missing variables cause an immediate exit with a descriptive error.
---
## Build / Run Commands
| Purpose | Command |
|---|---|
| Start the daemon (detached) | `docker compose up -d` |
| Start and rebuild the image | `docker compose up -d --build` |
| Watch live logs | `docker compose logs -f` |
| Stop the daemon | `docker compose down` |
| Force a rebuild on next poll | `rm state/last_version && docker compose restart` |
---
## Running a Single Script
There is no test runner. To manually invoke a single script inside the container:
```bash
# Run check-update.sh (polls AUR and triggers build+publish if needed)
docker compose run --rm builder bash -c "source /workspace/.env && /workspace/scripts/check-update.sh"
# Run build.sh directly
docker compose run --rm builder bash -c "source /workspace/.env && /workspace/scripts/build.sh"
# Run publish.sh directly
docker compose run --rm builder bash -c "source /workspace/.env && /workspace/scripts/publish.sh"
```
To test publish without recompiling, pre-place an artifact in `state/artifacts/`:
```bash
# build.sh detects existing artifact and skips makepkg
cp some-existing.pkg.tar.zst state/artifacts/
docker compose run --rm builder bash -c "source /workspace/.env && /workspace/scripts/publish.sh"
```
---
## No Test Suite
There are no unit tests, integration tests, or test commands. Manual invocation of
individual scripts (see above) is the primary validation mechanism.
---
## Code Style Guidelines
### Shebang and Strict Mode
Every script **must** begin with:
```bash
#!/usr/bin/env bash
set -euo pipefail
```
- `set -e` — exit immediately on any non-zero return code
- `set -u` — treat unset variables as errors
- `set -o pipefail` — propagate errors through pipelines
### Variable Naming
| Scope | Convention | Example |
|---|---|---|
| All variables (env or local) | `UPPER_SNAKE_CASE` | `PKG_VERSION`, `BUILD_DIR` |
| Functions | `snake_case` | `log`, `die`, `check_deps` |
| Script files | `kebab-case.sh` | `check-update.sh`, `build.sh` |
### Quoting
Always double-quote variable expansions. Use `${VAR}` brace syntax:
```bash
# Correct
cp "${SRC_FILE}" "${DEST_DIR}/"
echo "Version: ${PKG_VERSION}"
# Wrong — never do this
cp $SRC_FILE $DEST_DIR/
```
### Sourcing Files
Use `source` (not the POSIX `.` shorthand):
```bash
# Correct
source /workspace/.env
# Avoid
. /workspace/.env
```
To auto-export all variables from a sourced file:
```bash
set -a
source /workspace/.env
set +a
```
### Logging
Every script defines a `log()` function with a consistent timestamp prefix:
```bash
log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] [script-name] $*"; }
```
Use `log` for all informational output. Use `log "ERROR: ..." >&2` (or `die`) for errors.
### Arrays
Use Bash arrays when collecting multiple items:
```bash
packages=()
packages+=("${pkg_file}")
```
---
## Error Handling Conventions
### Required Variable Checks
Use Bash parameter expansion to validate required env vars:
```bash
: "${GITHUB_TOKEN:?GITHUB_TOKEN is not set}"
: "${AUR_SSH_KEY:?AUR_SSH_KEY is not set}"
```
### `die()` Helper
Define and use a `die()` function for fatal errors:
```bash
die() {
log "ERROR: $*" >&2
exit 1
}
# Usage
[[ -f "${pkg_file}" ]] || die "Expected artifact not found: ${pkg_file}"
```
### Explicit Guard Blocks
Prefer explicit `if/else` over bare command calls for critical steps:
```bash
if "${SCRIPT_DIR}/build.sh"; then
log "Build succeeded"
else
log "ERROR: Build failed, aborting"
exit 1
fi
```
### Null/Empty API Response Checks
Always validate outputs from `curl | jq` pipelines:
```bash
aur_version=$(curl -s "${AUR_API_URL}" | jq -r '.results[0].Version')
if [[ -z "${aur_version}" || "${aur_version}" == "null" ]]; then
log "ERROR: Failed to parse version from AUR response"
exit 1
fi
```
### Graceful No-Op
For idempotent operations (e.g., git commit), allow the no-op case:
```bash
git commit -m "Update to ${FULL_VERSION}" || {
log "Nothing to commit, already at ${FULL_VERSION}"
exit 0
}
```
---
## External Tool Dependencies
These CLI tools are invoked directly by the scripts. They must be present in the container:
| Tool | Purpose |
|---|---|
| `curl` | HTTP requests to AUR RPC API |
| `jq` | JSON parsing of AUR API responses |
| `makepkg` | Arch Linux package build tool |
| `gh` | GitHub CLI — creating releases and uploading assets |
| `git` | Cloning/pulling AUR repos, committing, pushing |
| `gpg` | Verifying PGP signatures on source tarballs |
| `sha256sum` | Computing checksums for the artifact |
| `bsdtar` | Extracting the `.pkg.tar.zst` in the generated PKGBUILD |
| `sudo` | Dropping privileges from root to `builduser` for `makepkg` |
| `ssh` | AUR authentication via SSH key |
All of these are installed in the `Dockerfile`. If adding a new dependency, add it there.
---
## Dockerfile and docker-compose.yml
- The base image is Arch Linux. Keep it updated with `pacman -Syu` in the `Dockerfile`.
- The container runs as root but drops to a `builduser` account for `makepkg` (which
refuses to run as root).
- Secrets (`.env`, SSH keys, GPG keys) are mounted at runtime via volume mounts defined
in `docker-compose.yml`. Never bake secrets into the image.
---
## ShellCheck
ShellCheck is the recommended linter for Bash scripts. It is not formally enforced (no
`.shellcheckrc` or CI step), but inline directives are already used in the codebase
(e.g., `# shellcheck source=/dev/null`). When editing scripts, run ShellCheck locally:
```bash
shellcheck scripts/*.sh
```
Fix all warnings before committing. Use inline directives sparingly and only with a
comment explaining why the suppression is necessary.
---
## Adding a New Script
1. Create the file as `scripts/kebab-case-name.sh`
2. Start with `#!/usr/bin/env bash` and `set -euo pipefail`
3. Define a `log()` function matching the pattern above
4. Validate all required env vars with `: "${VAR:?...}"`
5. Define a `die()` helper for fatal errors
6. Make it executable: `chmod +x scripts/kebab-case-name.sh`
7. If it needs to run inside the container, invoke it via `docker compose run --rm builder`
README.md
+80
View File
@@ -0,0 +1,80 @@
# webkit2gtk-automator
Automated builder and AUR publisher for [webkit2gtk](https://aur.archlinux.org/packages/webkit2gtk), running on a self-hosted server.
Every hour the container polls the AUR for a new webkit2gtk version. When an update is detected, it builds the package from source inside an isolated Arch Linux container and publishes the resulting binary as a [webkit2gtk-bin](https://aur.archlinux.org/packages/webkit2gtk-bin) AUR package, with the prebuilt artifact hosted on [GitHub Releases](https://github.com/Brodino96/webkit2gtk-automator/releases).
## How it works
```
docker compose up -d
└── container starts
every hour:
├── query AUR RPC API for webkit2gtk version
├── if unchanged → sleep
└── if newer →
git pull webkit2gtk PKGBUILD
makepkg (all available cores)
upload .pkg.tar.zst to GitHub Releases
update webkit2gtk-bin PKGBUILD + .SRCINFO
git push to AUR
```
## Setup
**1) Clone the repository**
```bash
git clone https://github.com/Brodino96/webkit2gtk-automator.git
cd webkit2gtk-automator
```
**2) Configure the environment**
```bash
cp .env.example .env
```
Edit `.env` and fill in:
| Variable | Description |
|---------------------------|-----------------------------------------------------------------------------------|
| `GITHUB_TOKEN` | Personal access token with **Contents: read/write** on this repo |
| `GITHUB_REPO` | `Brodino96/webkit2gtk-automator` |
| `AUR_SSH_KEY_PATH` | Absolute path to the SSH private key registered on your AUR account |
| `AUR_PACKAGE_NAME` | `webkit2gtk-bin` |
| `AUR_MAINTAINER_NAME` | Your name (written into the published PKGBUILD) |
| `AUR_MAINTAINER_EMAIL` | Your email (written into the published PKGBUILD) |
| `POLL_INTERVAL_SECONDS` | How often to check for updates, in seconds (default: `3600`) |
| `NPROC` | CPU cores for compilation, also caps the container's CPU quota (default: `4`) |
**3) Start the daemon**
```bash
docker compose up -d
```
**4) Optional - Watch the logs**
```bash
docker compose logs -f
```
## Useful commands
```bash
# Stop the daemon
docker compose down
# Rebuild the image after a Dockerfile change
docker compose up -d --build
# Force a rebuild on next poll (reset the tracked version)
rm state/last_version
docker compose restart
```
## Notes
- The build takes 13 hours depending on server hardware
- If an artifact for the current version already exists in `state/artifacts/`, the build step is skipped and the existing file is published directly (useful for testing)
- All logs go to stdout and are accessible via `docker compose logs`
- The `state/` directory is created at runtime and is not tracked by git
docker-compose.yml
+7 -5
View File
@@ -8,14 +8,16 @@ services:
restart: unless-stopped restart: unless-stopped
env_file: env_file:
- .env - .env
# By default Docker exposes all host CPUs to the container. # NPROC in .env controls both the number of compiler jobs (make -jN) and
# You can cap it here or set NPROC in .env to limit parallelism at the build level. # the CPU cap enforced by the kernel. Set it once, it applies everywhere
# cpus: '4' cpus: '${NPROC:-4}'
mem_limit: 12g
memswap_limit: 12g
volumes: volumes:
# Entire project mounted so the container can read/write state, artifacts, # Entire project mounted so the container can read/write state, artifacts,
# and the webkit2gtk / webkit2gtk-bin git repos. # and the webkit2gtk / webkit2gtk-bin git repos
- .:/workspace - .:/workspace
# AUR SSH private key (path set in .env via AUR_SSH_KEY_PATH) # AUR SSH private key (path set in .env via AUR_SSH_KEY_PATH)
- ${AUR_SSH_KEY_PATH}:/run/secrets/aur_id_rsa:ro - ${AUR_SSH_KEY_PATH}:/run/secrets/aur_id_rsa:ro
# No ports needed this is a pure background worker. # No ports needed this is a pure background worker
# Logs are available via: docker compose logs -f # Logs are available via: docker compose logs -f
scripts/build.sh
+21 -3
View File
@@ -1,12 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# build.sh # build.sh
# Runs INSIDE the Docker container as builduser. # Runs as builduser (inside Docker or a GitHub Actions container job).
# Builds webkit2gtk from the AUR PKGBUILD and copies the resulting # Builds webkit2gtk from the AUR PKGBUILD and copies the resulting
# .pkg.tar.zst packages to /workspace/state/artifacts/. # .pkg.tar.zst packages to <workspace>/state/artifacts/.
#
# Works in both environments:
# Docker / local: WORKSPACE=/workspace (default)
# GitHub Actions: WORKSPACE=$GITHUB_WORKSPACE (set by runner)
set -euo pipefail set -euo pipefail
WORKSPACE=/workspace WORKSPACE="${GITHUB_WORKSPACE:-/workspace}"
SRC_DIR="${WORKSPACE}/webkit2gtk" SRC_DIR="${WORKSPACE}/webkit2gtk"
ARTIFACTS_DIR="${WORKSPACE}/state/artifacts" ARTIFACTS_DIR="${WORKSPACE}/state/artifacts"
@@ -22,6 +26,20 @@ fi
mkdir -p "${ARTIFACTS_DIR}" mkdir -p "${ARTIFACTS_DIR}"
# Skip rebuild if artifacts for this version already exist
pkgver=$(bash -c "source ${SRC_DIR}/PKGBUILD; echo \${pkgver}")
pkgrel=$(bash -c "source ${SRC_DIR}/PKGBUILD; echo \${pkgrel}")
existing=$(find "${ARTIFACTS_DIR}" -maxdepth 1 \
-name "webkit2gtk-${pkgver}-${pkgrel}-*.pkg.tar.zst" \
! -name 'webkit2gtk-docs-*' \
-print | head -n1)
if [[ -n "${existing}" ]]; then
log "Artifacts for ${pkgver}-${pkgrel} already exist, skipping build"
log "Using cached: $(basename "${existing}")"
exit 0
fi
# Clean any leftover build artifacts from a previous run # Clean any leftover build artifacts from a previous run
log "Cleaning previous build artifacts in ${SRC_DIR}" log "Cleaning previous build artifacts in ${SRC_DIR}"
# makepkg leaves behind src/, pkg/ and the .pkg.tar.zst files # makepkg leaves behind src/, pkg/ and the .pkg.tar.zst files
scripts/check-update.sh
+48 -55
View File
@@ -1,26 +1,38 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# check-update.sh # check-update.sh
# Polls the AUR RPC API for the latest webkit2gtk version. # Queries the AUR RPC API for the latest webkit2gtk version and compares it
# If a newer version is detected, runs build.sh then publish.sh directly. # against the last published version on GitHub Releases.
# Called by entrypoint.sh on a loop — runs entirely inside the container. #
# Outputs:
# aur_version=<string> — latest AUR version string
# should_build=true|false — whether a new build is needed
#
# When run inside a GitHub Actions step, GITHUB_OUTPUT is set and the outputs
# are written there automatically. When run locally, they are printed to stdout.
#
# Required env vars (only when comparing against GitHub Releases):
# GITHUB_TOKEN — a token with 'contents: read' on GITHUB_REPO
# GITHUB_REPO — owner/repo, e.g. Brodino96/webkit2gtk-automator
set -euo pipefail set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
# Paths
STATE_DIR="${ROOT_DIR}/state"
LAST_VERSION_FILE="${STATE_DIR}/last_version"
mkdir -p "${STATE_DIR}"
# Logging
# Output goes to stdout so docker compose logs picks it up automatically.
log() { log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] [check-update] $*" echo "[$(date '+%Y-%m-%d %H:%M:%S')] [check-update] $*"
} }
# Fetch latest AUR version set_output() {
local key="$1"
local value="$2"
if [[ -n "${GITHUB_OUTPUT:-}" ]]; then
echo "${key}=${value}" >> "${GITHUB_OUTPUT}"
else
log "OUTPUT: ${key}=${value}"
fi
}
# ---------------------------------------------------------------------------
# 1. Fetch latest AUR version
# ---------------------------------------------------------------------------
AUR_API_URL="https://aur.archlinux.org/rpc/v5/info/webkit2gtk" AUR_API_URL="https://aur.archlinux.org/rpc/v5/info/webkit2gtk"
log "Querying AUR for webkit2gtk" log "Querying AUR for webkit2gtk"
@@ -33,50 +45,31 @@ if [[ -z "${aur_version}" || "${aur_version}" == "null" ]]; then
fi fi
log "AUR version: ${aur_version}" log "AUR version: ${aur_version}"
set_output "aur_version" "${aur_version}"
# Compare with last built version # ---------------------------------------------------------------------------
last_version="" # 2. Fetch last published version from GitHub Releases
if [[ -f "${LAST_VERSION_FILE}" ]]; then # ---------------------------------------------------------------------------
last_version=$(cat "${LAST_VERSION_FILE}") : "${GITHUB_TOKEN:?GITHUB_TOKEN is not set}"
fi : "${GITHUB_REPO:?GITHUB_REPO is not set}"
log "Last built version: ${last_version:-<none>}" log "Fetching latest GitHub Release tag from ${GITHUB_REPO}"
tag=$(gh release list \
--repo "${GITHUB_REPO}" \
--limit 1 \
--json tagName \
--jq '.[0].tagName // ""' 2>/dev/null || echo "")
last_version="${tag#v}"
log "Last published version: ${last_version:-<none>}"
# ---------------------------------------------------------------------------
# 3. Compare
# ---------------------------------------------------------------------------
if [[ "${aur_version}" == "${last_version}" ]]; then if [[ "${aur_version}" == "${last_version}" ]]; then
log "Already up to date, nothing to do" log "Already up to date (${aur_version}), nothing to do"
exit 0 set_output "should_build" "false"
fi
log "New version detected: ${aur_version} (was: ${last_version:-<none>}), starting build"
# Update the webkit2gtk AUR clone
WEBKIT2GTK_DIR="${ROOT_DIR}/webkit2gtk"
if [[ -d "${WEBKIT2GTK_DIR}/.git" ]]; then
log "Pulling latest PKGBUILD from AUR"
git -C "${WEBKIT2GTK_DIR}" pull --ff-only
else else
log "Cloning webkit2gtk from AUR" log "New version detected: ${aur_version} (was: ${last_version:-<none>})"
git clone https://aur.archlinux.org/webkit2gtk.git "${WEBKIT2GTK_DIR}" set_output "should_build" "true"
fi fi
# Build
log "Running build"
if "${SCRIPT_DIR}/build.sh"; then
log "Build succeeded"
else
log "ERROR: Build failed, aborting"
exit 1
fi
# Publish
log "Running publish"
if "${SCRIPT_DIR}/publish.sh"; then
log "Publish succeeded"
else
log "ERROR: Publish failed"
exit 1
fi
# Record new version
echo "${aur_version}" > "${LAST_VERSION_FILE}"
log "Updated last_version to ${aur_version}, done"
scripts/entrypoint.sh
+18 -6
View File
@@ -8,6 +8,16 @@
set -euo pipefail set -euo pipefail
# Load .env so all variables are available both here (root) and in child
# processes running as builduser. Docker's env_file only sets variables for
# the initial process; sudo drops them by default.
if [[ -f /workspace/.env ]]; then
set -a
# shellcheck source=/dev/null
source /workspace/.env
set +a
fi
POLL_INTERVAL_SECONDS="${POLL_INTERVAL_SECONDS:-3600}" POLL_INTERVAL_SECONDS="${POLL_INTERVAL_SECONDS:-3600}"
# Set up AUR SSH key # Set up AUR SSH key
@@ -25,21 +35,21 @@ else
fi fi
# Set git identity for builduser # Set git identity for builduser
sudo -u builduser git config --global user.name "${AUR_MAINTAINER_NAME:-webkit2gtk-automator}" sudo -u builduser HOME=/home/builduser git config --global user.name "${AUR_MAINTAINER_NAME:-webkit2gtk-automator}"
sudo -u builduser git config --global user.email "${AUR_MAINTAINER_EMAIL:-noreply@localhost}" sudo -u builduser HOME=/home/builduser git config --global user.email "${AUR_MAINTAINER_EMAIL:-noreply@localhost}"
# Import WebKitGTK PGP signing keys into builduser's keyring # Import WebKitGTK PGP signing keys into builduser's keyring
# makepkg verifies the source tarball signature against these keys. # makepkg verifies the source tarball signature against these keys.
# Try the bundled local keys first (no network needed), then fall back to keyservers. # Try the bundled local keys first (no network needed), then fall back to keyservers.
echo "[entrypoint] Importing WebKitGTK PGP signing keys" echo "[entrypoint] Importing WebKitGTK PGP signing keys"
if ls /workspace/webkit2gtk/keys/pgp/*.asc &>/dev/null; then if ls /workspace/webkit2gtk/keys/pgp/*.asc &>/dev/null; then
sudo -u builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc sudo -u builduser HOME=/home/builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc
echo "[entrypoint] PGP keys imported from local bundle" echo "[entrypoint] PGP keys imported from local bundle"
else else
sudo -u builduser gpg --keyserver keyserver.ubuntu.com --recv-keys \ sudo -u builduser HOME=/home/builduser gpg --keyserver keyserver.ubuntu.com --recv-keys \
5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \ 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
013A0127AC9C65B34FFA62526C1009B693975393 || \ 013A0127AC9C65B34FFA62526C1009B693975393 || \
sudo -u builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys \ sudo -u builduser HOME=/home/builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys \
5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \ 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
013A0127AC9C65B34FFA62526C1009B693975393 013A0127AC9C65B34FFA62526C1009B693975393
echo "[entrypoint] PGP keys imported from keyserver" echo "[entrypoint] PGP keys imported from keyserver"
@@ -47,9 +57,11 @@ fi
# Drop to builduser and start the polling loop # Drop to builduser and start the polling loop
echo "[entrypoint] Starting polling loop, interval: ${POLL_INTERVAL_SECONDS}s" echo "[entrypoint] Starting polling loop, interval: ${POLL_INTERVAL_SECONDS}s"
exec sudo -u builduser bash -c ' exec sudo -u builduser --preserve-env HOME=/home/builduser bash -c '
set -euo pipefail set -euo pipefail
POLL_INTERVAL_SECONDS="'"${POLL_INTERVAL_SECONDS}"'" POLL_INTERVAL_SECONDS="'"${POLL_INTERVAL_SECONDS}"'"
NPROC="'"${NPROC:-}"'"
[[ -n "${NPROC}" ]] && export NPROC
while true; do while true; do
/workspace/scripts/check-update.sh /workspace/scripts/check-update.sh
echo "[entrypoint] Sleeping for ${POLL_INTERVAL_SECONDS}s" echo "[entrypoint] Sleeping for ${POLL_INTERVAL_SECONDS}s"
scripts/publish.sh
+22 -19
View File
@@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# publish.sh # publish.sh
# Runs INSIDE the Docker container as builduser. # Runs as builduser (inside Docker or a GitHub Actions container job).
# #
# Steps: # Steps:
# 1. Find the built webkit2gtk .pkg.tar.zst in state/artifacts/ # 1. Find the built webkit2gtk .pkg.tar.zst in state/artifacts/
@@ -8,10 +8,14 @@
# 3. Update webkit2gtk-bin/PKGBUILD with the new version, URL and sha256sum # 3. Update webkit2gtk-bin/PKGBUILD with the new version, URL and sha256sum
# 4. Regenerate webkit2gtk-bin/.SRCINFO # 4. Regenerate webkit2gtk-bin/.SRCINFO
# 5. Commit and push webkit2gtk-bin/ to the AUR # 5. Commit and push webkit2gtk-bin/ to the AUR
#
# Works in both environments:
# Docker / local: WORKSPACE=/workspace (default)
# GitHub Actions: WORKSPACE=$GITHUB_WORKSPACE (set by runner)
set -euo pipefail set -euo pipefail
WORKSPACE=/workspace WORKSPACE="${GITHUB_WORKSPACE:-/workspace}"
ARTIFACTS_DIR="${WORKSPACE}/state/artifacts" ARTIFACTS_DIR="${WORKSPACE}/state/artifacts"
BIN_PKG_DIR="${WORKSPACE}/webkit2gtk-bin" BIN_PKG_DIR="${WORKSPACE}/webkit2gtk-bin"
SRC_PKGBUILD="${WORKSPACE}/webkit2gtk/PKGBUILD" SRC_PKGBUILD="${WORKSPACE}/webkit2gtk/PKGBUILD"
@@ -33,23 +37,18 @@ die() {
: "${AUR_MAINTAINER_EMAIL:?AUR_MAINTAINER_EMAIL is not set}" : "${AUR_MAINTAINER_EMAIL:?AUR_MAINTAINER_EMAIL is not set}"
# Authenticate gh CLI # Authenticate gh CLI
echo "${GITHUB_TOKEN}" | gh auth login --with-token # GITHUB_TOKEN is already in the environment and picked up by gh automatically
# Find the main webkit2gtk package (not -docs) # Find the main webkit2gtk package only (exclude -docs and -debug variants)
log "Looking for built package in ${ARTIFACTS_DIR}" log "Looking for built package in ${ARTIFACTS_DIR}"
# We want webkit2gtk-<ver>-<rel>-x86_64.pkg.tar.zst, NOT webkit2gtk-docs-*
pkg_file=$(find "${ARTIFACTS_DIR}" -maxdepth 1 \
-name 'webkit2gtk-*.pkg.tar.zst' \
! -name 'webkit2gtk-docs-*' \
-print | sort -V | tail -n1)
[[ -n "${pkg_file}" ]] || die "No webkit2gtk .pkg.tar.zst found in ${ARTIFACTS_DIR}"
log "Found package: ${pkg_file}"
# Derive version from the built PKGBUILD
pkgver=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgver}") pkgver=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgver}")
pkgrel=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgrel}") pkgrel=$(bash -c "source ${SRC_PKGBUILD}; echo \${pkgrel}")
full_version="${pkgver}-${pkgrel}" full_version="${pkgver}-${pkgrel}"
log "Package version: ${full_version}" log "Package version: ${full_version}"
pkg_file="${ARTIFACTS_DIR}/webkit2gtk-${pkgver}-${pkgrel}-x86_64.pkg.tar.zst"
[[ -f "${pkg_file}" ]] || die "Expected artifact not found: ${pkg_file}"
log "Found package: ${pkg_file}"
# Compute sha256sum of the artifact # Compute sha256sum of the artifact
sha256=$(sha256sum "${pkg_file}" | awk '{print $1}') sha256=$(sha256sum "${pkg_file}" | awk '{print $1}')
log "sha256sum: ${sha256}" log "sha256sum: ${sha256}"
@@ -61,12 +60,16 @@ release_title="webkit2gtk ${full_version}"
log "Creating/updating GitHub release ${release_tag}" log "Creating/updating GitHub release ${release_tag}"
# Create the release if it doesn't exist; ignore error if it already does # Create the release if it doesn't exist
gh release create "${release_tag}" \ if gh release view "${release_tag}" --repo "${GITHUB_REPO}" &>/dev/null; then
--repo "${GITHUB_REPO}" \ log "Release ${release_tag} already exists, proceeding to upload asset"
--title "${release_title}" \ else
--notes "Automated build of webkit2gtk ${full_version}" \ log "Creating GitHub release ${release_tag}"
2>/dev/null || log "Release ${release_tag} already exists, proceeding to upload asset" gh release create "${release_tag}" \
--repo "${GITHUB_REPO}" \
--title "${release_title}" \
--notes "Automated build of webkit2gtk ${full_version}"
fi
# Upload the package (--clobber overwrites an existing asset with the same name) # Upload the package (--clobber overwrites an existing asset with the same name)
log "Uploading ${pkg_filename} to release ${release_tag}" log "Uploading ${pkg_filename} to release ${release_tag}"
state/last_version
View File