webkit2gtk-automator/.github/workflows/build.yml

name: Build and publish webkit2gtk

on:
  workflow_dispatch:
    inputs:
      aur_version:
        description: 'Full AUR version string to build (e.g. 2.46.3-1)'
        required: true
        type: string

jobs:
  build-and-publish:
    name: Build webkit2gtk ${{ inputs.aur_version }}
    runs-on: ubuntu-latest-96-cores
    container:
      image: archlinux:latest
      # Needed so makepkg can use FUSE/user namespaces inside the container
      options: --privileged

    permissions:
      contents: write  # create GitHub Releases and upload assets

    env:
      GITHUB_REPO: ${{ github.repository }}
      AUR_PACKAGE_NAME: webkit2gtk-bin
      AUR_MAINTAINER_NAME: ${{ secrets.AUR_MAINTAINER_NAME }}
      AUR_MAINTAINER_EMAIL: ${{ secrets.AUR_MAINTAINER_EMAIL }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2

      - name: Install build dependencies
        run: |
          pacman -Syu --noconfirm
          pacman -S --noconfirm --needed \
            base-devel \
            git \
            sudo \
            curl \
            jq \
            openssh \
            github-cli \
            clang \
            cmake \
            gi-docgen \
            glib2-devel \
            gobject-introspection \
            gperf \
            gst-plugins-bad \
            lld \
            ninja \
            python \
            ruby \
            ruby-stdlib \
            systemd \
            unifdef \
            wayland-protocols \
            at-spi2-core \
            atk \
            bubblewrap \
            cairo \
            enchant \
            expat \
            fontconfig \
            freetype2 \
            gdk-pixbuf2 \
            glib2 \
            glibc \
            gst-plugins-bad-libs \
            gst-plugins-base-libs \
            gstreamer \
            gtk3 \
            harfbuzz \
            harfbuzz-icu \
            hyphen \
            icu \
            lcms2 \
            libatomic \
            libavif \
            libdrm \
            libegl \
            libepoxy \
            libgcrypt \
            libgl \
            libjpeg-turbo \
            libjxl \
            libmanette \
            libpng \
            libseccomp \
            libsecret \
            libsoup \
            libsystemd \
            libtasn1 \
            libwebp \
            libx11 \
            libxml2 \
            libxslt \
            mesa \
            openjpeg2 \
            pango \
            sqlite \
            ttf-dejavu \
            wayland \
            woff2 \
            xdg-dbus-proxy \
            zlib

      - name: Create builduser (makepkg refuses to run as root)
        run: |
          useradd -m -G wheel builduser
          echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
          # Allow builduser to write to the workspace
          chown -R builduser:builduser "$GITHUB_WORKSPACE"
          git config --system --add safe.directory '*'

      - name: Set up AUR SSH key
        env:
          AUR_SSH_KEY: ${{ secrets.AUR_SSH_KEY }}
        run: |
          SSH_DIR=/home/builduser/.ssh
          mkdir -p "${SSH_DIR}"
          printf '%s\n' "${AUR_SSH_KEY}" > "${SSH_DIR}/aur_id_rsa"
          chown -R builduser:builduser "${SSH_DIR}"
          chmod 700 "${SSH_DIR}"
          chmod 600 "${SSH_DIR}/aur_id_rsa"
          printf 'Host aur.archlinux.org\n  User aur\n  IdentityFile /home/builduser/.ssh/aur_id_rsa\n  StrictHostKeyChecking no\n' \
            > "${SSH_DIR}/config"
          chmod 600 "${SSH_DIR}/config"

      - name: Configure git identity for builduser
        run: |
          sudo -u builduser HOME=/home/builduser git config --global user.name  "${AUR_MAINTAINER_NAME}"
          sudo -u builduser HOME=/home/builduser git config --global user.email "${AUR_MAINTAINER_EMAIL}"

      - name: Import WebKitGTK PGP signing keys
        run: |
          sudo -u builduser HOME=/home/builduser gpg \
            --keyserver keyserver.ubuntu.com \
            --recv-keys \
              5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
              013A0127AC9C65B34FFA62526C1009B693975393 || \
          sudo -u builduser HOME=/home/builduser gpg \
            --keyserver hkps://keys.openpgp.org \
            --recv-keys \
              5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
              013A0127AC9C65B34FFA62526C1009B693975393

      - name: Clone webkit2gtk from AUR
        run: |
          sudo -u builduser HOME=/home/builduser \
            git clone https://aur.archlinux.org/webkit2gtk.git "${GITHUB_WORKSPACE}/webkit2gtk"

      - name: Build webkit2gtk
        env:
          NPROC: 96
        run: |
          sudo -u builduser \
            HOME=/home/builduser \
            GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" \
            NPROC="${NPROC}" \
            bash "${GITHUB_WORKSPACE}/scripts/build.sh"

      - name: Publish to GitHub Releases and AUR
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          sudo -u builduser \
            HOME=/home/builduser \
            GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" \
            GITHUB_TOKEN="${GITHUB_TOKEN}" \
            GITHUB_REPO="${GITHUB_REPO}" \
            AUR_PACKAGE_NAME="${AUR_PACKAGE_NAME}" \
            AUR_MAINTAINER_NAME="${AUR_MAINTAINER_NAME}" \
            AUR_MAINTAINER_EMAIL="${AUR_MAINTAINER_EMAIL}" \
            bash "${GITHUB_WORKSPACE}/scripts/publish.sh"